changes: note about policy tree size limits and circumvention
author Pauli <pauli@openssl.org>
Wed, 15 Mar 2023 03:13:22 +0000 (14:13 +1100)
committer Pauli <pauli@openssl.org>
Wed, 22 Mar 2023 00:32:37 +0000 (11:32 +1100)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20570)

CHANGES.md

index 950390780ba1aa83b2569e0fbd06b9ccd061ca08..99cabb3057fbf1ef72b3bfd711245e2207ee113e 100644 (file)
@@ -24,7 +24,14 @@ OpenSSL 3.1
 
 ### Changes between 3.1.0 and 3.1.1 [xx XXX xxxx]
 
- * none yet
+ * Limited the number of nodes created in a policy tree to mitigate
+   against CVE-2023-0464.  The default limit is set to 1000 nodes, which
+   should be sufficient for most installations.  If required, the limit
+   can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
+   time define to a desired maximum number of nodes or zero to allow
+   unlimited growth.
+
+   *Paul Dale*
 
 ### Changes between 3.0 and 3.1.0 [14 Mar 2023]
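
Review bot: The sentence ending "or zero to allow unlimited growth" presents zero as just another tuning value, but by this entry's own wording the node limit is the mitigation for CVE-2023-0464, so a build with OPENSSL_POLICY_TREE_NODES_MAX set to zero carries no mitigation. Suggest stating that explicitly in the entry, and adding one sentence on what a caller sees when the 1000-node limit is reached, which the text does not say. Minor wording: "mitigate against" reads better as "mitigate".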