From 0966486a0ec7121142d0a543567cee8fd8b3c93b Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 15 Jan 2025 18:29:52 +0100 Subject: [PATCH] Add CHANGES.md and NEWS.md updates for CVE-2024-13176 Reviewed-by: Tim Hudson Reviewed-by: Neil Horman Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/26429) (cherry picked from commit c3144e102571517df6c15ccc049fa3660ab3cb0a) --- CHANGES | 12 ++++++++++++ NEWS | 2 ++ 2 files changed, 14 insertions(+) diff --git a/CHANGES b/CHANGES index 0d5ca5de1e69a..e8287fb4d792e 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,18 @@ Changes between 1.1.1w and 1.1.1x [xx XXX xxxx] + *) Fixed timing side-channel in ECDSA signature computation. + + There is a timing signal of around 300 nanoseconds when the top word of + the inverted ECDSA nonce value is zero. This can happen with significant + probability only for some of the supported elliptic curves. In particular + the NIST P-521 curve is affected. To be able to measure this leak, the + attacker process must either be located in the same physical computer or + must have a very fast network connection with low latency. + + (CVE-2024-13176) + [Tomáš Mráz] + *) Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic curve parameters. diff --git a/NEWS b/NEWS index cdd12c6219f63..e3e6843530238 100644 --- a/NEWS +++ b/NEWS @@ -7,6 +7,8 @@ Major changes between OpenSSL 1.1.1w and OpenSSL 1.1.1x [under development] + o Fixed timing side-channel in ECDSA signature computation. + (CVE-2024-13176) o Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic curve parameters. (CVE-2024-9143)
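Review bot: in the CHANGES hunk, the new entry describes the leak in the present tense ("There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero.") under a heading that begins "Fixed", which reads as if the leak still exists after the fix; "There was a timing signal ..." or "Before this fix, ..." would make it unambiguous. The entry also says nothing about what the fix itself changes, only about the attacker's measurement conditions, so a reader cannot tell from the changelog alone which code path or build configurations are covered; one sentence stating what was made constant-time would let users assess whether they need to upgrade.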
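Review bot: the NEWS hunk carries no indication of who is affected, while NEWS is the file most users actually read; the CHANGES entry in the same patch already states that only some curves are affected and names NIST P-521 in particular, so consider carrying one qualifier over, e.g. "o Fixed timing side-channel in ECDSA signature computation affecting some curves such as NIST P-521. (CVE-2024-13176)", so that operators can triage the advisory without opening CHANGES.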