git.ipfire.org Git - thirdparty/openssl.git/commitdiff
Update CHANGES.md and NEWS.md for the upcoming release
author Tomas Mraz <tomas@openssl.org>
Mon, 3 Jun 2024 14:52:29 +0000 (16:52 +0200)
committer Tomas Mraz <tomas@openssl.org>
Tue, 4 Jun 2024 12:39:45 +0000 (14:39 +0200)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24550)

(cherry picked from commit 3fa9df5f1d0f12d1d488aaa0fc46bb533d3870f0)

CHANGES.md
NEWS.md

diff --git a/CHANGES.md b/CHANGES.md
index 16913a049b2df7e2d93c89ac3d03b1d96852da53..b8590cd173d51c51048a9c8c251c7c2155e74bcf 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -30,6 +30,29 @@ breaking changes, and mappings for the large list of deprecated functions.
 
 ### Changes between 3.0.13 and 3.0.14 [xx XXX xxxx]
 
+ * Fixed potential use after free after SSL_free_buffers() is called.
+
+   The SSL_free_buffers function is used to free the internal OpenSSL
+   buffer used when processing an incoming record from the network.
+   The call is only expected to succeed if the buffer is not currently
+   in use. However, two scenarios have been identified where the buffer
+   is freed even when still in use.
+
+   The first scenario occurs where a record header has been received
+   from the network and processed by OpenSSL, but the full record body
+   has not yet arrived. In this case calling SSL_free_buffers will succeed
+   even though a record has only been partially processed and the buffer
+   is still in use.
+
+   The second scenario occurs where a full record containing application
+   data has been received and processed by OpenSSL but the application has
+   only read part of this data. Again a call to SSL_free_buffers will
+   succeed even though the buffer is still in use.
+
+   ([CVE-2024-4741])
+
+   *Matt Caswell*
+
  * Fixed an issue where checking excessively long DSA keys or parameters may
    be very slow.
 
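Review bot: the new entry explains when the buffer was wrongly freed (a record header received but the body not yet arrived; a full application-data record only partially read) but never states what the fix changes, so a reader cannot tell whether SSL_free_buffers() now fails in those two cases and whether callers should start checking its return value; suggest a closing sentence on the post-fix behaviour. Also the function name is written inconsistently within the entry: "SSL_free_buffers()" on the first line, then "The SSL_free_buffers function" and "calling SSL_free_buffers will succeed" below; use the parenthesised form throughout, matching the NEWS.md wording in this same commit.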
@@ -19867,6 +19890,8 @@ ndif
 
 <!-- Links -->
 
+[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
+[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
diff --git a/NEWS.md b/NEWS.md
index a06d9694c14a57001864dfd5f4929a04b0a83948..7816e84f56be5426a2c140f7be5d81a5dbb81585 100644 (file)
--- a/NEWS.md
+++ b/NEWS.md
@@ -20,6 +20,13 @@ OpenSSL 3.0
 
 ### Major changes between OpenSSL 3.0.13 and OpenSSL 3.0.14 [under development]
 
+  * Fixed potential use after free after SSL_free_buffers() is called
+    ([CVE-2024-4741])
+
+  * Fixed an issue where checking excessively long DSA keys or parameters may
+    be very slow
+    ([CVE-2024-4603])
+
   * Fixed unbounded memory growth with session handling in TLSv1.3
     ([CVE-2024-2511])
 
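Review bot: the 3.0.14 heading here still reads "[under development]" while the CHANGES.md heading for the same release reads "[xx XXX xxxx]"; both placeholders need replacing in the release commit, so it is worth tracking them together. Minor: since NEWS.md is the summary most readers see, the added line "* Fixed potential use after free after SSL_free_buffers() is called" could say that only applications which call SSL_free_buffers() are exposed, which is what the CHANGES.md text implies.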
@@ -1475,6 +1482,8 @@ OpenSSL 0.9.x
 
 <!-- Links -->
 
+[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
+[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237