changes: note about policy tree size limits and circumvention

Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/20571)
author: Pauli <pauli@openssl.org> 2023-03-15 18:43:11 +1100
committer: Pauli <pauli@openssl.org> 2023-03-22 11:25:50 +1100
commit: 83ff6cbd9a02ed713bf66f960ab9aea5fced49a3 (patch)
tree: 5b706e1f9c8e3c181aa18bd6252765f334b6a4fb /CHANGES.md
parent: cca6c050dbf8e377794303ec37aa43cb567afda1 (diff)
1 files changed, 12 insertions, 1 deletions
diff --git a/CHANGES.md b/CHANGES.md
index 860f91d5f8..ed677aa815 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -240,7 +240,18 @@ OpenSSL 3.2
 OpenSSL 3.1
 -----------
 
-### Changes between 3.0 and 3.1.0 [xx XXX xxxx]
+### Changes between 3.1.0 and 3.1.1 [xx XXX xxxx]
+
+ * Limited the number of nodes created in a policy tree to mitigate
+   against CVE-2023-0464.  The default limit is set to 1000 nodes, which
+   should be sufficient for most installations.  If required, the limit
+   can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
+   time define to a desired maximum number of nodes or zero to allow
+   unlimited growth.
+
+   *Paul Dale*
+
+### Changes between 3.0 and 3.1.0 [14 Mar 2023]
 
  * Add FIPS provider configuration option to enforce the
    Extended Master Secret (EMS) check during the TLS1_PRF KDF.
author	Pauli <pauli@openssl.org>	2023-03-15 18:43:11 +1100
committer	Pauli <pauli@openssl.org>	2023-03-22 11:25:50 +1100
commit	83ff6cbd9a02ed713bf66f960ab9aea5fced49a3 (patch)
tree	5b706e1f9c8e3c181aa18bd6252765f334b6a4fb /CHANGES.md
parent	cca6c050dbf8e377794303ec37aa43cb567afda1 (diff)