From 7d8a8c20e1370e43b0cad17e47a460a6f8e81a34 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Wed, 15 Jan 2025 18:29:52 +0100
Subject: [PATCH] Add CHANGES.md and NEWS.md updates for CVE-2024-13176

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26429)

(cherry picked from commit c3144e102571517df6c15ccc049fa3660ab3cb0a)
---
 CHANGES.md | 14 ++++++++++++++
 NEWS.md    |  4 ++++
 2 files changed, 18 insertions(+)

diff --git a/CHANGES.md b/CHANGES.md
index 44ed32d0fdf..aa64893d0d2 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -24,6 +24,19 @@ OpenSSL 3.1
 
 ### Changes between 3.1.7 and 3.1.8 [xx XXX xxxx]
 
+ * Fixed timing side-channel in ECDSA signature computation.
+
+   There is a timing signal of around 300 nanoseconds when the top word of
+   the inverted ECDSA nonce value is zero. This can happen with significant
+   probability only for some of the supported elliptic curves. In particular
+   the NIST P-521 curve is affected. To be able to measure this leak, the
+   attacker process must either be located in the same physical computer or
+   must have a very fast network connection with low latency.
+
+   ([CVE-2024-13176])
+
+   *TomÃ¡Å¡ MrÃ¡z*
+
  * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
    curve parameters.
 
@@ -20064,6 +20077,7 @@ ndif
 
 <!-- Links -->
 
+[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
 [CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
 [CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
diff --git a/NEWS.md b/NEWS.md
index 39eee1f8bcd..c28b2b5c52f 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -26,6 +26,9 @@ release is Low.
 
 This release incorporates the following bug fixes and mitigations:
 
+  * Fixed timing side-channel in ECDSA signature computation.
+    ([CVE-2024-13176])
+
   * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
     curve parameters.
     ([CVE-2024-9143])
@@ -1522,6 +1525,7 @@ OpenSSL 0.9.x
 
 <!-- Links -->
 
+[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
 [CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
 [CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
-- 
2.47.2