From: Neil Horman Date: Tue, 1 Jul 2025 11:21:56 +0000 (-0400) Subject: CHANGES.md / NEWS.md fixups ahead of release X-Git-Tag: openssl-3.5.1~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7dbac9d4c4f511187fa0c79edd83b05c3de0977e;p=thirdparty%2Fopenssl.git CHANGES.md / NEWS.md fixups ahead of release Release: yes Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/27927) (cherry picked from commit f6c400f4ccaf6b36f5430aa3f6c94b704e335738) --- diff --git a/CHANGES.md b/CHANGES.md index d5a2165a3f3..53c442d6fa0 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -30,6 +30,18 @@ OpenSSL 3.5 ### Changes between 3.5.0 and 3.5.1 [xx XXX xxxx] + * Fix x509 application adds trusted use instead of rejected use. + + Issue summary: Use of -addreject option with the openssl x509 application adds + a trusted use instead of a rejected use for a certificate. + + Impact summary: If a user intends to make a trusted certificate rejected for + a particular use it will be instead marked as trusted for that use. + + ([CVE-2025-4575]) + + *Tomas Mraz* + * Aligned the behaviour of TLS and DTLS in the event of a no_renegotiation alert being received. Older versions of OpenSSL failed with DTLS if a no_renegotiation alert was received. All versions of OpenSSL do this for TLS. @@ -21215,6 +21227,7 @@ ndif +[CVE-2025-4575]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-4575 [CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176 [CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119 diff --git a/NEWS.md b/NEWS.md index e8484daf741..ce2309de1df 100644 --- a/NEWS.md +++ b/NEWS.md 
@@ -25,7 +25,13 @@ OpenSSL 3.5 ### Major changes between OpenSSL 3.5.0 and OpenSSL 3.5.1 [under development] - * none +OpenSSL 3.5.1 is a security patch release. The most severe CVE fixed in this +release is Low. + +This release incorporates the following bug fixes and mitigations: + + * Fix x509 application adds trusted use instead of rejected use. + ([CVE-2025-4575]) ### Major changes between OpenSSL 3.4 and OpenSSL 3.5.0 [8 Apr 2025] @@ -1893,7 +1899,7 @@ OpenSSL 0.9.x * Support for various new platforms - +[CVE-2025-4575]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-4575 [CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176 [CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
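Review bot: In the CHANGES.md hunk at `@@ -30,6 +30,18 @@`, the new CVE-2025-4575 entry gives an issue summary and an impact summary but no severity, while the NEWS.md text added in this same patch says the most severe CVE in the release is Low. Stating the severity in the entry would let someone reading CHANGES.md alone triage it. The title line "Fix x509 application adds trusted use instead of rejected use." also runs two clauses together; "Fix the x509 application adding a trusted use instead of a rejected use" would read more clearly. The section header in the hunk context still carries the `[xx XXX xxxx]` date placeholder, which will need the real date before the release is tagged.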
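Review bot: In the NEWS.md hunk at `@@ -25,7 +25,13 @@`, the section header in the context still reads `[under development]` while the added text says "OpenSSL 3.5.1 is a security patch release" in the present tense, so the section contradicts itself until the header is updated. Either replace the header status with the release date in this commit or confirm that the release step rewrites it. The bullet reuses the same run-together title as CHANGES.md ("Fix x509 application adds trusted use instead of rejected use."), so any rewording there should be mirrored here.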
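Review bot: In the NEWS.md hunk at `@@ -1893,7 +1899,7 @@`, the `[CVE-2025-4575]` link definition replaces an empty line (the `-` line has nothing after it) instead of being added below it, whereas the matching CHANGES.md hunk at `@@ -21215,6 +21227,7 @@` is a pure one-line addition. That drops the blank separator in front of the link reference block in NEWS.md only. Keeping the blank line and adding the definition beneath it would keep both files consistent and avoid the first definition being attached to whatever line precedes it when the Markdown is rendered.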