diff --git a/CHANGES.md b/CHANGES.md index 74e5d4bcbbe697f437b04eeda3d0d3d071bb886f..23c5c564e2004b07fb667420cd87c77d989ab2be 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -28,7 +28,17 @@ OpenSSL 3.3 ### Changes between 3.3.1 and 3.3.2 [xx XXX xxxx] - * none yet + * Fixed possible denial of service in X.509 name checks. + + Applications performing certificate name checks (e.g., TLS clients checking + server certificates) may attempt to read an invalid memory address when + comparing the expected name with an `otherName` subject alternative name of + an X.509 certificate. This may result in an exception that terminates the + application program. + + [(CVE-2024-6119)] + + *Viktor Dukhovni* ### Changes between 3.3.0 and 3.3.1 [4 Jun 2024] @@ -20665,6 +20675,7 @@ ndif <!-- Links --> +[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511 diff --git a/NEWS.md b/NEWS.md index 26e0998b7a7b78c24f3c9d9756253e197c40fb05..115cbaab01b72b0d4f4821c4c8902fc6c9196ec8 100644 --- a/NEWS.md +++ b/NEWS.md @@ -23,7 +23,10 @@ OpenSSL 3.3 ### Major changes between OpenSSL 3.3.1 and OpenSSL 3.3.2 [under development] - * none +OpenSSL 3.3.2 is a security patch release. The most severe CVE fixed in this +release is Moderate. + + * Fixed possible denial of service in X.509 name checks [(CVE-2024-6119)]. ### Major changes between OpenSSL 3.3.0 and OpenSSL 3.3.1 [4 Jun 2024] @@ -1733,6 +1736,7 @@ OpenSSL 0.9.x <!-- Links --> +[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511