From 8e91919bcffa5ac1dee01f4dbd8240ed99d483ca Mon Sep 17 00:00:00 2001
From: Eugene Syromiatnikov <esyr@openssl.org>
Date: Tue, 30 Sep 2025 11:51:10 +0200
Subject: [PATCH] CHANGES.md: update for 3.3.5

3.3.5 CHANGES.md includes the following:
 * https://github.com/openssl/openssl/pull/28198
 * https://github.com/openssl/openssl/pull/28398
 * https://github.com/openssl/openssl/pull/28411
 * https://github.com/openssl/openssl/pull/28449

Release: Yes
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
---
 CHANGES.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/CHANGES.md b/CHANGES.md
index 631d5b3809f..2f051ea52cc 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -75,6 +75,27 @@ OpenSSL 3.3
 
    *Stanislav Fort*
 
+ * Avoided a potential race condition introduced in 3.3.4, where
+   `OSSL_STORE_CTX` kept open during lookup while potentially being used
+   by multiple threads simultaneously, that could lead to potential crashes
+   when multiple concurrent TLS connections are served.
+
+   *Matt Caswell*
+
+ * Secure memory allocation calls are no longer used for HMAC keys.
+
+   *Dr Paul Dale*
+
+ * `openssl req` no longer generates certificates with an empty extension list
+   when SKID/AKID are set to `none` during generation.
+
+   *David Benjamin*
+
+ * The man page date is now derived from the release date provided
+   in `VERSION.dat` and not the current date for the released builds.
+
+   *Enji Cooper*
+
  * Hardened the provider implementation of the RSA public key "encrypt"
    operation to add a missing check that the caller-indicated output buffer
    size is at least as large as the byte count of the RSA modulus.  The issue
-- 
2.47.3