Update CHANGES and NEWS for the new release

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9841)

diff --git a/CHANGES b/CHANGES
index 1b9299fba786a2b3f2b1a14f7ce9dca62381482a..6679f6ed5fbfe9005f743aaa271a02cabca0d91f 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,33 @@
 
  Changes between 1.1.1c and 1.1.1d [xx XXX xxxx]
 
+  *) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
+     number generator (RNG). This was intended to include protection in the
+     event of a fork() system call in order to ensure that the parent and child
+     processes did not share the same RNG state. However this protection was not
+     being used in the default case.
+
+     A partial mitigation for this issue is that the output from a high
+     precision timer is mixed into the RNG state so the likelihood of a parent
+     and child process sharing state is significantly reduced.
+
+     If an application already calls OPENSSL_init_crypto() explicitly using
+     OPENSSL_INIT_ATFORK then this problem does not occur at all.
+     (CVE-2019-1549)
+     [Matthias St. Pierre]
+
+  *) Fixed a padding oracle in PKCS7_decrypt() and CMS_decrypt(). In situations
+     where an attacker receives automated notification of the success or failure
+     of a decryption attempt an attacker, after sending a very large number of
+     messages to be decrypted, can recover a CMS/PKCS7 transported encryption
+     key or decrypt any RSA encrypted message that was encrypted with the public
+     RSA key, using a Bleichenbacher padding oracle attack. Applications are not
+     affected if they use a certificate together with the private RSA key to the
+     CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info
+     to decrypt.
+     (CVE-2019-1563)
+     [Bernd Edlinger]
+
   *) For built-in EC curves, ensure an EC_GROUP built from the curve name is
      used even when parsing explicit parameters, when loading a serialized key
      or calling `EC_GROUP_new_from_ecpkparameters()`/
@@ -70,6 +97,7 @@
      was decided to revert this feature and leave it up to the OS
      resp. the platform maintainer to ensure a proper initialization
      during early boot time.
+     [Matthias St. Pierre]
 
  Changes between 1.1.1b and 1.1.1c [28 May 2019]
 

diff --git a/NEWS b/NEWS
index f6264bf6b709f658b63d0ae415ba303ad493e199..22be1680917315c4fe96cba5bae214534031fdad 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,20 @@
 
   Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [under development]
 
-      o
+      o Fixed a fork protection issue (CVE-2019-1549)
+      o Fixed a padding oracle in PKCS7_decrypt() and CMS_decrypt()
+        (CVE-2019-1563)
+      o For built-in EC curves, ensure an EC_GROUP built from the curve name is
+        used even when parsing explicit parameters
+      o Compute ECC cofactors if not provided during EC_GROUP construction
+        (CVE-2019-1547)
+      o Early start up entropy quality from the DEVRANDOM seed source has been
+        improved for older Linux systems
+      o Correct the extended master secret constant on EBCDIC systems
+      o Use Windows installation paths in the mingw builds (CVE-2019-1552)
+      o Changed DH_check to accept parameters with order q and 2q subgroups
+      o Significantly reduce secure memory usage by the randomness pools
+      o Revert the DEVRANDOM_WAIT feature for Linux systems
 
   Major changes between OpenSSL 1.1.1b and OpenSSL 1.1.1c [28 May 2019]