author Matt Caswell <matt@openssl.org> 2015-12-01 14:39:47 +0000
committer Matt Caswell <matt@openssl.org> 2015-12-02 23:38:02 +0000
commit 35c8d0d85fe71e41eb990655b249e398c7fd1435 (patch)
tree 0beea65f2cd043af48fd833333b5e3e1be0f83de
parent 2cdafc51f008e65b2d5263a80ad0e89e9b56c8d3 (diff)
Update CHANGES and NEWS

Update the CHANGES and NEWS files for the new release.

Reviewed-by: Rich Salz <rsalz@openssl.org>
-rw-r--r-- CHANGES 12
-rw-r--r-- NEWS 2
2 files changed, 12 insertions, 2 deletions
diff --git a/CHANGES b/CHANGES
index ed2f0ecff3..fb36e9eff8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,17 @@
Changes between 0.9.8zg and 0.9.8zh [xx XXX xxxx]
- *)
+ *) X509_ATTRIBUTE memory leak
+
+ When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
+ memory. This structure is used by the PKCS#7 and CMS routines so any
+ application which reads PKCS#7 or CMS data from untrusted sources is
+ affected. SSL/TLS is not affected.
+
+ This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
+ libFuzzer.
+ (CVE-2015-3195)
+ [Stephen Henson]
Changes between 0.9.8zf and 0.9.8zg [11 Jun 2015]
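Review bot: the new X509_ATTRIBUTE entry names the trigger ("a malformed X509_ATTRIBUTE structure") and says OpenSSL "will leak memory", but it does not state the consequence for an application that keeps reading PKCS#7 or CMS data from untrusted sources. Suggest one more sentence after "SSL/TLS is not affected." saying what repeated malformed input means for a long-running process, so that readers can judge how urgently to upgrade. The section header in the context line above the entry also still carries the placeholder date "[xx XXX xxxx]".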
diff --git a/NEWS b/NEWS
index 4ffbbab0cd..2ddf2f8aef 100644
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,7 @@
Major changes between OpenSSL 0.9.8zg and OpenSSL 0.9.8zh [under development]
- o
+ o X509_ATTRIBUTE memory leak (CVE-2015-3195)
Major changes between OpenSSL 0.9.8zf and OpenSSL 0.9.8zg [11 Jun 2015]
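Review bot: the header in the context line above the new item still reads "[under development]" although the commit message says these files are being updated for the new release; confirm that the release-preparation step replaces it with the release date before tagging. The one-line item "X509_ATTRIBUTE memory leak (CVE-2015-3195)" could also carry the scope that CHANGES gives (PKCS#7 and CMS parsing, not SSL/TLS), since many readers only see NEWS.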