[3.6] Update CHANGES.md and NEWS.md in preparation for the 3.6.0 release #28712
Closed
esyr wants to merge 2 commits into openssl:openssl-3.6 from
Conversation
3.5.4 CHANGES.md includes the following:
* openssl#28415
* openssl#28573
* openssl#28603

3.5.4 NEWS.md includes the following:
* openssl#28603

Release: Yes
Signed-off-by: Eugene Syromiatnikov <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
t8m requested changes, Oct 1, 2025
CHANGES.md (outdated), comment on lines 34 to 86:
 * Fixed Out-of-bounds read&write in RFC 3211 KEK Unwrap

   Issue summary: An application trying to decrypt CMS messages encrypted using
   password-based encryption can trigger an out-of-bounds read and write.

   Impact summary: This out-of-bounds read may trigger a crash which leads
   to Denial of Service for an application. The out-of-bounds write can cause
   a memory corruption which can have various consequences, including
   a Denial of Service or Execution of attacker-supplied code.

   The issue was reported by Stanislav Fort (Aisle Research).

   ([CVE-2025-9230])

   *Viktor Dukhovni*

 * Fixed Timing side-channel in SM2 algorithm on 64-bit ARM

   Issue summary: A timing side-channel which could potentially allow remote
   recovery of the private key exists in the SM2 algorithm implementation
   on 64-bit ARM platforms.

   Impact summary: A timing side-channel in SM2 signature computations
   on 64-bit ARM platforms could allow recovering the private key
   by an attacker.

   The issue was reported by Stanislav Fort (Aisle Research).

   ([CVE-2025-9231])

   *Stanislav Fort and Tomáš Mráz*

 * Fixed Out-of-bounds read in HTTP client `no_proxy` handling

   Issue summary: An application using the OpenSSL HTTP client API functions
   may trigger an out-of-bounds read if the `no_proxy` environment variable
   is set and the host portion of the authority component of the HTTP URL
   is an IPv6 address.

   Impact summary: An out-of-bounds read can trigger a crash which leads
   to Denial of Service for an application.

   The issue was reported by Stanislav Fort (Aisle Research).

   ([CVE-2025-9232])

   *Stanislav Fort*

 * Fixed the length of the ASN.1 sequence for the SM3 digests of RSA-encrypted
   signatures.

   *Xiao Lou Dong Feng*
t8m (Member):
Everything that is mentioned in the 3.5 section should NOT be duplicated here, as these are changes between 3.6 and 3.5, NOT between 3.6.0 and 3.5.0.
esyr (Member, Author):
Sure, removed the following changes:
@@ -31,86 +31,6 @@ OpenSSL 3.6
### Changes between 3.5 and 3.6 [xx XXX xxxx]
- * Fixed Out-of-bounds read&write in RFC 3211 KEK Unwrap
-
- Issue summary: An application trying to decrypt CMS messages encrypted using
- password-based encryption can trigger an out-of-bounds read and write.
-
- Impact summary: This out-of-bounds read may trigger a crash which leads
- to Denial of Service for an application. The out-of-bounds write can cause
- a memory corruption which can have various consequences, including
- a Denial of Service or Execution of attacker-supplied code.
-
- The issue was reported by Stanislav Fort (Aisle Research).
-
- ([CVE-2025-9230])
-
- *Viktor Dukhovni*
-
- * Fixed Timing side-channel in SM2 algorithm on 64-bit ARM
-
- Issue summary: A timing side-channel which could potentially allow remote
- recovery of the private key exists in the SM2 algorithm implementation
- on 64-bit ARM platforms.
-
- Impact summary: A timing side-channel in SM2 signature computations
- on 64-bit ARM platforms could allow recovering the private key
- by an attacker.
-
- The issue was reported by Stanislav Fort (Aisle Research).
-
- ([CVE-2025-9231])
-
- *Stanislav Fort and Tomáš Mráz*
-
- * Fixed Out-of-bounds read in HTTP client `no_proxy` handling
-
- Issue summary: An application using the OpenSSL HTTP client API functions
- may trigger an out-of-bounds read if the `no_proxy` environment variable
- is set and the host portion of the authority component of the HTTP URL
- is an IPv6 address.
-
- Impact summary: An out-of-bounds read can trigger a crash which leads
- to Denial of Service for an application.
-
- The issue was reported by Stanislav Fort (Aisle Research).
-
- ([CVE-2025-9232])
-
- *Stanislav Fort*
-
- * Fixed the length of the ASN.1 sequence for the SM3 digests of RSA-encrypted
- signatures.
-
- *Xiao Lou Dong Feng*
-
- * Secure memory allocation calls are no longer used for HMAC keys.
-
- *Dr Paul Dale*
-
- * `openssl req` no longer generates certificates with an empty extension list
- when SKID/AKID are set to `none` during generation.
-
- *David Benjamin*
-
- * The man page date is now derived from the release date provided
- in `VERSION.dat` and not the current date for the released builds.
-
- *Enji Cooper*
-
* Added support for `EVP_SKEY` opaque symmetric key objects to the key
derivation and key exchange provider methods. Added
`EVP_KDF_CTX_set_SKEY()`, `EVP_KDF_derive_SKEY()`,
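Review bot: the section header kept as context, `### Changes between 3.5 and 3.6 [xx XXX xxxx]`, still carries the placeholder date; since this PR prepares the 3.6.0 release, either fill it in here or confirm the release tooling sets it. Also, the hunk drops seven entries but the PR description lists only three 3.5.4 pull requests (#28415, #28573, #28603), so please confirm that each of the non-CVE entries removed here (the HMAC secure-memory change, the `openssl req` SKID/AKID empty extension list fix, and the `VERSION.dat`-derived man page date) is already recorded in the 3.5 section; an entry removed here that is absent there would silently drop a user-visible change from the release notes.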
@@ -122,10 +42,6 @@ OpenSSL 3.6
*Dr Paul Dale*
- * Added FIPS 140-3 PCT on DH key generation.
-
- *Nikola Pajkovský*
-
* Added `i2d_PKCS8PrivateKey(3)` API to complement `i2d_PrivateKey(3)`,
the former always outputs PKCS#8.
news:
@@ -29,17 +29,6 @@ OpenSSL 3.6
This release incorporates the following potentially significant or incompatible
changes:
- * Fixed Out-of-bounds read&write in RFC 3211 KEK Unwrap.
- ([CVE-2025-9230])
-
- * Fixed Timing side-channel in SM2 algorithm on 64-bit ARM.
- ([CVE-2025-9231])
-
- * Fixed Out-of-bounds read in HTTP client `no_proxy` handling.
- ([CVE-2025-9232])
-
- * Added FIPS 140-3 PCT on DH key generation.
-
* Added NIST security categories for PKEY objects.
* Added support for `EVP_SKEY` opaque symmetric key objects to the key
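Review bot: this hunk removes the three security entries (CVE-2025-9230, CVE-2025-9231, CVE-2025-9232) and the DH PCT entry from the 3.6 section of NEWS.md; please confirm the 3.5.4 section of NEWS.md lists all of them, since the description says only #28603 went into 3.5.4 NEWS.md and readers of the 3.6.0 notes should still be able to find the CVE fixes in the file.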
0fd99e9 to 6602d83:
* Add the release date for 3.5.4
* Various touch-ups aimed at improving consistency of the news
* ffixes, wfixes

Release: Yes
Signed-off-by: Eugene Syromiatnikov <[email protected]>

6602d83 to 09e11f7
t8m approved these changes, Oct 1, 2025
nhorman approved these changes, Oct 1, 2025
merged
openssl-machine pushed a commit that referenced this pull request, Oct 1, 2025:

3.5.4 CHANGES.md includes the following:
* #28415
* #28573
* #28603

3.5.4 NEWS.md includes the following:
* #28603

Release: Yes
Signed-off-by: Eugene Syromiatnikov <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from #28712)

openssl-machine pushed a commit that referenced this pull request, Oct 1, 2025:

* Add the release date for 3.5.4
* Various touch-ups aimed at improving consistency of the news
* ffixes, wfixes

Release: Yes
Signed-off-by: Eugene Syromiatnikov <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from #28712)

esyr added a commit to esyr/openssl that referenced this pull request, Oct 2, 2025:

3.5.4 CHANGES.md includes the following:
* openssl#28415
* openssl#28573
* openssl#28603

3.5.4 NEWS.md includes the following:
* openssl#28603

Release: Yes
Signed-off-by: Eugene Syromiatnikov <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#28712)

esyr added a commit to esyr/openssl that referenced this pull request, Oct 2, 2025:

* Add the release date for 3.5.4
* Various touch-ups aimed at improving consistency of the news
* ffixes, wfixes

Release: Yes
Signed-off-by: Eugene Syromiatnikov <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#28712)
This includes a forward-port of 3.5.4 CHANGES/NEWS updates, as well as massaging of 3.6 CHANGES/NEWS.