author: Pauli <pauli@openssl.org> 2023-03-15 14:18:53 +1100
committer: Pauli <pauli@openssl.org> 2023-03-22 11:40:14 +1100
commit: f8fe66e3f13350b527da871183b727e0fb9632ca (patch)
tree: bc61e4e48e1f4e720a4f90b14e7ab188145861e0
parent: 2a35fdcd965d8afcf4c139447aef8d5985eb9048 (diff)
changes: note about policy tree size limits and circumvention

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20568)
-rw-r--r-- CHANGES.md 9
1 files changed, 8 insertions, 1 deletions
diff --git a/CHANGES.md b/CHANGES.md
index 2ba422c09a..3eddb6f10e 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -30,7 +30,14 @@ breaking changes, and mappings for the large list of deprecated functions.
### Changes between 3.0.8 and 3.0.9 [xx XXX xxxx]
- * none yet
+ * Limited the number of nodes created in a policy tree to mitigate
+ against CVE-2023-0464. The default limit is set to 1000 nodes, which
+ should be sufficient for most installations. If required, the limit
+ can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
+ time define to a desired maximum number of nodes or zero to allow
+ unlimited growth.
+
+ *Paul Dale*
### Changes between 3.0.7 and 3.0.8 [7 Feb 2023]
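Review bot: the sentence "or zero to allow unlimited growth" in the new 3.0.9 entry should say outright that a zero value removes the node limit this entry introduces as the CVE-2023-0464 mitigation, so a build configured that way is back to unbounded policy tree growth. The entry also does not say what a caller observes when the 1000-node default is reached; one added sentence on the resulting behaviour (for example, whether certificate verification fails) would let operators recognise the limit being hit rather than guess. Finally, "build time define" gives no hint of how to set OPENSSL_POLICY_TREE_NODES_MAX; a short pointer to where the define is passed would make the adjustment reproducible.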