author | Tomas Mraz <tomas@openssl.org> | 2024-06-03 16:52:29 +0200 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2024-06-04 14:38:57 +0200 |
commit | e815e0bd40b8967224af430a2f64cba876b3ea6c (patch) | |
tree | a1ca5c44dd2b00b68d6f88421238f38877cde3cf | |
parent | 0324602e8ae25cc4698164b583ee54208e65695c (diff) |
Update CHANGES.md and NEWS.md for the upcoming release
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24550)
(cherry picked from commit 3fa9df5f1d0f12d1d488aaa0fc46bb533d3870f0)
-rw-r--r-- | CHANGES.md | 25 | ||||
-rw-r--r-- | NEWS.md | 9 |
2 files changed, 34 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md index 7352e7e392..290f346dd9 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -24,6 +24,29 @@ OpenSSL 3.1 ### Changes between 3.1.5 and 3.1.6 [xx XXX xxxx] + * Fixed potential use after free after SSL_free_buffers() is called. + + The SSL_free_buffers function is used to free the internal OpenSSL + buffer used when processing an incoming record from the network. + The call is only expected to succeed if the buffer is not currently + in use. However, two scenarios have been identified where the buffer + is freed even when still in use. + + The first scenario occurs where a record header has been received + from the network and processed by OpenSSL, but the full record body + has not yet arrived. In this case calling SSL_free_buffers will succeed + even though a record has only been partially processed and the buffer + is still in use. + + The second scenario occurs where a full record containing application + data has been received and processed by OpenSSL but the application has + only read part of this data. Again a call to SSL_free_buffers will + succeed even though the buffer is still in use. + + ([CVE-2024-4741]) + + *Matt Caswell* + * Fixed an issue where checking excessively long DSA keys or parameters may be very slow. @@ -19991,6 +20014,8 @@ ndif <!-- Links --> +[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 +[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237 
@@ -21,6 +21,13 @@ OpenSSL 3.1 ### Major changes between OpenSSL 3.1.5 and OpenSSL 3.1.6 [under development] + * Fixed potential use after free after SSL_free_buffers() is called + ([CVE-2024-4741]) + + * Fixed an issue where checking excessively long DSA keys or parameters may + be very slow + ([CVE-2024-4603]) + * Fixed unbounded memory growth with session handling in TLSv1.3 ([CVE-2024-2511]) @@ -1491,6 +1498,8 @@ OpenSSL 0.9.x <!-- Links --> +[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 +[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237 |
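Review bot: in the CHANGES.md hunk `@@ -24,6 +24,29 @@`, the new CVE-2024-4741 entry describes the two scenarios in which SSL_free_buffers() freed a buffer that was still in use, but it never states the corrected behaviour. A closing sentence saying what the call now does in those two cases (for example, whether it refuses to free and leaves the buffer allocated) would tell readers what to expect after upgrading, which is the main thing a changelog entry for a memory-safety fix should answer.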
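Review bot: in the CHANGES.md links hunk `@@ -19991,6 +20014,8 @@`, the `[CVE-2024-4603]` definition has no visible referrer in this patch: the DSA entry "Fixed an issue where checking excessively long DSA keys or parameters may be very slow." in the 3.1.6 section appears only as unchanged context, so it is not shown whether it already carries a `([CVE-2024-4603])` reference. Please confirm it does; otherwise the new definition is dangling in CHANGES.md while the matching NEWS.md bullet does link it.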
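Review bot: in the NEWS.md hunk `@@ -21,6 +21,13 @@`, the CVE-2024-4741 bullet says nothing about who is affected, and NEWS.md is the summary most users read. Since the issue only arises after SSL_free_buffers() is called, appending a short qualifier such as "for applications that call SSL_free_buffers()" would let readers see at a glance whether the fix applies to them, consistent with the level of detail the CVE-2024-2511 bullet gives ("with session handling in TLSv1.3").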