diff options
author | Pauli <pauli@openssl.org> | 2023-03-15 18:43:11 +1100 |
---|---|---|
committer | Pauli <pauli@openssl.org> | 2023-03-22 11:25:50 +1100 |
commit | 83ff6cbd9a02ed713bf66f960ab9aea5fced49a3 (patch) | |
tree | 5b706e1f9c8e3c181aa18bd6252765f334b6a4fb /CHANGES.md | |
parent | cca6c050dbf8e377794303ec37aa43cb567afda1 (diff) |
changes: note about policy tree size limits and circumvention
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20571)
Diffstat (limited to 'CHANGES.md')
-rw-r--r-- | CHANGES.md | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/CHANGES.md b/CHANGES.md index 860f91d5f8..ed677aa815 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -240,7 +240,18 @@ OpenSSL 3.2 OpenSSL 3.1 ----------- -### Changes between 3.0 and 3.1.0 [xx XXX xxxx] +### Changes between 3.1.0 and 3.1.1 [xx XXX xxxx] + + * Limited the number of nodes created in a policy tree to mitigate + against CVE-2023-0464. The default limit is set to 1000 nodes, which + should be sufficient for most installations. If required, the limit + can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build + time define to a desired maximum number of nodes or zero to allow + unlimited growth. + + *Paul Dale* + +### Changes between 3.0 and 3.1.0 [14 Mar 2023] * Add FIPS provider configuration option to enforce the Extended Master Secret (EMS) check during the TLS1_PRF KDF. |