an X.509 certificate. This may result in an exception that terminates the
application program.
- [(CVE-2024-6119)]
+ ([CVE-2024-6119])
*Viktor Dukhovni*
+ * Fixed possible buffer overread in SSL_select_next_proto().
+
+ Calling the OpenSSL API function SSL_select_next_proto with an empty
+ supported client protocols buffer may cause a crash or memory contents
+ to be sent to the peer.
+
+ ([CVE-2024-5535])
+
+ *Matt Caswell*
+
### Changes between 3.3.0 and 3.3.1 [4 Jun 2024]
* Fixed potential use after free after SSL_free_buffers() is called.
<!-- Links -->
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
+[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
OpenSSL 3.3.2 is a security patch release. The most severe CVE fixed in this
release is Moderate.
- * Fixed possible denial of service in X.509 name checks [(CVE-2024-6119)].
+This release incorporates the following bug fixes and mitigations:
+
+ * Fixed possible denial of service in X.509 name checks
+ ([CVE-2024-6119])
+
+ * Fixed possible buffer overread in SSL_select_next_proto()
+ ([CVE-2024-5535])
### Major changes between OpenSSL 3.3.0 and OpenSSL 3.3.1 [4 Jun 2024]
<!-- Links -->
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
+[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
projects / thirdparty / openssl.git / commitdiff
