Update CHANGES and NEWS for new release

Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/7667)
author: Matt Caswell <matt@openssl.org> 2018-11-20 10:52:53 +0000
committer: Matt Caswell <matt@openssl.org> 2018-11-20 11:57:17 +0000
commit: 548cce63dd401b89e26d049152e3f9465f82720f (patch)
tree: f3c5bb0ecbe0bed0b5f089c54cffe640fcc08ae1
parent: d88ff8962c2fd86aeb7ca7297ca9526d0916787e (diff)
2 files changed, 12 insertions, 1 deletions
diff --git a/CHANGES b/CHANGES
index fde66b5ba4..11d72327c5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -22,6 +22,16 @@
      (CVE-2018-5407)
      [Billy Brumley]
 
+  *) Timing vulnerability in DSA signature generation
+
+     The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
+     timing side channel attack. An attacker could use variations in the signing
+     algorithm to recover the private key.
+
+     This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
+     (CVE-2018-0734)
+     [Paul Dale]
+
   *) Resolve a compatibility issue in EC_GROUP handling with the FIPS Object
      Module, accidentally introduced while backporting security fixes from the
      development branch and hindering the use of ECC in FIPS mode.
diff --git a/NEWS b/NEWS
index 2c5f5f8330..38fe668ffa 100644
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,8 @@
 
   Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [under development]
 
-      o
+      o Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
+      o Timing vulnerability in DSA signature generation (CVE-2018-0734)
 
   Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p [14 Aug 2018]
author	Matt Caswell <matt@openssl.org>	2018-11-20 10:52:53 +0000
committer	Matt Caswell <matt@openssl.org>	2018-11-20 11:57:17 +0000
commit	548cce63dd401b89e26d049152e3f9465f82720f (patch)
tree	f3c5bb0ecbe0bed0b5f089c54cffe640fcc08ae1
parent	d88ff8962c2fd86aeb7ca7297ca9526d0916787e (diff)