diff options
author | Matt Caswell <matt@openssl.org> | 2024-01-29 16:19:24 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2024-01-30 12:59:06 +0000 |
commit | a220093b963987b64d6c0cd1fc967b5e5adb2ff4 (patch) | |
tree | 9a09f6c9fc5be6e700ecd246eb870ecd410b6977 | |
parent | ebd24b37eccf8eb362ab7c5257b57f833eb2a873 (diff) |
Update CHANGES.md and NEWS.md for new release
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
(Merged from https://github.com/openssl/openssl/pull/23423)
(cherry picked from commit 6782406c069c3146cf7b5026811e3935e84e3ab8)
-rw-r--r-- | CHANGES.md | 21 | ||||
-rw-r--r-- | NEWS.md | 3 |
2 files changed, 24 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md index 2ba6c98077..4cef2556fd 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -30,6 +30,26 @@ breaking changes, and mappings for the large list of deprecated functions. ### Changes between 3.0.12 and 3.0.13 [xx XXX xxxx] + * A file in PKCS12 format can contain certificates and keys and may come from + an untrusted source. The PKCS12 specification allows certain fields to be + NULL, but OpenSSL did not correctly check for this case. A fix has been + applied to prevent a NULL pointer dereference that results in OpenSSL + crashing. If an application processes PKCS12 files from an untrusted source + using the OpenSSL APIs then that application will be vulnerable to this + issue prior to this fix. + + OpenSSL APIs that were vulnerable to this are: PKCS12_parse(), + PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() + and PKCS12_newpass(). + + We have also fixed a similar issue in SMIME_write_PKCS7(). However since this + function is related to writing data we do not consider it security + significant. + + ([CVE-2024-0727]) + + *Matt Caswell* + * When function EVP_PKEY_public_check() is called on RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this @@ -19804,6 +19824,7 @@ ndif <!-- Links --> +[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129 [CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678 @@ -20,6 +20,8 @@ OpenSSL 3.0 ### Major changes between OpenSSL 3.0.12 and OpenSSL 3.0.13 [under development] + * Fixed PKCS12 Decoding crashes + ([CVE-2024-0727]) * Fixed Excessive time spent checking invalid RSA public keys ([CVE-2023-6237]) * Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC @@ -1468,6 +1470,7 @@ OpenSSL 0.9.x <!-- Links --> +[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129 [CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678 |