author    Matt Caswell <matt@openssl.org>  2018-03-27 10:58:34 +0100
committer Matt Caswell <matt@openssl.org>  2018-03-27 13:33:09 +0100
commit    b621f604e9b52ce8f568b6d3677a19b1e862613a (patch)
tree      f0c5e3ab3824a53d178e9163bf0b7d22a7431ba4
parent    9310d45087ae546e27e61ddf8f6367f29848220d (diff)
Update CHANGES and NEWS for the new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
-rw-r--r--  CHANGES  13
-rw-r--r--  NEWS      3
2 files changed, 14 insertions, 2 deletions
diff --git a/CHANGES b/CHANGES
index f2bc2b321d..5e6295c00f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,7 +9,18 @@
Changes between 1.0.2n and 1.0.2o [xx XXX xxxx]
- *)
+ *) Constructed ASN.1 types with a recursive definition could exceed the stack
+
+ Constructed ASN.1 types with a recursive definition (such as can be found
+ in PKCS7) could eventually exceed the stack given malicious input with
+ excessive recursion. This could result in a Denial Of Service attack. There
+ are no such structures used within SSL/TLS that come from untrusted sources
+ so this is considered safe.
+
+ This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
+ project.
+ (CVE-2018-0739)
+ [Matt Caswell]
Changes between 1.0.2m and 1.0.2n [7 Dec 2017]
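Review bot: the leading context line of this hunk still reads `Changes between 1.0.2n and 1.0.2o [xx XXX xxxx]`, so the release date placeholder has to be filled in before the tree is tagged; the new entry itself is otherwise complete. One wording suggestion for the added paragraph: "There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe" reads as if the issue were harmless overall, whereas the preceding sentences describe a Denial Of Service against any code that parses recursively defined constructed ASN.1 types such as PKCS7 from malicious input. Consider making the scope explicit, e.g. "SSL/TLS itself is not affected because ... ; applications that parse untrusted PKCS7 or other recursive ASN.1 structures are affected", so readers of CHANGES can judge their exposure correctly.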
diff --git a/NEWS b/NEWS
index f688c5aa55..3cf97937f8 100644
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,8 @@
Major changes between OpenSSL 1.0.2n and OpenSSL 1.0.2o [under development]
- o
+ o Constructed ASN.1 types with a recursive definition could exceed the
+ stack (CVE-2018-0739)
Major changes between OpenSSL 1.0.2m and OpenSSL 1.0.2n [7 Dec 2017]
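Review bot: the NEWS entry keeps only the title line `Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739)` and drops the qualification from CHANGES that SSL/TLS does not process such structures from untrusted sources. Since NEWS is what most users skim when deciding whether to upgrade, a short parenthetical stating the affected scope (untrusted PKCS7 or similar recursive ASN.1 input, not the TLS protocol itself) would be worth the extra line. The `[under development]` marker in the heading context also needs replacing with the release date at tag time.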