From: Pauli Date: Thu, 5 Oct 2023 23:43:46 +0000 (+1100) Subject: changes and news entries for CVE-2023-5363 X-Git-Tag: openssl-3.1.4~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3f636830e4dcfe9b6ab57bef42c0b3a1de194399;p=thirdparty%2Fopenssl.git changes and news entries for CVE-2023-5363 Reviewed-by: Hugo Landau Reviewed-by: Matt Caswell --- diff --git a/CHANGES.md b/CHANGES.md index edb2ce987df..6b1176b927b 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -24,7 +24,11 @@ OpenSSL 3.1 ### Changes between 3.1.3 and 3.1.4 [xx XXX xxxx] - * none yet + * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(), + EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters + that alter the key or IV length ([CVE-2023-5363]). + + *Paul Dale* ### Changes between 3.1.2 and 3.1.3 [19 Sep 2023] @@ -19860,6 +19864,7 @@ ndif +[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363 [CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446 diff --git a/NEWS.md b/NEWS.md index 0e14aa88ea9..d1c7bca5d04 100644 --- a/NEWS.md +++ b/NEWS.md @@ -21,7 +21,8 @@ OpenSSL 3.1 ### Major changes between OpenSSL 3.1.3 and OpenSSL 3.1.4 [under development] - * none + * Mitigate incorrect resize handling for symmetric cipher keys and IVs. + ([CVE-2023-5363]) ### Major changes between OpenSSL 3.1.2 and OpenSSL 3.1.3 [19 Sep 2023] @@ -1473,6 +1474,7 @@ OpenSSL 0.9.x +[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363 [CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446