From 73e044bd1aa3ff00e189624b4807e15e8de8f8e4 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 26 Apr 2022 14:39:34 +0100 Subject: Update CHANGES and NEWS for new release Reviewed-by: Tomas Mraz Release: yes --- NEWS.md | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'NEWS.md') diff --git a/NEWS.md b/NEWS.md index 99e8c715d3..630c57ae53 100644 --- a/NEWS.md +++ b/NEWS.md @@ -29,6 +29,17 @@ OpenSSL 3.1 OpenSSL 3.0 ----------- +### Major changes between OpenSSL 3.0.2 and OpenSSL 3.0.3 + + * Fixed a bug in the c_rehash script which was not properly sanitising shell + metacharacters to prevent command injection ([CVE-2022-1292]) + * Fixed a bug in the function `OCSP_basic_verify` that verifies the signer + certificate on an OCSP response ([CVE-2022-1343]) + * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the + AAD data as the MAC key ([CVE-2022-1434]) + * Fix a bug in the OPENSSL_LH_flush() function that breaks reuse of the memory + occuppied by the removed hash table entries ([CVE-2022-1473]) + ### Major changes between OpenSSL 3.0.1 and OpenSSL 3.0.2 * Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever -- cgit v1.2.3
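Review bot: In the last added bullet (the OPENSSL_LH_flush() entry for CVE-2022-1473), "occuppied" is misspelled and the entry opens with "Fix a bug" where the three entries above it use "Fixed a bug". Suggested wording: "Fixed a bug in the `OPENSSL_LH_flush()` function that breaks reuse of the memory occupied by the removed hash table entries", with the function name in backticks to match `OCSP_basic_verify`. The labels [CVE-2022-1292], [CVE-2022-1343], [CVE-2022-1434] and [CVE-2022-1473] are reference-style links, and this hunk adds no link definitions for them, so please confirm matching definitions exist elsewhere in NEWS.md; otherwise they render as plain bracketed text. The `OCSP_basic_verify` entry also says only that the function "verifies the signer certificate on an OCSP response" without stating what the bug was, unlike the other three entries. A short statement of the failure would let readers judge their exposure from NEWS.md alone.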