Updated CHANGES and NEWS for CVE-2024-6119 fix

Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (cherry picked from commit cf384d35aa7142cc3b5de19f64d3972e77d3ff74)
author: Viktor Dukhovni <viktor@openssl.org> 2024-07-10 11:50:57 +0200
committer: Tomas Mraz <tomas@openssl.org> 2024-09-03 21:04:03 +0200
commit: ca979e854b2ac847c3abdf10a6c61b569611b6ae (patch)
tree: eaa3704f4bbc5a0ca4838b98642fa7764a656d0f
parent: Avoid type errors in EAI-related name check logic. (diff)
download: openssl-ca979e854b2ac847c3abdf10a6c61b569611b6ae.tar.xz
openssl-ca979e854b2ac847c3abdf10a6c61b569611b6ae.zip
2 files changed, 25 insertions, 2 deletions
diff --git a/CHANGES.md b/CHANGES.md
index db01de1b35..da1a4ba63b 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -197,7 +197,21 @@ OpenSSL 3.4
 OpenSSL 3.3
 -----------
 
-### Changes between 3.3.0 and 3.3.1 [xx XXX xxxx]
+### Changes between 3.3.1 and 3.3.2 [xx XXX xxxx]
+
+ * Fixed possible denial of service in X.509 name checks.
+
+   Applications performing certificate name checks (e.g., TLS clients checking
+   server certificates) may attempt to read an invalid memory address when
+   comparing the expected name with an `otherName` subject alternative name of
+   an X.509 certificate. This may result in an exception that terminates the
+   application program.
+
+   [(CVE-2024-6119)]
+
+   *Viktor Dukhovni*
+
+### Changes between 3.3.0 and 3.3.1 [4 Jun 2024]
 
  * Fixed potential use after free after SSL_free_buffers() is called.
 
@@ -20832,6 +20846,7 @@ ndif
 
 <!-- Links -->
 
+[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
diff --git a/NEWS.md b/NEWS.md
index d8ed71dbe5..7130364678 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -88,7 +88,14 @@ This release adds the following new features:
 OpenSSL 3.3
 -----------
 
-### Major changes between OpenSSL 3.3.0 and OpenSSL 3.3.1 [under development]
+### Major changes between OpenSSL 3.3.1 and OpenSSL 3.3.2 [under development]
+
+OpenSSL 3.3.2 is a security patch release. The most severe CVE fixed in this
+release is Moderate.
+
+  * Fixed possible denial of service in X.509 name checks [(CVE-2024-6119)].
+
+### Major changes between OpenSSL 3.3.0 and OpenSSL 3.3.1 [4 Jun 2024]
 
 OpenSSL 3.3.1 is a security patch release. The most severe CVE fixed in this
 release is Low.
@@ -1796,6 +1803,7 @@ OpenSSL 0.9.x
 
 <!-- Links -->
 
+[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
author	Viktor Dukhovni <viktor@openssl.org>	2024-07-10 11:50:57 +0200
committer	Tomas Mraz <tomas@openssl.org>	2024-09-03 21:04:03 +0200
commit	ca979e854b2ac847c3abdf10a6c61b569611b6ae (patch)
tree	eaa3704f4bbc5a0ca4838b98642fa7764a656d0f
parent	Avoid type errors in EAI-related name check logic. (diff)
download	openssl-ca979e854b2ac847c3abdf10a6c61b569611b6ae.tar.xz openssl-ca979e854b2ac847c3abdf10a6c61b569611b6ae.zip