From ae20c423f9b86956267ea82bd678179e9d648bad Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 3 Jun 2024 16:46:41 +0200 Subject: [PATCH] Update CHANGES.md and NEWS.md for the upcoming release Reviewed-by: Matt Caswell Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/24549) (cherry picked from commit 6152b08631568551f155f9d8219298f55aef5d94) --- CHANGES.md | 25 +++++++++++++++++++++++++ NEWS.md | 20 +++++++++++++++++++- 2 files changed, 44 insertions(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index 2557ae113717f..49dbe58502630 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -100,6 +100,29 @@ OpenSSL 3.3 ### Changes between 3.3.0 and 3.3.1 [xx XXX xxxx] + * Fixed potential use after free after SSL_free_buffers() is called. + + The SSL_free_buffers function is used to free the internal OpenSSL + buffer used when processing an incoming record from the network. + The call is only expected to succeed if the buffer is not currently + in use. However, two scenarios have been identified where the buffer + is freed even when still in use. + + The first scenario occurs where a record header has been received + from the network and processed by OpenSSL, but the full record body + has not yet arrived. In this case calling SSL_free_buffers will succeed + even though a record has only been partially processed and the buffer + is still in use. + + The second scenario occurs where a full record containing application + data has been received and processed by OpenSSL but the application has + only read part of this data. Again a call to SSL_free_buffers will + succeed even though the buffer is still in use. + + ([CVE-2024-4741]) + + *Matt Caswell* + * Fixed an issue where checking excessively long DSA keys or parameters may be very slow. @@ -20702,6 +20725,8 @@ ndif +[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 +[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237 diff --git a/NEWS.md b/NEWS.md index 3196a06254184..bc8b40ee7353c 100644 --- a/NEWS.md +++ b/NEWS.md @@ -33,7 +33,21 @@ This release is in development. OpenSSL 3.3 ----------- -### Major changes between OpenSSL 3.2 and OpenSSL 3.3 [under development] +### Major changes between OpenSSL 3.3.0 and OpenSSL 3.3.1 [under development] + +OpenSSL 3.3.1 is a security patch release. The most severe CVE fixed in this +release is Low. + +This release incorporates the following bug fixes and mitigations: + + * Fixed potential use after free after SSL_free_buffers() is called + ([CVE-2024-4741]) + + * Fixed an issue where checking excessively long DSA keys or parameters may + be very slow + ([CVE-2024-4603]) + +### Major changes between OpenSSL 3.2 and OpenSSL 3.3.0 [9 Apr 2024] OpenSSL 3.3.0 is a feature release adding significant new functionality to OpenSSL. @@ -171,8 +185,10 @@ This release incorporates the following bug fixes and mitigations: * Fixed PKCS12 Decoding crashes ([CVE-2024-0727]) + * Fixed excessive time spent checking invalid RSA public keys ([CVE-2023-6237]) + * Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC CPUs which support PowerISA 2.07 ([CVE-2023-6129]) @@ -1725,6 +1741,8 @@ OpenSSL 0.9.x +[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 +[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237