Update CHANGES.md and NEWS.md for the upcoming release

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24549)

(cherry picked from commit 6152b08631568551f155f9d8219298f55aef5d94)

diff --git a/CHANGES.md b/CHANGES.md
index 2557ae113717fe5cec4b7d79cb3430f64ddacf23..49dbe585026305d795030de4ef4223d1496d67da 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -100,6 +100,29 @@ OpenSSL 3.3
 
 ### Changes between 3.3.0 and 3.3.1 [xx XXX xxxx]
 
+ * Fixed potential use after free after SSL_free_buffers() is called.
+
+   The SSL_free_buffers function is used to free the internal OpenSSL
+   buffer used when processing an incoming record from the network.
+   The call is only expected to succeed if the buffer is not currently
+   in use. However, two scenarios have been identified where the buffer
+   is freed even when still in use.
+
+   The first scenario occurs where a record header has been received
+   from the network and processed by OpenSSL, but the full record body
+   has not yet arrived. In this case calling SSL_free_buffers will succeed
+   even though a record has only been partially processed and the buffer
+   is still in use.
+
+   The second scenario occurs where a full record containing application
+   data has been received and processed by OpenSSL but the application has
+   only read part of this data. Again a call to SSL_free_buffers will
+   succeed even though the buffer is still in use.
+
+   ([CVE-2024-4741])
+
+   *Matt Caswell*
+
  * Fixed an issue where checking excessively long DSA keys or parameters may
    be very slow.
 
@@ -20702,6 +20725,8 @@ ndif
 
 <!-- Links -->
 
+[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
+[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237

diff --git a/NEWS.md b/NEWS.md
index 3196a06254184efa9fcaadef14f65ade60df12a3..bc8b40ee7353c6a1a2f6ab39f9b1176804ab5ef6 100644 (file)
--- a/NEWS.md
+++ b/NEWS.md
@@ -33,7 +33,21 @@ This release is in development.
 OpenSSL 3.3
 -----------
 
-### Major changes between OpenSSL 3.2 and OpenSSL 3.3 [under development]
+### Major changes between OpenSSL 3.3.0 and OpenSSL 3.3.1 [under development]
+
+OpenSSL 3.3.1 is a security patch release. The most severe CVE fixed in this
+release is Low.
+
+This release incorporates the following bug fixes and mitigations:
+
+  * Fixed potential use after free after SSL_free_buffers() is called
+    ([CVE-2024-4741])
+
+  * Fixed an issue where checking excessively long DSA keys or parameters may
+    be very slow
+    ([CVE-2024-4603])
+
+### Major changes between OpenSSL 3.2 and OpenSSL 3.3.0 [9 Apr 2024]
 
 OpenSSL 3.3.0 is a feature release adding significant new functionality to
 OpenSSL.
@@ -171,8 +185,10 @@ This release incorporates the following bug fixes and mitigations:
 
   * Fixed PKCS12 Decoding crashes
     ([CVE-2024-0727])
+
   * Fixed excessive time spent checking invalid RSA public keys
     ([CVE-2023-6237])
+
   * Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC
     CPUs which support PowerISA 2.07
     ([CVE-2023-6129])
@@ -1725,6 +1741,8 @@ OpenSSL 0.9.x
 
 <!-- Links -->
 
+[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
+[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237