zzy/openssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Updated CHANGES and NEWS for CVE-2024-6119 fix

Browse Source 
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(cherry picked from commit cf384d35aa7142cc3b5de19f64d3972e77d3ff74)
This commit is contained in:
Viktor Dukhovni 2024-07-10 19:50:57 +10:00 committed by Tomas Mraz
parent 0890cd13d4
commit ca979e854b
2 changed files with 25 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
CHANGES.md
View File

@ -197,7 +197,21 @@ OpenSSL 3.4
OpenSSL 3.3 OpenSSL 3.3
----------- -----------
### Changes between 3.3.0 and 3.3.1 [xx XXX xxxx] ### Changes between 3.3.1 and 3.3.2 [xx XXX xxxx]
* Fixed possible denial of service in X.509 name checks.
Applications performing certificate name checks (e.g., TLS clients checking
server certificates) may attempt to read an invalid memory address when
comparing the expected name with an `otherName` subject alternative name of
an X.509 certificate. This may result in an exception that terminates the
application program.
[(CVE-2024-6119)]
*Viktor Dukhovni*
### Changes between 3.3.0 and 3.3.1 [4 Jun 2024]
* Fixed potential use after free after SSL_free_buffers() is called. * Fixed potential use after free after SSL_free_buffers() is called.
@ -20832,6 +20846,7 @@ ndif
<!-- Links --> <!-- Links -->
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511

10
NEWS.md
View File

@ -88,7 +88,14 @@ This release adds the following new features:
OpenSSL 3.3 OpenSSL 3.3
----------- -----------
### Major changes between OpenSSL 3.3.0 and OpenSSL 3.3.1 [under development] ### Major changes between OpenSSL 3.3.1 and OpenSSL 3.3.2 [under development]
OpenSSL 3.3.2 is a security patch release. The most severe CVE fixed in this
release is Moderate.
* Fixed possible denial of service in X.509 name checks [(CVE-2024-6119)].
### Major changes between OpenSSL 3.3.0 and OpenSSL 3.3.1 [4 Jun 2024]
OpenSSL 3.3.1 is a security patch release. The most severe CVE fixed in this OpenSSL 3.3.1 is a security patch release. The most severe CVE fixed in this
release is Low. release is Low.
@ -1796,6 +1803,7 @@ OpenSSL 0.9.x
<!-- Links --> <!-- Links -->
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511