From: Pauli <pauli@openssl.org>
Date: Wed, 15 Mar 2023 07:43:11 +0000 (+1100)
Subject: changes: note about policy tree size limits and circumvention
X-Git-Tag: openssl-3.2.0-alpha1~1112
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=83ff6cbd9a02ed713bf66f960ab9aea5fced49a3;p=thirdparty%2Fopenssl.git

changes: note about policy tree size limits and circumvention

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20571)
---

diff --git a/CHANGES.md b/CHANGES.md
index 860f91d5f8d..ed677aa8151 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -240,7 +240,18 @@ OpenSSL 3.2
 OpenSSL 3.1
 -----------
 
-### Changes between 3.0 and 3.1.0 [xx XXX xxxx]
+### Changes between 3.1.0 and 3.1.1 [xx XXX xxxx]
+
+ * Limited the number of nodes created in a policy tree to mitigate
+   against CVE-2023-0464.  The default limit is set to 1000 nodes, which
+   should be sufficient for most installations.  If required, the limit
+   can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
+   time define to a desired maximum number of nodes or zero to allow
+   unlimited growth.
+
+   *Paul Dale*
+
+### Changes between 3.0 and 3.1.0 [14 Mar 2023]
 
  * Add FIPS provider configuration option to enforce the
    Extended Master Secret (EMS) check during the TLS1_PRF KDF.