Update CHANGES and NEWS for security release

Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit f86bfcc4e0)
2025-02-11 08:36:29 -05:00 · 2025-02-11 08:36:29 -05:00 · 99d9e3792d
parent b0bbd22a46
commit 99d9e3792d
2 changed files with 15 additions and 1 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -27,6 +27,17 @@ OpenSSL 3.2

 ### Changes between 3.2.3 and 3.2.4 [xx XXX xxxx]

+ * Fixed RFC7250 handshakes with unauthenticated servers don't abort as expected.
+
+   Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a
+   server may fail to notice that the server was not authenticated, because
+   handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode
+   is set.
+
+   ([CVE-2024-12797])
+
+   *Viktor Dukhovni*
+
 * Fixed timing side-channel in ECDSA signature computation.

   There is a timing signal of around 300 nanoseconds when the top word of
--- a/NEWS.md
+++ b/NEWS.md
@ -23,10 +23,13 @@ OpenSSL 3.2
 ### Major changes between OpenSSL 3.2.3 and OpenSSL 3.2.4 [under development]

 OpenSSL 3.2.4 is a security patch release. The most severe CVE fixed in this
-release is Low.
+release is High.

 This release incorporates the following bug fixes and mitigations:

+  * Fixed RFC7250 handshakes with unauthenticated servers don't abort as expected.
+    ([CVE-2024-12797])
+
  * Fixed timing side-channel in ECDSA signature computation.
    ([CVE-2024-13176])