]> git.ipfire.org Git - thirdparty/openssl.git/commitdiff
projects / thirdparty / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0df4063)
changes and news entries for CVE-2023-5363
authorPauli <pauli@openssl.org>
Thu, 5 Oct 2023 23:43:46 +0000 (10:43 +1100)
committerMatt Caswell <matt@openssl.org>
Tue, 24 Oct 2023 13:35:55 +0000 (14:35 +0100)
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 3f636830e4dcfe9b6ab57bef42c0b3a1de194399)

CHANGES.md patch | blob | blame | history
NEWS.md patch | blob | blame | history

diff --git a/CHANGES.md b/CHANGES.md
index 61efa01bb6f8517c859be7c62b5157fc6ea9c74a..6d0f495dcc5eb2730ddefe6177e2371e2e48c005 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -30,7 +30,11 @@ breaking changes, and mappings for the large list of deprecated functions.
 
 ### Changes between 3.0.11 and 3.0.12 [xx XXX xxxx]
 
- * none yet
+ * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(),
+   EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters
+   that alter the key or IV length ([CVE-2023-5363]).
+
+   *Paul Dale*
 
 ### Changes between 3.0.10 and 3.0.11 [19 Sep 2023]
 
@@ -19736,6 +19740,7 @@ ndif
 
 <!-- Links -->
 
+[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
 [CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
diff --git a/NEWS.md b/NEWS.md
index 72f78d581e12149e7cddb1832a7c50a113c5aa20..b4e57b7fd8f3c733d0fb7dd5f3eae5bee289a313 100644 (file)
--- a/NEWS.md
+++ b/NEWS.md
@@ -20,7 +20,8 @@ OpenSSL 3.0
 
 ### Major changes between OpenSSL 3.0.11 and OpenSSL 3.0.12 [under development]
 
-  * none
+  * Mitigate incorrect resize handling for symmetric cipher keys and IVs.
+    ([CVE-2023-5363])
 
 ### Major changes between OpenSSL 3.0.10 and OpenSSL 3.0.11 [19 Sep 2023]
 
@@ -1457,6 +1458,7 @@ OpenSSL 0.9.x
 
 <!-- Links -->
 
+[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
 [CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
Mirror of https://github.com/openssl/openssl.git