diff options
| -rw-r--r-- | CHANGES.md | 19 | ||||
| -rw-r--r-- | NEWS.md | 13 |
2 files changed, 31 insertions, 1 deletions
diff --git a/CHANGES.md b/CHANGES.md index 559a69f518..8fd34ac467 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -173,6 +173,24 @@ OpenSSL 3.2 ### Changes between 3.2.1 and 3.2.2 [xx XXX xxxx] + * Fixed an issue where some non-default TLS server configurations can cause + unbounded memory growth when processing TLSv1.3 sessions. An attacker may + exploit certain server configurations to trigger unbounded memory growth that + would lead to a Denial of Service + + This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option + is being used (but not if early_data is also configured and the default + anti-replay protection is in use). In this case, under certain conditions, + the session cache can get into an incorrect state and it will fail to flush + properly as it fills. The session cache will continue to grow in an unbounded + manner. A malicious client could deliberately create the scenario for this + failure to force a Denial of Service. It may also happen by accident in + normal operation. + + ([CVE-2024-2511]) + + *Matt Caswell* + * Fixed bug where SSL_export_keying_material() could not be used with QUIC connections. (#23560) @@ -20545,6 +20563,7 @@ ndif <!-- Links --> +[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129 @@ -29,7 +29,17 @@ OpenSSL 3.3 OpenSSL 3.2 ----------- -### Major changes between OpenSSL 3.2.0 and OpenSSL 3.2.1 [under development] +### Major changes between OpenSSL 3.2.1 and OpenSSL 3.2.2 [under development] + +OpenSSL 3.2.2 is a security patch release. The most severe CVE fixed in this +release is Low. + +This release incorporates the following bug fixes and mitigations: + + * Fixed unbounded memory growth with session handling in TLSv1.3 + ([CVE-2024-2511]) + +### Major changes between OpenSSL 3.2.0 and OpenSSL 3.2.1 [30 Jan 2024] OpenSSL 3.2.1 is a security patch release. The most severe CVE fixed in this release is Low. @@ -1592,6 +1602,7 @@ OpenSSL 0.9.x <!-- Links --> +[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129 |