diff options
author | Matt Caswell <matt@openssl.org> | 2022-06-20 14:14:20 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2022-06-21 13:35:59 +0100 |
commit | 2447b10df133c0341fee89d05af8172693d06850 (patch) | |
tree | 8576eb3a730662e426dc3194c4b05ba0a98928c3 | |
parent | 8a3579a7b7067a983e69a4eda839ac408c120739 (diff) |
Update CHANGES.md and NEWS.md for new release
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
-rw-r--r-- | CHANGES.md | 19 | ||||
-rw-r--r-- | NEWS.md | 4 |
2 files changed, 22 insertions, 1 deletions
diff --git a/CHANGES.md b/CHANGES.md index 17ba92c1fd..2d0a71322c 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -30,6 +30,25 @@ breaking changes, and mappings for the large list of deprecated functions. ### Changes between 3.0.3 and 3.0.4 [xx XXX xxxx] + * In addition to the c_rehash shell command injection identified in + CVE-2022-1292, further bugs where the c_rehash script does not + properly sanitise shell metacharacters to prevent command injection have been + fixed. + + When the CVE-2022-1292 was fixed it was not discovered that there + are other places in the script where the file names of certificates + being hashed were possibly passed to a command executed through the shell. + + This script is distributed by some operating systems in a manner where + it is automatically executed. On such operating systems, an attacker + could execute arbitrary commands with the privileges of the script. + + Use of the c_rehash script is considered obsolete and should be replaced + by the OpenSSL rehash command line tool. + (CVE-2022-2068) + + *Daniel Fiala, Tomáš Mráz* + * Case insensitive string comparison no longer uses locales. It has instead been directly implemented. @@ -20,7 +20,9 @@ OpenSSL 3.0 ### Major changes between OpenSSL 3.0.3 and OpenSSL 3.0.4 [under development] - * none + * Fixed additional bugs in the c_rehash script which was not properly + sanitising shell metacharacters to prevent command injection + ([CVE-2022-2068]) ### Major changes between OpenSSL 3.0.2 and OpenSSL 3.0.3 [3 May 2022] |