diff options
Diffstat (limited to 'CHANGES.md')
| -rw-r--r-- | CHANGES.md | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md index 19e0fd6e25a5..e41181b5bbb0 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -28,6 +28,30 @@ breaking changes, and mappings for the large list of deprecated functions. [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod +### Changes between 3.0.14 and 3.0.15 [3 Sep 2024] + + * Fixed possible denial of service in X.509 name checks. + + Applications performing certificate name checks (e.g., TLS clients checking + server certificates) may attempt to read an invalid memory address when + comparing the expected name with an `otherName` subject alternative name of + an X.509 certificate. This may result in an exception that terminates the + application program. + + ([CVE-2024-6119]) + + *Viktor Dukhovni* + + * Fixed possible buffer overread in SSL_select_next_proto(). + + Calling the OpenSSL API function SSL_select_next_proto with an empty + supported client protocols buffer may cause a crash or memory contents + to be sent to the peer. + + ([CVE-2024-5535]) + + *Matt Caswell* + ### Changes between 3.0.13 and 3.0.14 [4 Jun 2024] * Fixed potential use after free after SSL_free_buffers() is called. @@ -70,6 +94,14 @@ breaking changes, and mappings for the large list of deprecated functions. *Tomáš Mráz* + * Improved EC/DSA nonce generation routines to avoid bias and timing + side channel leaks. + + Thanks to Florian Sieck from Universität zu Lübeck and George Pantelakis + and Hubert Kario from Red Hat for reporting the issues. + + *Tomáš Mráz and Paul Dale* + * Fixed an issue where some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions. An attacker may exploit certain server configurations to trigger unbounded memory growth that @@ -19890,6 +19922,8 @@ ndif <!-- Links --> +[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119 +[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511 |