From 8b02603cedc8fbdf9901aa2cc71877c28adbcaf2 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 16 Feb 2021 12:17:04 +0000
Subject: [PATCH] Update CHANGES and NEWS for new release

Reviewed-by: Richard Levitte <levitte@openssl.org>
---
 CHANGES | 27 ++++++++++++++++++++++++++-
 NEWS    |  8 +++++++-
 2 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index ba224c45cd4..a8c28aafd48 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,7 +9,32 @@
 
  Changes between 1.1.1i and 1.1.1j [xx XXX xxxx]
 
-  *) Fixed SRP_Calc_client_key so that it uses constant time. The previous
+  *) Fixed the X509_issuer_and_serial_hash() function. It attempts to
+     create a unique hash value based on the issuer and serial number data
+     contained within an X509 certificate. However it was failing to correctly
+     handle any errors that may occur while parsing the issuer field (which might
+     occur if the issuer field is maliciously constructed). This may subsequently
+     result in a NULL pointer deref and a crash leading to a potential denial of
+     service attack.
+     (CVE-2021-23841)
+     [Matt Caswell]
+
+  *) Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
+     padding mode to correctly check for rollback attacks. This is considered a
+     bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is
+     CVE-2021-23839.
+     [Matt Caswell]
+
+  *) Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
+     functions. Previously they could overflow the output length argument in some
+     cases where the input length is close to the maximum permissable length for
+     an integer on the platform. In such cases the return value from the function
+     call would be 1 (indicating success), but the output length value would be
+     negative. This could cause applications to behave incorrectly or crash.
+     (CVE-2021-23840)
+     [Matt Caswell]
+
+  *) Fixed SRP_Calc_client_key so that it runs in constant time. The previous
      implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This
      could be exploited in a side channel attack to recover the password. Since
      the attack is local host only this is outside of the current OpenSSL
diff --git a/NEWS b/NEWS
index 55ffce8ea39..32e036ee2f2 100644
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,13 @@
 
   Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [under development]
 
-      o
+      o Fixed a NULL pointer deref in the X509_issuer_and_serial_hash()
+        function (CVE-2021-23841)
+      o Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
+        padding mode to correctly check for rollback attacks
+      o Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and
+        EVP_DecryptUpdate functions (CVE-2021-23840)
+      o Fixed SRP_Calc_client_key so that it runs in constant time
 
   Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020]
 
-- 
2.47.2