From 4975571a5dee8957f43aff70272dd9ab89f582cf Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Thu, 5 Dec 2019 01:20:14 +0100 Subject: Add a CHANGES entry for CVE-2019-1551 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/10576) --- CHANGES | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index df613740a9..f28ff6eab6 100644 --- a/CHANGES +++ b/CHANGES @@ -9,7 +9,17 @@ Changes between 1.0.2t and 1.0.2u [xx XXX xxxx] - *) + *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure + used in exponentiation with 512-bit moduli. No EC algorithms are + affected. Analysis suggests that attacks against 2-prime RSA1024, + 3-prime RSA1536, and DSA1024 as a result of this defect would be very + difficult to perform and are not believed likely. Attacks against DH512 + are considered just feasible. However, for an attack the target would + have to re-use the DH512 private key, which is not recommended anyway. + Also applications directly using the low level API BN_mod_exp may be + affected if they use BN_FLG_CONSTTIME. + (CVE-2019-1551) + [Andy Polyakov] Changes between 1.0.2s and 1.0.2t [10 Sep 2019] -- cgit v1.2.3
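Review bot: two typos in the added CHANGES entry in this hunk. The first line reads "Fixed an an overflow bug in the x64_64 Montgomery squaring procedure": the article is doubled ("an an"), and "x64_64" should be "x86_64", which is the architecture name used elsewhere for this assembly code path. Suggest "Fixed an overflow bug in the x86_64 Montgomery squaring procedure". The remainder of the entry (no EC impact, feasibility assessment for RSA1024/RSA1536/DSA1024 versus DH512, the DH512 private-key reuse precondition, and the BN_mod_exp with BN_FLG_CONSTTIME caveat for direct low-level API users) reads clearly; the "[xx XXX xxxx]" release date on the context line is still a placeholder to be filled in when 1.0.2u is tagged.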