Update CHANGES/NEWS for new release

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

1 files changed, 29 insertions, 0 deletions

diff --git a/CHANGES b/CHANGES
index ca60f359c9..a455201f52 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,35 @@
 
  Changes between 1.1.1m and 1.1.1n [xx XXX xxxx]
 
+  *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
+     for non-prime moduli.
+
+     Internally this function is used when parsing certificates that contain
+     elliptic curve public keys in compressed form or explicit elliptic curve
+     parameters with a base point encoded in compressed form.
+
+     It is possible to trigger the infinite loop by crafting a certificate that
+     has invalid explicit curve parameters.
+
+     Since certificate parsing happens prior to verification of the certificate
+     signature, any process that parses an externally supplied certificate may
+     thus be subject to a denial of service attack. The infinite loop can also
+     be reached when parsing crafted private keys as they can contain explicit
+     elliptic curve parameters.
+
+     Thus vulnerable situations include:
+
+      - TLS clients consuming server certificates
+      - TLS servers consuming client certificates
+      - Hosting providers taking certificates or private keys from customers
+      - Certificate authorities parsing certification requests from subscribers
+      - Anything else which parses ASN.1 elliptic curve parameters
+
+     Also any other applications that use the BN_mod_sqrt() where the attacker
+     can control the parameter values are vulnerable to this DoS issue.
+     (CVE-2022-0778)
+     [Tomáš Mráz]
+
   *) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
      to the list of ciphersuites providing Perfect Forward Secrecy as
      required by SECLEVEL >= 3.