Update CHANGES and NEWS for upcoming release 1.1.1q

author Richard Levitte <levitte@openssl.org>

Tue, 5 Jul 2022 08:25:00 +0000 (10:25 +0200)

committer Richard Levitte <levitte@openssl.org>

Tue, 5 Jul 2022 08:25:00 +0000 (10:25 +0200)
author Richard Levitte <levitte@openssl.org>
Tue, 5 Jul 2022 08:25:00 +0000 (10:25 +0200)
committer Richard Levitte <levitte@openssl.org>
Tue, 5 Jul 2022 08:25:00 +0000 (10:25 +0200)
diff --git a/CHANGES b/CHANGES

index b72c71d26b41cd1e8f8b32953d8e8fe1eb71663a..62a555762dd206990f649f56ff686cdf14a753b5 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -9,7 +9,16 @@
  
   Changes between 1.1.1p and 1.1.1q [xx XXX xxxx]
  
-  *)
+  *) AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
+     implementation would not encrypt the entirety of the data under some
+     circumstances.  This could reveal sixteen bytes of data that was
+     preexisting in the memory that wasn't written.  In the special case of
+     "in place" encryption, sixteen bytes of the plaintext would be revealed.
+
+     Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
+     they are both unaffected.
+     (CVE-2022-2097)
+     [Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño]
  
   Changes between 1.1.1o and 1.1.1p [21 Jun 2022]
  
diff --git a/NEWS b/NEWS

index d0c810f52f6841eefd0d088d703d39cec14108a6..892793313fb3af1f00d0cd11eaba8ca2ca3a841e 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,8 @@
  
    Major changes between OpenSSL 1.1.1p and OpenSSL 1.1.1q [under development]
  
-      o
+      o Fixed AES OCB failure to encrypt some bytes on 32-bit x86 platforms
+        (CVE-2022-2097)
  
    Major changes between OpenSSL 1.1.1o and OpenSSL 1.1.1p [21 Jun 2022]
author	Richard Levitte <levitte@openssl.org>
	Tue, 5 Jul 2022 08:25:00 +0000 (10:25 +0200)
committer	Richard Levitte <levitte@openssl.org>
	Tue, 5 Jul 2022 08:25:00 +0000 (10:25 +0200)