Update CHANGES.md and NEWS.md for the upcoming release

t8m · Jun 3, 2024 · 32e00cb · 32e00cb
1 parent f7833b0
commit 32e00cb
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 1 deletion.
diff --git a/CHANGES.md b/CHANGES.md
@@ -28,6 +28,29 @@ OpenSSL 3.3
 
 ### Changes between 3.3.0 and 3.3.1 [xx XXX xxxx]
 
+ * Fixed potential use after free after SSL_free_buffers() is called.
+
+ The SSL_free_buffers function is used to free the internal OpenSSL
+ buffer used when processing an incoming record from the network.
+ The call is only expected to succeed if the buffer is not currently
+ in use. However, two scenarios have been identified where the buffer
+ is freed even when still in use.
+
+ The first scenario occurs where a record header has been received
+ from the network and processed by OpenSSL, but the full record body
+ has not yet arrived. In this case calling SSL_free_buffers will succeed
+ even though a record has only been partially processed and the buffer
+ is still in use.
+
+ The second scenario occurs where a full record containing application
+ data has been received and processed by OpenSSL but the application has
+ only read part of this data. Again a call to SSL_free_buffers will
+ succeed even though the buffer is still in use.
+
+ ([CVE-2024-4741])
+
+ *Matt Caswell*
+
  * Fixed an issue where checking excessively long DSA keys or parameters may
  be very slow.
 
@@ -20630,6 +20653,7 @@ ndif
 
 <!-- Links -->
 
+[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237

diff --git a/NEWS.md b/NEWS.md
@@ -23,7 +23,17 @@ OpenSSL 3.3
 
 ### Major changes between OpenSSL 3.3.0 and OpenSSL 3.3.1 [under development]
 
- * none
+OpenSSL 3.3.1 is a security patch release. The most severe CVE fixed in this
+release is Low.
+
+This release incorporates the following bug fixes and mitigations:
+
+ * Fixed potential use after free after SSL_free_buffers() is called
+ ([CVE-2024-4741])
+
+ * Fixed an issue where checking excessively long DSA keys or parameters may
+ be very slow
+ ([CVE-2024-4603])
 
 ### Major changes between OpenSSL 3.2 and OpenSSL 3.3.0 [9 Apr 2024]
 
@@ -163,8 +173,10 @@ This release incorporates the following bug fixes and mitigations:
 
  * Fixed PKCS12 Decoding crashes
  ([CVE-2024-0727])
+
  * Fixed excessive time spent checking invalid RSA public keys
  ([CVE-2023-6237])
+
  * Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC
  CPUs which support PowerISA 2.07
  ([CVE-2023-6129])
@@ -1717,6 +1729,8 @@ OpenSSL 0.9.x
 
 <!-- Links -->
 
+[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
+[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237