From fa425f20955c7948faed27f69ae4544f89c108ea Mon Sep 17 00:00:00 2001 From: Pauli Date: Wed, 15 Mar 2023 14:29:22 +1100 Subject: [PATCH] changes: note about policy tree size limits and circumvention Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/20569) --- CHANGES | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index f18b08cb0ee..17caf6775bf 100644 --- a/CHANGES +++ b/CHANGES @@ -9,7 +9,13 @@ Changes between 1.1.1t and 1.1.1u [xx XXX xxxx] - *) + *) Limited the number of nodes created in a policy tree to mitigate + against CVE-2023-0464. The default limit is set to 1000 nodes, which + should be sufficient for most installations. If required, the limit + can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build + time define to a desired maximum number of nodes or zero to allow + unlimited growth. + [Paul Dale] Changes between 1.1.1s and 1.1.1t [7 Feb 2023] -- 2.47.2
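Review bot: in the added CHANGES entry under "Changes between 1.1.1t and 1.1.1u", the clause "or zero to allow unlimited growth" does not say that building with OPENSSL_POLICY_TREE_NODES_MAX set to zero removes the mitigation for CVE-2023-0464 that the same entry announces. The commit subject mentions circumvention, but the entry text leaves the reader to infer it; suggest adding a clause such as "setting it to zero disables this mitigation". The entry also does not state what a caller observes when the 1000-node default is reached (for example, whether verification fails), which is what someone deciding whether to raise the limit needs to know. Minor wording: "mitigate against" reads better as "mitigate", and "build time define" as "build-time define".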