author: Pauli <pauli@openssl.org> 2023-10-06 10:43:46 +1100
committer: Matt Caswell <matt@openssl.org> 2023-10-24 14:35:55 +0100
commit: 1449ba25899b94d4b4be8d478252996de0111c5d (patch)
tree: 9c4b301dd1aad6d06cd3abf4f95917a948d08bbe
parent: 0df40630850fb2740e6be6890bb905d3fc623b2d (diff)
changes and news entries for CVE-2023-5363
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 3f636830e4dcfe9b6ab57bef42c0b3a1de194399)
-rw-r--r-- CHANGES.md | 7
-rw-r--r-- NEWS.md | 4
2 files changed, 9 insertions, 2 deletions
diff --git a/CHANGES.md b/CHANGES.md
index 61efa01bb6..6d0f495dcc 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -30,7 +30,11 @@ breaking changes, and mappings for the large list of deprecated functions.
### Changes between 3.0.11 and 3.0.12 [xx XXX xxxx]
- * none yet
+ * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(),
+ EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters
+ that alter the key or IV length ([CVE-2023-5363]).
+
+ *Paul Dale*
### Changes between 3.0.10 and 3.0.11 [19 Sep 2023]
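Review bot: the new CHANGES entry names the affected calls (EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2(), EVP_CipherInit_ex2() with OSSL_PARAM key/IV length parameters) but not what goes wrong for the caller, so a reader triaging CVE-2023-5363 cannot tell from this entry whether the issue is a crash, a wrong-length key or IV being used, or something else. Consider adding one sentence on the observable consequence and, if known, which releases are affected, as the neighbouring CVE entries in this file do. The placeholder release date "[xx XXX xxxx]" in the section header is presumably filled at release time.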
@@ -19736,6 +19740,7 @@ ndif
<!-- Links -->
+[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
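Review bot: the new link reference is inserted ahead of [CVE-2023-4807], which keeps the list in descending CVE order; nothing further needed here beyond confirming the anchor `#CVE-2023-5363` exists on the vulnerabilities page before release.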
diff --git a/NEWS.md b/NEWS.md
index 72f78d581e..b4e57b7fd8 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -20,7 +20,8 @@ OpenSSL 3.0
### Major changes between OpenSSL 3.0.11 and OpenSSL 3.0.12 [under development]
- * none
+ * Mitigate incorrect resize handling for symmetric cipher keys and IVs.
+ ([CVE-2023-5363])
### Major changes between OpenSSL 3.0.10 and OpenSSL 3.0.11 [19 Sep 2023]
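Review bot: the NEWS entry says "Mitigate incorrect resize handling" while the CHANGES entry for the same change says "Fix incorrect key and IV resizing issues"; "mitigate" suggests the underlying problem remains, "fix" that it is resolved. Pick one verb for both files so downstream packagers do not read them as describing different states of the fix, e.g. "Fix incorrect resize handling for symmetric cipher keys and IVs."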
@@ -1457,6 +1458,7 @@ OpenSSL 0.9.x
<!-- Links -->
+[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446