zzy/openssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add CHANGES.md and NEWS.md entries for CVE-2024-9143

Browse Source 
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/25734)

(cherry picked from commit 233034bc5a294b26d37186dc68d7d6d8357d889a)
This commit is contained in:
Tomas Mraz 2024-10-18 13:51:37 +02:00 committed by Matt Caswell
parent 1f0cb85047
commit 36254fda37
2 changed files with 33 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
CHANGES.md
View File

@ -229,7 +229,25 @@ OpenSSL 3.4
OpenSSL 3.3 OpenSSL 3.3
----------- -----------
### Changes between 3.3.1 and 3.3.2 [xx XXX xxxx] ### Changes between 3.3.2 and 3.3.3 [xx XXX xxxx]
* Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
curve parameters.
Use of the low-level GF(2^m) elliptic curve APIs with untrusted
explicit values for the field polynomial can lead to out-of-bounds memory
reads or writes.
Applications working with "exotic" explicit binary (GF(2^m)) curve
parameters, that make it possible to represent invalid field polynomials
with a zero constant term, via the above or similar APIs, may terminate
abruptly as a result of reading or writing outside of array bounds. Remote
code execution cannot easily be ruled out.
([CVE-2024-9143])
*Viktor Dukhovni*
### Changes between 3.3.1 and 3.3.2 [3 Sep 2024]
* Fixed possible denial of service in X.509 name checks. * Fixed possible denial of service in X.509 name checks.
@ -20888,6 +20906,7 @@ ndif
<!-- Links --> <!-- Links -->
[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535 [CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741

14
NEWS.md
View File

@ -115,7 +115,18 @@ This release adds the following new features:
OpenSSL 3.3 OpenSSL 3.3
----------- -----------
### Major changes between OpenSSL 3.3.1 and OpenSSL 3.3.2 [under development] ### Major changes between OpenSSL 3.3.2 and OpenSSL 3.3.3 [under development]
OpenSSL 3.3.3 is a security patch release. The most severe CVE fixed in this
release is Low.
This release incorporates the following bug fixes and mitigations:
* Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
curve parameters.
([CVE-2024-9143])
### Major changes between OpenSSL 3.3.1 and OpenSSL 3.3.2 [3 Sep 2024]
OpenSSL 3.3.2 is a security patch release. The most severe CVE fixed in this OpenSSL 3.3.2 is a security patch release. The most severe CVE fixed in this
release is Moderate. release is Moderate.
@ -1836,6 +1847,7 @@ OpenSSL 0.9.x
<!-- Links --> <!-- Links -->
[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535 [CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741