changes: note about policy tree size limits and circumvention

author Pauli <pauli@openssl.org>

Wed, 15 Mar 2023 07:43:11 +0000 (18:43 +1100)

committer Pauli <pauli@openssl.org>

Wed, 22 Mar 2023 00:25:50 +0000 (11:25 +1100)
author Pauli <pauli@openssl.org>
Wed, 15 Mar 2023 07:43:11 +0000 (18:43 +1100)
committer Pauli <pauli@openssl.org>
Wed, 22 Mar 2023 00:25:50 +0000 (11:25 +1100)
diff --git a/CHANGES.md b/CHANGES.md

index 860f91d5f8ddb3d746cee0a8c2fdb194489cdb68..ed677aa8151191abdfc248c474cbd8f4880ac280 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -240,7 +240,18 @@ OpenSSL 3.2
  OpenSSL 3.1
  -----------
  
-### Changes between 3.0 and 3.1.0 [xx XXX xxxx]
+### Changes between 3.1.0 and 3.1.1 [xx XXX xxxx]
+
+ * Limited the number of nodes created in a policy tree to mitigate
+   against CVE-2023-0464.  The default limit is set to 1000 nodes, which
+   should be sufficient for most installations.  If required, the limit
+   can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
+   time define to a desired maximum number of nodes or zero to allow
+   unlimited growth.
+
+   *Paul Dale*
+
+### Changes between 3.0 and 3.1.0 [14 Mar 2023]
  
   * Add FIPS provider configuration option to enforce the
     Extended Master Secret (EMS) check during the TLS1_PRF KDF.
author	Pauli <pauli@openssl.org>
	Wed, 15 Mar 2023 07:43:11 +0000 (18:43 +1100)
committer	Pauli <pauli@openssl.org>
	Wed, 22 Mar 2023 00:25:50 +0000 (11:25 +1100)