Dev news

Commit f6c400f4cc for openssl.org

commit f6c400f4ccaf6b36f5430aa3f6c94b704e335738
Author: Neil Horman <nhorman@openssl.org>
Date:   Tue Jul 1 07:21:56 2025 -0400

    CHANGES.md / NEWS.md fixups ahead of release

    Release: yes

    Reviewed-by: Matt Caswell <matt@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/27927)

diff --git a/CHANGES.md b/CHANGES.md
index 441a143a88..44503782db 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -112,6 +112,18 @@ OpenSSL 3.5

 ### Changes between 3.5.0 and 3.5.1 [xx XXX xxxx]

+ * Fix x509 application adds trusted use instead of rejected use.
+
+   Issue summary: Use of -addreject option with the openssl x509 application adds
+   a trusted use instead of a rejected use for a certificate.
+
+   Impact summary: If a user intends to make a trusted certificate rejected for
+   a particular use it will be instead marked as trusted for that use.
+
+   ([CVE-2025-4575])
+
+   *Tomas Mraz*
+
  * Aligned the behaviour of TLS and DTLS in the event of a no_renegotiation
    alert being received. Older versions of OpenSSL failed with DTLS if a
    no_renegotiation alert was received. All versions of OpenSSL do this for TLS.
@@ -21297,6 +21309,7 @@ ndif

 <!-- Links -->

+[CVE-2025-4575]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-4575
 [CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
 [CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
diff --git a/NEWS.md b/NEWS.md
index 78b872efbd..38bd728999 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -36,6 +36,16 @@ changes:
   * Added an `openssl configutl` utility for processing the openssl
     configuration file and dumping the equal configuration file.

+### Major changes between OpenSSL 3.5.0 and OpenSSL 3.5.1 [under development]
+
+OpenSSL 3.5.1 is a security patch release. The most severe CVE fixed in this
+release is Low.
+
+This release incorporates the following bug fixes and mitigations:
+
+  * Fix x509 application adds trusted use instead of rejected use.
+   ([CVE-2025-4575])
+
 ### Major changes between OpenSSL 3.4 and OpenSSL 3.5 [under development]

 OpenSSL 3.5.0 is a feature release adding significant new functionality to
@@ -1902,7 +1912,7 @@ OpenSSL 0.9.x
   * Support for various new platforms

 <!-- Links -->
-
+[CVE-2025-4575]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-4575
 [CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
 [CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119