From: Tomas Mraz <tomas@openssl.org>
Date: Tue, 3 Sep 2024 10:24:58 +0000 (+0200)
Subject: Add CVE-2024-5535 to CHANGES and NEWS
X-Git-Tag: openssl-3.0.15~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2d25b80dad9dce7c7819a0af169ba3530f132130;p=thirdparty%2Fopenssl.git

Add CVE-2024-5535 to CHANGES and NEWS

Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
(cherry picked from commit 0c3d66a46eda9353f80e1846642b9090a8eac999)
---

diff --git a/CHANGES.md b/CHANGES.md
index 709a7193f24..86efb6f3fa7 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -38,10 +38,20 @@ breaking changes, and mappings for the large list of deprecated functions.
    an X.509 certificate. This may result in an exception that terminates the
    application program.
 
-   [(CVE-2024-6119)]
+   ([CVE-2024-6119])
 
    *Viktor Dukhovni*
 
+ * Fixed possible buffer overread in SSL_select_next_proto().
+
+   Calling the OpenSSL API function SSL_select_next_proto with an empty
+   supported client protocols buffer may cause a crash or memory contents
+   to be sent to the peer.
+
+   ([CVE-2024-5535])
+
+   *Matt Caswell*
+
 ### Changes between 3.0.13 and 3.0.14 [4 Jun 2024]
 
  * Fixed potential use after free after SSL_free_buffers() is called.
@@ -19913,6 +19923,7 @@ ndif
 <!-- Links -->
 
 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
+[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
diff --git a/NEWS.md b/NEWS.md
index b139f828b67..e10b6f22a4d 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -20,10 +20,16 @@ OpenSSL 3.0
 
 ### Major changes between OpenSSL 3.0.14 and OpenSSL 3.0.15 [under development]
 
-OpenSSL 3.3.2 is a security patch release. The most severe CVE fixed in this
+OpenSSL 3.0.15 is a security patch release. The most severe CVE fixed in this
 release is Moderate.
 
-  * Fixed possible denial of service in X.509 name checks [(CVE-2024-6119)].
+This release incorporates the following bug fixes and mitigations:
+
+  * Fixed possible denial of service in X.509 name checks
+    ([CVE-2024-6119])
+
+  * Fixed possible buffer overread in SSL_select_next_proto()
+    ([CVE-2024-5535])
 
 ### Major changes between OpenSSL 3.0.13 and OpenSSL 3.0.14 [4 Jun 2024]
 
@@ -1490,6 +1496,7 @@ OpenSSL 0.9.x
 <!-- Links -->
 
 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
+[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511