zzy/openssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add CVE-2024-5535 to CHANGES and NEWS

Browse Source 
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
(cherry picked from commit abcb0f83d060eb816503a6a36959ce8498a24111)
This commit is contained in:
Tomas Mraz 2024-09-03 12:24:58 +02:00
parent ca979e854b
commit 03b22b4d73
2 changed files with 20 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
CHANGES.md
View File

@ -207,10 +207,20 @@ OpenSSL 3.3
an X.509 certificate. This may result in an exception that terminates the an X.509 certificate. This may result in an exception that terminates the
application program. application program.
[(CVE-2024-6119)] ([CVE-2024-6119])
*Viktor Dukhovni* *Viktor Dukhovni*
* Fixed possible buffer overread in SSL_select_next_proto().
Calling the OpenSSL API function SSL_select_next_proto with an empty
supported client protocols buffer may cause a crash or memory contents
to be sent to the peer.
([CVE-2024-5535])
*Matt Caswell*
### Changes between 3.3.0 and 3.3.1 [4 Jun 2024] ### Changes between 3.3.0 and 3.3.1 [4 Jun 2024]
* Fixed potential use after free after SSL_free_buffers() is called. * Fixed potential use after free after SSL_free_buffers() is called.
@ -20847,6 +20857,7 @@ ndif
<!-- Links --> <!-- Links -->
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511

9
NEWS.md
View File

@ -93,7 +93,13 @@ OpenSSL 3.3
OpenSSL 3.3.2 is a security patch release. The most severe CVE fixed in this OpenSSL 3.3.2 is a security patch release. The most severe CVE fixed in this
release is Moderate. release is Moderate.
* Fixed possible denial of service in X.509 name checks [(CVE-2024-6119)]. This release incorporates the following bug fixes and mitigations:
* Fixed possible denial of service in X.509 name checks
([CVE-2024-6119])
* Fixed possible buffer overread in SSL_select_next_proto()
([CVE-2024-5535])
### Major changes between OpenSSL 3.3.0 and OpenSSL 3.3.1 [4 Jun 2024] ### Major changes between OpenSSL 3.3.0 and OpenSSL 3.3.1 [4 Jun 2024]
@ -1804,6 +1810,7 @@ OpenSSL 0.9.x
<!-- Links --> <!-- Links -->
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511