### Changes between 3.2.1 and 3.2.2 [xx XXX xxxx]
+ * Fixed an issue where some non-default TLS server configurations can cause
+ unbounded memory growth when processing TLSv1.3 sessions. An attacker may
+ exploit certain server configurations to trigger unbounded memory growth that
+ would lead to a Denial of Service
+
+ This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
+ is being used (but not if early_data is also configured and the default
+ anti-replay protection is in use). In this case, under certain conditions,
+ the session cache can get into an incorrect state and it will fail to flush
+ properly as it fills. The session cache will continue to grow in an unbounded
+ manner. A malicious client could deliberately create the scenario for this
+ failure to force a Denial of Service. It may also happen by accident in
+ normal operation.
+
+ ([CVE-2024-2511])
+
+ *Matt Caswell*
+
* Fixed bug where SSL_export_keying_material() could not be used with QUIC
connections. (#23560)
<!-- Links -->
+[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
OpenSSL 3.2
-----------
-### Major changes between OpenSSL 3.2.0 and OpenSSL 3.2.1 [under development]
+### Major changes between OpenSSL 3.2.1 and OpenSSL 3.2.2 [under development]
+
+OpenSSL 3.2.2 is a security patch release. The most severe CVE fixed in this
+release is Low.
+
+This release incorporates the following bug fixes and mitigations:
+
+ * Fixed unbounded memory growth with session handling in TLSv1.3
+ ([CVE-2024-2511])
+
+### Major changes between OpenSSL 3.2.0 and OpenSSL 3.2.1 [30 Jan 2024]
OpenSSL 3.2.1 is a security patch release. The most severe CVE fixed in this
release is Low.
<!-- Links -->
+[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129