diff options
| -rw-r--r-- | CHANGES.md | 17 | ||||
| -rw-r--r-- | NEWS.md | 10 |
2 files changed, 25 insertions, 2 deletions
diff --git a/CHANGES.md b/CHANGES.md index db01de1b35..da1a4ba63b 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -197,7 +197,21 @@ OpenSSL 3.4 OpenSSL 3.3 ----------- -### Changes between 3.3.0 and 3.3.1 [xx XXX xxxx] +### Changes between 3.3.1 and 3.3.2 [xx XXX xxxx] + + * Fixed possible denial of service in X.509 name checks. + + Applications performing certificate name checks (e.g., TLS clients checking + server certificates) may attempt to read an invalid memory address when + comparing the expected name with an `otherName` subject alternative name of + an X.509 certificate. This may result in an exception that terminates the + application program. + + [(CVE-2024-6119)] + + *Viktor Dukhovni* + +### Changes between 3.3.0 and 3.3.1 [4 Jun 2024] * Fixed potential use after free after SSL_free_buffers() is called. @@ -20832,6 +20846,7 @@ ndif <!-- Links --> +[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511 @@ -88,7 +88,14 @@ This release adds the following new features: OpenSSL 3.3 ----------- -### Major changes between OpenSSL 3.3.0 and OpenSSL 3.3.1 [under development] +### Major changes between OpenSSL 3.3.1 and OpenSSL 3.3.2 [under development] + +OpenSSL 3.3.2 is a security patch release. The most severe CVE fixed in this +release is Moderate. + + * Fixed possible denial of service in X.509 name checks [(CVE-2024-6119)]. + +### Major changes between OpenSSL 3.3.0 and OpenSSL 3.3.1 [4 Jun 2024] OpenSSL 3.3.1 is a security patch release. The most severe CVE fixed in this release is Low. @@ -1796,6 +1803,7 @@ OpenSSL 0.9.x <!-- Links --> +[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511 |