root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Updated CHANGES and NEWS for CVE-2024-6119 fix 

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(cherry picked from commit cf384d35aa)
This commit is contained in:
Viktor Dukhovni 2024-07-10 19:50:57 +10:00 committed by Tomas Mraz
parent 0890cd13d4
commit ca979e854b
2 changed files with 25 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
CHANGES.md
View File

@ -197,7 +197,21 @@ OpenSSL 3.4
OpenSSL 3.3
-----------
### Changes between 3.3.0 and 3.3.1 [xx XXX xxxx]
### Changes between 3.3.1 and 3.3.2 [xx XXX xxxx]
* Fixed possible denial of service in X.509 name checks.
Applications performing certificate name checks (e.g., TLS clients checking
server certificates) may attempt to read an invalid memory address when
comparing the expected name with an `otherName` subject alternative name of
an X.509 certificate. This may result in an exception that terminates the
application program.
[(CVE-2024-6119)]
*Viktor Dukhovni*
### Changes between 3.3.0 and 3.3.1 [4 Jun 2024]
* Fixed potential use after free after SSL_free_buffers() is called.
@ -20832,6 +20846,7 @@ ndif
<!-- Links -->
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511

10
NEWS.md
View File

@ -88,7 +88,14 @@ This release adds the following new features:
OpenSSL 3.3
-----------
### Major changes between OpenSSL 3.3.0 and OpenSSL 3.3.1 [under development]
### Major changes between OpenSSL 3.3.1 and OpenSSL 3.3.2 [under development]
OpenSSL 3.3.2 is a security patch release. The most severe CVE fixed in this
release is Moderate.
* Fixed possible denial of service in X.509 name checks [(CVE-2024-6119)].
### Major changes between OpenSSL 3.3.0 and OpenSSL 3.3.1 [4 Jun 2024]
OpenSSL 3.3.1 is a security patch release. The most severe CVE fixed in this
release is Low.
@ -1796,6 +1803,7 @@ OpenSSL 0.9.x
<!-- Links -->
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511