diff options
author | Matt Caswell <matt@openssl.org> | 2024-03-05 16:01:20 +0000 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2024-04-08 12:10:42 +0200 |
commit | daee101e39073d4b65a68faeb2f2de5ad7b05c36 (patch) | |
tree | 9ca95b6384fa45a3c5c20d82e89d6f79f068962c | |
parent | b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d (diff) |
Add a CHANGES.md/NEWS.md entry for the unbounded memory growth bug
Related to CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24044)
(cherry picked from commit e32ad41b48c28d82339de064b05d5e269e5aed97)
-rw-r--r-- | CHANGES.md | 19 | ||||
-rw-r--r-- | NEWS.md | 4 |
2 files changed, 22 insertions, 1 deletions
diff --git a/CHANGES.md b/CHANGES.md index b42dd83bc0..5590704670 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -30,6 +30,24 @@ breaking changes, and mappings for the large list of deprecated functions. ### Changes between 3.0.13 and 3.0.14 [xx XXX xxxx] + * Fixed an issue where some non-default TLS server configurations can cause + unbounded memory growth when processing TLSv1.3 sessions. An attacker may + exploit certain server configurations to trigger unbounded memory growth that + would lead to a Denial of Service + + This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option + is being used (but not if early_data is also configured and the default + anti-replay protection is in use). In this case, under certain conditions, + the session cache can get into an incorrect state and it will fail to flush + properly as it fills. The session cache will continue to grow in an unbounded + manner. A malicious client could deliberately create the scenario for this + failure to force a Denial of Service. It may also happen by accident in + normal operation. + + ([CVE-2024-2511]) + + *Matt Caswell* + * New atexit configuration switch, which controls whether the OPENSSL_cleanup is registered when libcrypto is unloaded. This can be used on platforms where using atexit() from shared libraries causes crashes on exit. @@ -19832,6 +19850,7 @@ ndif <!-- Links --> +[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129 @@ -20,7 +20,8 @@ OpenSSL 3.0 ### Major changes between OpenSSL 3.0.13 and OpenSSL 3.0.14 [under development] - * none + * Fixed unbounded memory growth with session handling in TLSv1.3 + ([CVE-2024-2511]) ### Major changes between OpenSSL 3.0.12 and OpenSSL 3.0.13 [30 Jan 2024] @@ -1474,6 +1475,7 @@ OpenSSL 0.9.x <!-- Links --> +[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129 |