### Changes between 3.3.2 and 3.3.3 [xx XXX xxxx]
- * none yet
+ * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
+ curve parameters.
+
+ Use of the low-level GF(2^m) elliptic curve APIs with untrusted
+ explicit values for the field polynomial can lead to out-of-bounds memory
+ reads or writes.
+ Applications working with "exotic" explicit binary (GF(2^m)) curve
+ parameters, that make it possible to represent invalid field polynomials
+ with a zero constant term, via the above or similar APIs, may terminate
+ abruptly as a result of reading or writing outside of array bounds. Remote
+ code execution cannot easily be ruled out.
+
+ ([CVE-2024-9143])
+
+ *Viktor Dukhovni*
### Changes between 3.3.1 and 3.3.2 [3 Sep 2024]
<!-- Links -->
+[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
### Major changes between OpenSSL 3.3.2 and OpenSSL 3.3.3 [under development]
- * none
+OpenSSL 3.3.3 is a security patch release. The most severe CVE fixed in this
+release is Low.
+
+This release incorporates the following bug fixes and mitigations:
+
+ * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
+ curve parameters.
+ ([CVE-2024-9143])
### Major changes between OpenSSL 3.3.1 and OpenSSL 3.3.2 [3 Sep 2024]
<!-- Links -->
+[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
projects / thirdparty / openssl.git / commitdiff
