changes: note about policy tree size limits and circumvention

Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/20569)
author: Pauli <pauli@openssl.org> 2023-03-15 14:29:22 +1100
committer: Pauli <pauli@openssl.org> 2023-03-22 11:42:30 +1100
commit: fa425f20955c7948faed27f69ae4544f89c108ea (patch)
tree: 759765e27ec1ca6f07b9c9384ea2057280fa0973 /CHANGES
parent: b44a67c6132754adc256290d0267c1e82994ac94 (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/CHANGES b/CHANGES
index f18b08cb0e..17caf6775b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,7 +9,13 @@
 
  Changes between 1.1.1t and 1.1.1u [xx XXX xxxx]
 
-  *)
+  *) Limited the number of nodes created in a policy tree to mitigate
+     against CVE-2023-0464.  The default limit is set to 1000 nodes, which
+     should be sufficient for most installations.  If required, the limit
+     can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
+     time define to a desired maximum number of nodes or zero to allow
+     unlimited growth.
+     [Paul Dale]
 
  Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
author	Pauli <pauli@openssl.org>	2023-03-15 14:29:22 +1100
committer	Pauli <pauli@openssl.org>	2023-03-22 11:42:30 +1100
commit	fa425f20955c7948faed27f69ae4544f89c108ea (patch)
tree	759765e27ec1ca6f07b9c9384ea2057280fa0973 /CHANGES
parent	b44a67c6132754adc256290d0267c1e82994ac94 (diff)