Add CHANGES.md and NEWS.md entries for CVE-2023-2975

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21384)

CHANGES.md

@@ -286,6 +286,26 @@ OpenSSL 3.1
 
 ### Changes between 3.1.1 and 3.1.2 [xx XXX xxxx]
 
+ * Do not ignore empty associated data entries with AES-SIV.
+
+   The AES-SIV algorithm allows for authentication of multiple associated
+   data entries along with the encryption. To authenticate empty data the
+   application has to call `EVP_EncryptUpdate()` (or `EVP_CipherUpdate()`)
+   with NULL pointer as the output buffer and 0 as the input buffer length.
+   The AES-SIV implementation in OpenSSL just returns success for such call
+   instead of performing the associated data authentication operation.
+   The empty data thus will not be authenticated. ([CVE-2023-2975])
+
+   Thanks to Juerg Wullschleger (Google) for discovering the issue.
+
+   The fix changes the authentication tag value and the ciphertext for
+   applications that use empty associated data entries with AES-SIV.
+   To decrypt data encrypted with previous versions of OpenSSL the application
+   has to skip calls to `EVP_DecryptUpdate()` for empty associated data
+   entries.
+
+   *Tomas Mraz*
+
  * When building with the `enable-fips` option and using the resulting
    FIPS provider, TLS 1.2 will, by default, mandate the use of an extended
    master secret (FIPS 140-3 IG G.Q) and the Hash and HMAC DRBGs will
@@ -20011,6 +20031,7 @@ ndif
 
 <!-- Links -->
 
+[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
 [RFC 2578 (STD 58), section 3.5]: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
 [CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255

NEWS.md

@@ -39,10 +39,11 @@ OpenSSL 3.1
 
 ### Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [under development]
 
- * When building with the `enable-fips` option and using the resulting
+  * Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975])
-   FIPS provider, TLS 1.2 will, by default, mandate the use of an
+  * When building with the `enable-fips` option and using the resulting
-   extended master secret and the Hash and HMAC DRBGs will not operate
+    FIPS provider, TLS 1.2 will, by default, mandate the use of an
-   with truncated digests.
+    extended master secret and the Hash and HMAC DRBGs will not operate
+    with truncated digests.
 
 ### Major changes between OpenSSL 3.1.0 and OpenSSL 3.1.1 [30 May 2023]
 
@@ -1479,6 +1480,7 @@ OpenSSL 0.9.x
 
 <!-- Links -->
 
+[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
 [CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
 [CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466