Add a CHANGES.md/NEWS.md entry for the unbounded memory growth bug

Related to CVE-2024-2511 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#24044) (cherry picked from commit e32ad41)
bernd-edlinger · Apr 22, 2024 · 87721d5 · 87721d5
1 parent db1e88e
commit 87721d5
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 4 deletions.
diff --git a/CHANGES b/CHANGES
@@ -9,6 +9,23 @@
 
  Changes between 1.1.1w and 1.1.1x [xx XXX xxxx]
 
+ *) Fixed an issue where some non-default TLS server configurations can cause
+    unbounded memory growth when processing TLSv1.3 sessions. An attacker may
+    exploit certain server configurations to trigger unbounded memory growth
+    that would lead to a Denial of Service
+
+    This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
+    is being used (but not if early_data is also configured and the default
+    anti-replay protection is in use). In this case, under certain conditions,
+    the session cache can get into an incorrect state and it will fail to flush
+    properly as it fills. The session cache will continue to grow in an
+    unbounded manner. A malicious client could deliberately create the scenario
+    for this failure to force a Denial of Service. It may also happen by
+    accident in normal operation.
+
+   (CVE-2024-2511)
+   [Matt Caswell]
+
  *) A file in PKCS12 format can contain certificates and keys and may come from
     an untrusted source. The PKCS12 specification allows certain fields to be
     NULL, but OpenSSL did not correctly check for this case. A fix has been
@@ -26,8 +43,7 @@
     significant.
 
    (CVE-2024-0727)
-
-   *Matt Caswell*
+   [Matt Caswell]
 
  *) Fix excessive time spent in DH check / generation with large Q parameter
     value.
@@ -40,8 +56,7 @@
     an untrusted source this may lead to a Denial of Service.
 
     (CVE-2023-5678)
-
-    *Richard Levitte*
+    [Richard Levitte]
 
  Changes between 1.1.1v and 1.1.1w [11 Sep 2023]
 

diff --git a/NEWS b/NEWS
@@ -7,6 +7,8 @@
 
   Major changes between OpenSSL 1.1.1w and OpenSSL 1.1.1x [under development]
 
+      o Fixed unbounded memory growth with session handling in TLSv1.3
+        (CVE-2024-2511)
       o Fixed PKCS12 Decoding crashes (CVE-2024-0727)
       o Fix excessive time spent in DH check / generation with large Q parameter
         value (CVE-2023-5678)