changes: note about policy tree size limits and circumvention
author Pauli <pauli@openssl.org>
Wed, 15 Mar 2023 03:29:22 +0000 (14:29 +1100)
committer Pauli <pauli@openssl.org>
Wed, 22 Mar 2023 00:42:30 +0000 (11:42 +1100)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20569)

CHANGES

diff --git a/CHANGES b/CHANGES
index f18b08cb0ee2d3604b107ae518ed37f6e900e00e..17caf6775bfed67b33d1fe491e2178e723363292 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -9,7 +9,13 @@
 
  Changes between 1.1.1t and 1.1.1u [xx XXX xxxx]
 
-  *)
+  *) Limited the number of nodes created in a policy tree to mitigate
+     against CVE-2023-0464.  The default limit is set to 1000 nodes, which
+     should be sufficient for most installations.  If required, the limit
+     can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
+     time define to a desired maximum number of nodes or zero to allow
+     unlimited growth.
+     [Paul Dale]
 
  Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
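Review bot: the new CHANGES entry does not say what a caller observes when the node limit is exceeded, so an operator reading this cannot tell whether a certificate chain with an oversized policy tree fails verification or is silently accepted without policy checking; one sentence stating the resulting behaviour would make the entry actionable. Two smaller points: "mitigate against CVE-2023-0464" reads better as "mitigate CVE-2023-0464", and since the text offers "zero to allow unlimited growth" as a build-time option, it is worth adding that zero disables this mitigation entirely so nobody sets it without understanding the trade-off.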