Update CHANGES/NEWS for new release

[openssl.git] / CHANGES.md

diff --git a/CHANGES.md b/CHANGES.md
index b569b1c1c5cca81d68ffc6e3b4e22185a51b8577..77a414020ec52ef09b95394719d4688b0f1914e3 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -30,6 +30,36 @@ breaking changes, and mappings for the large list of deprecated functions.
 
 ### Changes between 3.0.1 and 3.0.2 [xx XXX xxxx]
 
+ * Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
+   for non-prime moduli.
+
+   Internally this function is used when parsing certificates that contain
+   elliptic curve public keys in compressed form or explicit elliptic curve
+   parameters with a base point encoded in compressed form.
+
+   It is possible to trigger the infinite loop by crafting a certificate that
+   has invalid explicit curve parameters.
+
+   Since certificate parsing happens prior to verification of the certificate
+   signature, any process that parses an externally supplied certificate may thus
+   be subject to a denial of service attack. The infinite loop can also be
+   reached when parsing crafted private keys as they can contain explicit
+   elliptic curve parameters.
+
+   Thus vulnerable situations include:
+
+    - TLS clients consuming server certificates
+    - TLS servers consuming client certificates
+    - Hosting providers taking certificates or private keys from customers
+    - Certificate authorities parsing certification requests from subscribers
+    - Anything else which parses ASN.1 elliptic curve parameters
+
+   Also any other applications that use the BN_mod_sqrt() where the attacker
+   can control the parameter values are vulnerable to this DoS issue.
+   ([CVE-2022-0778])
+
+   *Tomáš Mráz*
+
  * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
    to the list of ciphersuites providing Perfect Forward Secrecy as
    required by SECLEVEL >= 3.