Update CHANGES/NEWS for new release

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

diff --git a/CHANGES.md b/CHANGES.md
index eb6174966fe3d03fcea380caa010b14f7f35640f..a343db2d50b52ccd3267d89d2f4241b769fcc050 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -114,7 +114,43 @@ breaking changes, and mappings for the large list of deprecated functions.
 
 [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
 
-### Changes between 3.0.1 and 3.0.2 [xx XXX xxxx]
+### Changes between 3.0.1 and 3.0.2 [15 mar 2022]
+
+ * Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
+   for non-prime moduli.
+
+   Internally this function is used when parsing certificates that contain
+   elliptic curve public keys in compressed form or explicit elliptic curve
+   parameters with a base point encoded in compressed form.
+
+   It is possible to trigger the infinite loop by crafting a certificate that
+   has invalid explicit curve parameters.
+
+   Since certificate parsing happens prior to verification of the certificate
+   signature, any process that parses an externally supplied certificate may thus
+   be subject to a denial of service attack. The infinite loop can also be
+   reached when parsing crafted private keys as they can contain explicit
+   elliptic curve parameters.
+
+   Thus vulnerable situations include:
+
+    - TLS clients consuming server certificates
+    - TLS servers consuming client certificates
+    - Hosting providers taking certificates or private keys from customers
+    - Certificate authorities parsing certification requests from subscribers
+    - Anything else which parses ASN.1 elliptic curve parameters
+
+   Also any other applications that use the BN_mod_sqrt() where the attacker
+   can control the parameter values are vulnerable to this DoS issue.
+   ([CVE-2022-0778])
+
+   *Tomáš Mráz*
+
+ * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
+   to the list of ciphersuites providing Perfect Forward Secrecy as
+   required by SECLEVEL >= 3.
+
+   *Dmitry Belyavskiy, Nicola Tuveri*
 
  * Made the AES constant time code for no-asm configurations
    optional due to the resulting 95% performance degradation.
@@ -123,6 +159,11 @@ breaking changes, and mappings for the large list of deprecated functions.
 
    *Paul Dale*
 
+ * Fixed PEM_write_bio_PKCS8PrivateKey() to make it possible to use empty
+   passphrase strings.
+
+   *Darshan Sen*
+
  * The negative return value handling of the certificate verification callback
    was reverted. The replacement is to set the verification retry state with
    the SSL_set_retry_verify() function.

diff --git a/NEWS.md b/NEWS.md
index 9129f1c9f49271426caa47e0fcbd61b4dff615cf..99e8c715d36a7475cd93f5629aeccedbb0d14dd7 100644 (file)
--- a/NEWS.md
+++ b/NEWS.md
@@ -29,6 +29,11 @@ OpenSSL 3.1
 OpenSSL 3.0
 -----------
 
+### Major changes between OpenSSL 3.0.1 and OpenSSL 3.0.2
+
+  * Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
+    for non-prime moduli ([CVE-2022-0778])
+
 ### Major changes between OpenSSL 3.0.0 and OpenSSL 3.0.1
 
   * Fixed invalid handling of X509_verify_cert() internal errors in libssl