From 78ba51a3b8b505d8d03abca8fa95e4fb1464d94e Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Tue, 5 Jul 2022 10:25:00 +0200 Subject: [PATCH] Update CHANGES and NEWS for upcoming release 1.1.1q Reviewed-by: Paul Dale Release: yes --- CHANGES | 11 ++++++++++- NEWS | 3 ++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index b72c71d26b4..62a555762dd 100644 --- a/CHANGES +++ b/CHANGES @@ -9,7 +9,16 @@ Changes between 1.1.1p and 1.1.1q [xx XXX xxxx] - *) + *) AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised + implementation would not encrypt the entirety of the data under some + circumstances. This could reveal sixteen bytes of data that was + preexisting in the memory that wasn't written. In the special case of + "in place" encryption, sixteen bytes of the plaintext would be revealed. + + Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, + they are both unaffected. + (CVE-2022-2097) + [Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño] Changes between 1.1.1o and 1.1.1p [21 Jun 2022] diff --git a/NEWS b/NEWS index d0c810f52f6..892793313fb 100644 --- a/NEWS +++ b/NEWS @@ -7,7 +7,8 @@ Major changes between OpenSSL 1.1.1p and OpenSSL 1.1.1q [under development] - o + o Fixed AES OCB failure to encrypt some bytes on 32-bit x86 platforms + (CVE-2022-2097) Major changes between OpenSSL 1.1.1o and OpenSSL 1.1.1p [21 Jun 2022] -- 2.47.2