From: Viktor Dukhovni <viktor@openssl.org>
Date: Wed, 10 Jul 2024 09:50:57 +0000 (+1000)
Subject: Updated CHANGES and NEWS for CVE-2024-6119 fix
X-Git-Tag: openssl-3.0.15~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c3f90ac6e28b8fa9bcb62c3f7fe621e13242cb28;p=thirdparty%2Fopenssl.git

Updated CHANGES and NEWS for CVE-2024-6119 fix

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(cherry picked from commit cf384d35aa7142cc3b5de19f64d3972e77d3ff74)
---

diff --git a/CHANGES.md b/CHANGES.md
index 9fb03f12536..709a7193f24 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -30,7 +30,17 @@ breaking changes, and mappings for the large list of deprecated functions.
 
 ### Changes between 3.0.14 and 3.0.15 [xx XXX xxxx]
 
- * none yet
+ * Fixed possible denial of service in X.509 name checks.
+
+   Applications performing certificate name checks (e.g., TLS clients checking
+   server certificates) may attempt to read an invalid memory address when
+   comparing the expected name with an `otherName` subject alternative name of
+   an X.509 certificate. This may result in an exception that terminates the
+   application program.
+
+   [(CVE-2024-6119)]
+
+   *Viktor Dukhovni*
 
 ### Changes between 3.0.13 and 3.0.14 [4 Jun 2024]
 
@@ -19902,6 +19912,7 @@ ndif
 
 <!-- Links -->
 
+[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
diff --git a/NEWS.md b/NEWS.md
index 7cad7d28bdb..b139f828b67 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -20,7 +20,10 @@ OpenSSL 3.0
 
 ### Major changes between OpenSSL 3.0.14 and OpenSSL 3.0.15 [under development]
 
-  * none
+OpenSSL 3.3.2 is a security patch release. The most severe CVE fixed in this
+release is Moderate.
+
+  * Fixed possible denial of service in X.509 name checks [(CVE-2024-6119)].
 
 ### Major changes between OpenSSL 3.0.13 and OpenSSL 3.0.14 [4 Jun 2024]
 
@@ -1486,6 +1489,7 @@ OpenSSL 0.9.x
 
 <!-- Links -->
 
+[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511