Add CHANGES.md and NEWS.md entries for CVE-2023-2975

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21384)

1 files changed, 6 insertions, 4 deletions

diff --git a/NEWS.md b/NEWS.md
index 519c691c82..7bfc645626 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -39,10 +39,11 @@ OpenSSL 3.1
 
 ### Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [under development]
 
- * When building with the `enable-fips` option and using the resulting
-   FIPS provider, TLS 1.2 will, by default, mandate the use of an
-   extended master secret and the Hash and HMAC DRBGs will not operate
-   with truncated digests.
+  * Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975])
+  * When building with the `enable-fips` option and using the resulting
+    FIPS provider, TLS 1.2 will, by default, mandate the use of an
+    extended master secret and the Hash and HMAC DRBGs will not operate
+    with truncated digests.
 
 ### Major changes between OpenSSL 3.1.0 and OpenSSL 3.1.1 [30 May 2023]
 
@@ -1479,6 +1480,7 @@ OpenSSL 0.9.x
 
 <!-- Links -->
 
+[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
 [CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
 [CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466