From: Neil Horman <nhorman@openssl.org>
Date: Tue, 11 Feb 2025 13:36:29 +0000 (-0500)
Subject: Update CHANGES and NEWS for security release
X-Git-Tag: openssl-3.4.1~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f2a1024cdc3949c5a6d2a7365d3f824aa2ad1bf8;p=thirdparty%2Fopenssl.git

Update CHANGES and NEWS for security release

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit cf9d6685fda656c07fab8527750284f4446a7372)
---

diff --git a/CHANGES.md b/CHANGES.md
index 9d1843dcf8b..854fb975bea 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -29,6 +29,17 @@ OpenSSL 3.4
 
 ### Changes between 3.4.0 and 3.4.1 [xx XXX xxxx]
 
+ * Fixed RFC7250 handshakes with unauthenticated servers don't abort as expected.
+
+   Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a
+   server may fail to notice that the server was not authenticated, because
+   handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode
+   is set.
+
+   ([CVE-2024-12797])
+
+   *Viktor Dukhovni*
+
  * Fixed timing side-channel in ECDSA signature computation.
 
    There is a timing signal of around 300 nanoseconds when the top word of
diff --git a/NEWS.md b/NEWS.md
index 6f38b397c70..bec13b8806d 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -24,10 +24,14 @@ OpenSSL 3.4
 
 ### Major changes between OpenSSL 3.4.0 and OpenSSL 3.4.1 [under development]
 
-This release is in development.
+OpenSSL 3.4.1 is a security patch release. The most severe CVE fixed in this
+release is High.
 
 This release incorporates the following bug fixes and mitigations:
 
+  * Fixed RFC7250 handshakes with unauthenticated servers don't abort as expected.
+    ([CVE-2024-12797])
+
   * Fixed timing side-channel in ECDSA signature computation.
     ([CVE-2024-13176])