+6224. [bug] Check the If-Modified-Since value length to prevent
+ out-of-bounds write. [GL #4124]
+
6223. [func] Make -E engine option for OpenSSL Engine API use only.
OpenSSL Provider API will now require engine to not be
set. [GL #8153]
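Review bot: the new 6224 entry does not say which component parses the If-Modified-Since value. The release note for the same issue (:gl:`#4124`) names the statistics channel, so the CHANGES line should as well, for example "Check the If-Modified-Since value length in the statistics channel to prevent out-of-bounds write." That lets someone scanning CHANGES tell whether a build without a statistics channel configured is affected. The entry also says "out-of-bounds write" while the release note says "buffer overflow"; use one term in both places.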
- None.
+- The value of If-Modified-Since header in statistics channel was not checked
+ for length leading to possible buffer overflow by an authorized user. We
+ would like to emphasize that statistics channel must be properly setup to
+ allow access only from authorized users of the system. :gl:`#4124`
+
+ This was reported independently by Eric Sesterhenn of X41 D-SEC and Cameron
+ Whitehead.
+
Known Issues
~~~~~~~~~~~~
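Review bot: in the added release note, "must be properly setup" should be "must be properly set up" (verb form), and the first sentence needs articles and a comma: "The value of the If-Modified-Since header in the statistics channel was not checked for length, leading to a possible buffer overflow by an authorized user." The note tells operators to restrict the statistics channel to authorized users but does not say how; a cross-reference to the statistics channel access-control documentation would make that advice actionable. Separately, this text says "buffer overflow" where the CHANGES entry for the same issue says "out-of-bounds write", so the wording should be aligned.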