From 3f636830e4dcfe9b6ab57bef42c0b3a1de194399 Mon Sep 17 00:00:00 2001 From: Pauli Date: Fri, 6 Oct 2023 10:43:46 +1100 Subject: [PATCH] changes and news entries for CVE-2023-5363 Reviewed-by: Hugo Landau Reviewed-by: Matt Caswell --- CHANGES.md | 7 ++++++- NEWS.md | 4 +++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index edb2ce987df..6b1176b927b 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -24,7 +24,11 @@ OpenSSL 3.1 ### Changes between 3.1.3 and 3.1.4 [xx XXX xxxx] - * none yet + * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(), + EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters + that alter the key or IV length ([CVE-2023-5363]). + + *Paul Dale* ### Changes between 3.1.2 and 3.1.3 [19 Sep 2023] @@ -19860,6 +19864,7 @@ ndif +[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363 [CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446 diff --git a/NEWS.md b/NEWS.md index 0e14aa88ea9..d1c7bca5d04 100644 --- a/NEWS.md +++ b/NEWS.md @@ -21,7 +21,8 @@ OpenSSL 3.1 ### Major changes between OpenSSL 3.1.3 and OpenSSL 3.1.4 [under development] - * none + * Mitigate incorrect resize handling for symmetric cipher keys and IVs. + ([CVE-2023-5363]) ### Major changes between OpenSSL 3.1.2 and OpenSSL 3.1.3 [19 Sep 2023] @@ -1473,6 +1474,7 @@ OpenSSL 0.9.x +[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363 [CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446 -- 2.47.2