zzy/openssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add a CHANGES.md/NEWS.md entry for the unbounded memory growth bug

Browse Source 
Related to CVE-2024-2511

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24042)
This commit is contained in:
Matt Caswell 2024-03-05 16:01:20 +00:00 committed by Tomas Mraz
parent 7984fa683e
commit 03c4b0eab6
2 changed files with 31 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
CHANGES.md
View File

@ -173,6 +173,24 @@ OpenSSL 3.2
### Changes between 3.2.1 and 3.2.2 [xx XXX xxxx]
* Fixed an issue where some non-default TLS server configurations can cause
unbounded memory growth when processing TLSv1.3 sessions. An attacker may
exploit certain server configurations to trigger unbounded memory growth that
would lead to a Denial of Service
This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
is being used (but not if early_data is also configured and the default
anti-replay protection is in use). In this case, under certain conditions,
the session cache can get into an incorrect state and it will fail to flush
properly as it fills. The session cache will continue to grow in an unbounded
manner. A malicious client could deliberately create the scenario for this
failure to force a Denial of Service. It may also happen by accident in
normal operation.
([CVE-2024-2511])
*Matt Caswell*
* Fixed bug where SSL_export_keying_material() could not be used with QUIC
connections. (#23560)
@ -20545,6 +20563,7 @@ ndif
<!-- Links -->
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129

13
NEWS.md
View File

@ -29,7 +29,17 @@ OpenSSL 3.3
OpenSSL 3.2
-----------
### Major changes between OpenSSL 3.2.0 and OpenSSL 3.2.1 [under development]
### Major changes between OpenSSL 3.2.1 and OpenSSL 3.2.2 [under development]
OpenSSL 3.2.2 is a security patch release. The most severe CVE fixed in this
release is Low.
This release incorporates the following bug fixes and mitigations:
* Fixed unbounded memory growth with session handling in TLSv1.3
([CVE-2024-2511])
### Major changes between OpenSSL 3.2.0 and OpenSSL 3.2.1 [30 Jan 2024]
OpenSSL 3.2.1 is a security patch release. The most severe CVE fixed in this
release is Low.
@ -1592,6 +1602,7 @@ OpenSSL 0.9.x
<!-- Links -->
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129