CHANGES.md, NEWS.md: sync 3.5 changes/news with 3.5.3

There were minor discrepancies in 3.5 NEWS which are now corrected.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28586)

diff --git a/CHANGES.md b/CHANGES.md
index 677c6095a3ae0ffdaf1a0e3884ba450e7b48b0d5..b63dc48a92750a6d533ea89d76639cc2606b8a21 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -276,6 +276,56 @@ OpenSSL 3.6
 OpenSSL 3.5
 -----------
 
+### Changes between 3.5.2 and 3.5.3 [16 Sep 2025]
+
+ * Avoided a potential race condition introduced in 3.5.1, where
+   `OSSL_STORE_CTX` kept open during lookup while potentially being used
+   by multiple threads simultaneously, that could lead to potential crashes
+   when multiple concurrent TLS connections are served.
+
+   *Matt Caswell*
+
+ * The FIPS provider no longer performs a PCT on key import for RSA, DH,
+   and EC keys (that was introduced in 3.5.2), following the latest update
+   on that requirement in FIPS 140-3 IG 10.3.A additional comment 1.
+
+   *Dr Paul Dale*
+
+ * Secure memory allocation calls are no longer used for HMAC keys.
+
+   *Dr Paul Dale*
+
+ * `openssl req` no longer generates certificates with an empty extension list
+   when SKID/AKID are set to `none` during generation.
+
+   *David Benjamin*
+
+ * The man page date is now derived from the release date provided
+   in `VERSION.dat` and not the current date for the released builds.
+
+   *Enji Cooper*
+
+ * Hardened the provider implementation of the RSA public key "encrypt"
+   operation to add a missing check that the caller-indicated output buffer
+   size is at least as large as the byte count of the RSA modulus.  The issue
+   was reported by Arash Ale Ebrahim from SYSPWN.
+
+   This operation is typically invoked via `EVP_PKEY_encrypt(3)`.  Callers that
+   in fact provide a sufficiently large buffer, but fail to correctly indicate
+   its size may now encounter unexpected errors.  In applications that attempt
+   RSA public encryption into a buffer that is too small, an out-of-bounds
+   write is now avoided and an error is reported instead.
+
+   *Viktor Dukhovni*
+
+ * Added FIPS 140-3 PCT on DH key generation.
+
+   *Nikola Pajkovsky*
+
+ * Fixed the synthesised `OPENSSL_VERSION_NUMBER`.
+
+   *Richard Levitte*
+
 ### Changes between 3.5.1 and 3.5.2 [5 Aug 2025]
 
  * The FIPS provider now performs a PCT on key import for RSA, EC and ECX.

diff --git a/NEWS.md b/NEWS.md
index 8950da4dd6b92ee3d75d6563badb568a561aac21..d3c4fd686df1f8d367738a83e102849893c84da6 100644 (file)
--- a/NEWS.md
+++ b/NEWS.md
@@ -58,12 +58,19 @@ changes:
 OpenSSL 3.5
 -----------
 
-### Changes between 3.5.1 and 3.5.2 [5 Aug 2025]
+### Major changes between OpenSSL 3.5.2 and OpenSSL 3.5.3 [16 Sep 2025]
 
- * The FIPS provider now performs a PCT on key import for RSA, EC and ECX.
-   This is mandated by FIPS 140-3 IG 10.3.A additional comment 1.
+  * Added FIPS 140-3 PCT on DH key generation.
 
-   *Dr Paul Dale*
+    *Nikola Pajkovsky*
+
+  * Fixed the synthesised `OPENSSL_VERSION_NUMBER`.
+
+    *Richard Levitte*
+
+### Major changes between OpenSSL 3.5.1 and OpenSSL 3.5.2 [5 Aug 2025]
+
+  * none
 
 ### Major changes between OpenSSL 3.5.0 and OpenSSL 3.5.1 [1 Jul 2025]