Update CHANGES and NEWS

[thirdparty/openssl.git] / CHANGES

diff --git a/CHANGES b/CHANGES
index ed2f0ecff30fe06088ad995b797f04b440e41462..fb36e9eff845927cc71d4c48ff2d1e659fe06b8c 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,17 @@
 
  Changes between 0.9.8zg and 0.9.8zh [xx XXX xxxx]
 
-  *)
+  *) X509_ATTRIBUTE memory leak
+
+     When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
+     memory. This structure is used by the PKCS#7 and CMS routines so any
+     application which reads PKCS#7 or CMS data from untrusted sources is
+     affected. SSL/TLS is not affected.
+
+     This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
+     libFuzzer.
+     (CVE-2015-3195)
+     [Stephen Henson]
 
  Changes between 0.9.8zf and 0.9.8zg [11 Jun 2015]