CHANGES.md / NEWS.md fixups ahead of release

Release: yes

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27927)

diff --git a/CHANGES.md b/CHANGES.md
index 441a143a885b4146aa710d2d03cf63feb0b1698d..44503782db63a04c740ec0927cc38b5e8f81ce5b 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -112,6 +112,18 @@ OpenSSL 3.5
 
 ### Changes between 3.5.0 and 3.5.1 [xx XXX xxxx]
 
+ * Fix x509 application adds trusted use instead of rejected use.
+
+   Issue summary: Use of -addreject option with the openssl x509 application adds
+   a trusted use instead of a rejected use for a certificate.
+
+   Impact summary: If a user intends to make a trusted certificate rejected for
+   a particular use it will be instead marked as trusted for that use.
+
+   ([CVE-2025-4575])
+
+   *Tomas Mraz*
+
  * Aligned the behaviour of TLS and DTLS in the event of a no_renegotiation
    alert being received. Older versions of OpenSSL failed with DTLS if a
    no_renegotiation alert was received. All versions of OpenSSL do this for TLS.
@@ -21297,6 +21309,7 @@ ndif
 
 <!-- Links -->
 
+[CVE-2025-4575]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-4575
 [CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
 [CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119

diff --git a/NEWS.md b/NEWS.md
index 78b872efbd46c6baffe15f13c22d1679262387a3..38bd72899945476279c0e38a732bfcebb014b1df 100644 (file)
--- a/NEWS.md
+++ b/NEWS.md
@@ -36,6 +36,16 @@ changes:
   * Added an `openssl configutl` utility for processing the openssl
     configuration file and dumping the equal configuration file.
 
+### Major changes between OpenSSL 3.5.0 and OpenSSL 3.5.1 [under development]
+
+OpenSSL 3.5.1 is a security patch release. The most severe CVE fixed in this
+release is Low.
+
+This release incorporates the following bug fixes and mitigations:
+
+  * Fix x509 application adds trusted use instead of rejected use.
+   ([CVE-2025-4575])
+
 ### Major changes between OpenSSL 3.4 and OpenSSL 3.5 [under development]
 
 OpenSSL 3.5.0 is a feature release adding significant new functionality to
@@ -1902,7 +1912,7 @@ OpenSSL 0.9.x
   * Support for various new platforms
 
 <!-- Links -->
-
+[CVE-2025-4575]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-4575
 [CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
 [CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119