From: Pauli Date: Wed, 15 Mar 2023 03:29:22 +0000 (+1100) Subject: changes: note about policy tree size limits and circumvention X-Git-Tag: OpenSSL_1_1_1u~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fa425f20955c7948faed27f69ae4544f89c108ea;p=thirdparty%2Fopenssl.git changes: note about policy tree size limits and circumvention Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/20569) --- diff --git a/CHANGES b/CHANGES index f18b08cb0ee..17caf6775bf 100644 --- a/CHANGES +++ b/CHANGES @@ -9,7 +9,13 @@ Changes between 1.1.1t and 1.1.1u [xx XXX xxxx] - *) + *) Limited the number of nodes created in a policy tree to mitigate + against CVE-2023-0464. The default limit is set to 1000 nodes, which + should be sufficient for most installations. If required, the limit + can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build + time define to a desired maximum number of nodes or zero to allow + unlimited growth. + [Paul Dale] Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
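Review bot: In the added CHANGES entry under "Changes between 1.1.1t and 1.1.1u", the phrase "or zero to allow unlimited growth" does not say that this removes the node limit which the same entry names as the mitigation for CVE-2023-0464. Suggest adding a sentence stating that a build with OPENSSL_POLICY_TREE_NODES_MAX set to zero is no longer covered by the mitigation. The entry also does not say what happens when the 1000-node limit is reached (for example, whether verification fails), which anyone deciding whether to raise the limit needs to know. Style point: "to mitigate against CVE-2023-0464" reads better as "to mitigate CVE-2023-0464".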