Updates CHANGES and NEWS for new release

Reviewed-by: Richard Levitte <levitte@openssl.org>
author: Matt Caswell <matt@openssl.org> 2016-09-26 09:43:45 +0100
committer: Matt Caswell <matt@openssl.org> 2016-09-26 10:24:37 +0100
commit: 3133c2d3067c6add91cf370b0b8342d891b8e97a (patch)
tree: 53bad7962c333579cfd7ccc249bca2def9bfc84f /CHANGES
parent: 44f206aa9dfd4f226f17d9093732dbece5300aa6 (diff)
1 files changed, 17 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 97e70ac5ef..eb18673f66 100644
--- a/CHANGES
+++ b/CHANGES
@@ -11,6 +11,23 @@
      https://www.akkadia.org/drepper/SHA-crypt.txt
      [Richard Levitte]
 
+ Changes between 1.1.0a and 1.1.0b [26 Sep 2016]
+
+  *) Fix Use After Free for large message sizes
+
+     The patch applied to address CVE-2016-6307 resulted in an issue where if a
+     message larger than approx 16k is received then the underlying buffer to
+     store the incoming message is reallocated and moved. Unfortunately a
+     dangling pointer to the old location is left which results in an attempt to
+     write to the previously freed location. This is likely to result in a
+     crash, however it could potentially lead to execution of arbitrary code.
+
+     This issue only affects OpenSSL 1.1.0a.
+
+     This issue was reported to OpenSSL by Robert Święcki.
+     (CVE-2016-6309)
+     [Matt Caswell]
+
  Changes between 1.1.0 and 1.1.0a [22 Sep 2016]
 
   *) OCSP Status Request extension unbounded memory growth
author	Matt Caswell <matt@openssl.org>	2016-09-26 09:43:45 +0100
committer	Matt Caswell <matt@openssl.org>	2016-09-26 10:24:37 +0100
commit	3133c2d3067c6add91cf370b0b8342d891b8e97a (patch)
tree	53bad7962c333579cfd7ccc249bca2def9bfc84f /CHANGES
parent	44f206aa9dfd4f226f17d9093732dbece5300aa6 (diff)