Updated CHANGES and NEWS for CVE-2023-0465

Also updated the entries for CVE-2023-0464

Related-to: CVE-2023-0465
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20588)

diff --git a/CHANGES b/CHANGES
index 17caf6775bfed67b33d1fe491e2178e723363292..efccf7838e6569a69ee4d38245df13a3c7fcdad8 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -9,12 +9,19 @@
 
  Changes between 1.1.1t and 1.1.1u [xx XXX xxxx]
 
+  *) Fixed an issue where invalid certificate policies in leaf certificates are
+     silently ignored by OpenSSL and other certificate policy checks are skipped
+     for that certificate. A malicious CA could use this to deliberately assert
+     invalid certificate policies in order to circumvent policy checking on the
+     certificate altogether. (CVE-2023-0465)
+     [Matt Caswell]
+
   *) Limited the number of nodes created in a policy tree to mitigate
      against CVE-2023-0464.  The default limit is set to 1000 nodes, which
      should be sufficient for most installations.  If required, the limit
      can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
      time define to a desired maximum number of nodes or zero to allow
-     unlimited growth.
+     unlimited growth. (CVE-2023-0464)
      [Paul Dale]
 
  Changes between 1.1.1s and 1.1.1t [7 Feb 2023]

diff --git a/NEWS b/NEWS
index 8a18516d8609c33e863ec497acc72bda0ac58053..36a9bb6890bfd24a5a0df1fc464134001c5af840 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,9 @@
 
   Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [under development]
 
-      o
+      o Fixed handling of invalid certificate policies in leaf certificates
+        (CVE-2023-0465)
+      o Limited the number of nodes created in a policy tree ([CVE-2023-0464])
 
   Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]