From: Eugene Syromiatnikov Date: Mon, 15 Sep 2025 23:40:35 +0000 (+0200) Subject: CHANGES.md, NEWS.md: sync 3.5 changes/news with 3.5.3 X-Git-Tag: openssl-3.6.0~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8d509b0326e146d8f44899e78c0cfeff732080f9;p=thirdparty%2Fopenssl.git CHANGES.md, NEWS.md: sync 3.5 changes/news with 3.5.3 There were minor discrepancies in 3.5 NEWS which are now corrected. Signed-off-by: Eugene Syromiatnikov Reviewed-by: Neil Horman Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/28586) --- diff --git a/CHANGES.md b/CHANGES.md index 677c6095a3a..b63dc48a927 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -276,6 +276,56 @@ OpenSSL 3.6 OpenSSL 3.5 ----------- +### Changes between 3.5.2 and 3.5.3 [16 Sep 2025] + + * Avoided a potential race condition introduced in 3.5.1, where + `OSSL_STORE_CTX` kept open during lookup while potentially being used + by multiple threads simultaneously, that could lead to potential crashes + when multiple concurrent TLS connections are served. + + *Matt Caswell* + + * The FIPS provider no longer performs a PCT on key import for RSA, DH, + and EC keys (that was introduced in 3.5.2), following the latest update + on that requirement in FIPS 140-3 IG 10.3.A additional comment 1. + + *Dr Paul Dale* + + * Secure memory allocation calls are no longer used for HMAC keys. + + *Dr Paul Dale* + + * `openssl req` no longer generates certificates with an empty extension list + when SKID/AKID are set to `none` during generation. + + *David Benjamin* + + * The man page date is now derived from the release date provided + in `VERSION.dat` and not the current date for the released builds. + + *Enji Cooper* + + * Hardened the provider implementation of the RSA public key "encrypt" + operation to add a missing check that the caller-indicated output buffer + size is at least as large as the byte count of the RSA modulus. The issue + was reported by Arash Ale Ebrahim from SYSPWN. + + This operation is typically invoked via `EVP_PKEY_encrypt(3)`. Callers that + in fact provide a sufficiently large buffer, but fail to correctly indicate + its size may now encounter unexpected errors. In applications that attempt + RSA public encryption into a buffer that is too small, an out-of-bounds + write is now avoided and an error is reported instead. + + *Viktor Dukhovni* + + * Added FIPS 140-3 PCT on DH key generation. + + *Nikola Pajkovsky* + + * Fixed the synthesised `OPENSSL_VERSION_NUMBER`. + + *Richard Levitte* + ### Changes between 3.5.1 and 3.5.2 [5 Aug 2025] * The FIPS provider now performs a PCT on key import for RSA, EC and ECX. diff --git a/NEWS.md b/NEWS.md index 8950da4dd6b..d3c4fd686df 100644 --- a/NEWS.md +++ b/NEWS.md @@ -58,12 +58,19 @@ changes: OpenSSL 3.5 ----------- -### Changes between 3.5.1 and 3.5.2 [5 Aug 2025] +### Major changes between OpenSSL 3.5.2 and OpenSSL 3.5.3 [16 Sep 2025] - * The FIPS provider now performs a PCT on key import for RSA, EC and ECX. - This is mandated by FIPS 140-3 IG 10.3.A additional comment 1. + * Added FIPS 140-3 PCT on DH key generation. - *Dr Paul Dale* + *Nikola Pajkovsky* + + * Fixed the synthesised `OPENSSL_VERSION_NUMBER`. + + *Richard Levitte* + +### Major changes between OpenSSL 3.5.1 and OpenSSL 3.5.2 [5 Aug 2025] + + * none ### Major changes between OpenSSL 3.5.0 and OpenSSL 3.5.1 [1 Jul 2025]