author Matt Caswell <matt@openssl.org> 2022-06-20 14:14:20 +0100
committer Matt Caswell <matt@openssl.org> 2022-06-21 13:35:59 +0100
commit 2447b10df133c0341fee89d05af8172693d06850 (patch)
tree 8576eb3a730662e426dc3194c4b05ba0a98928c3
parent 8a3579a7b7067a983e69a4eda839ac408c120739 (diff)
Update CHANGES.md and NEWS.md for new release

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
-rw-r--r-- CHANGES.md 19
-rw-r--r-- NEWS.md 4
2 files changed, 22 insertions, 1 deletions
diff --git a/CHANGES.md b/CHANGES.md
index 17ba92c1fd..2d0a71322c 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -30,6 +30,25 @@ breaking changes, and mappings for the large list of deprecated functions.
### Changes between 3.0.3 and 3.0.4 [xx XXX xxxx]
+ * In addition to the c_rehash shell command injection identified in
+ CVE-2022-1292, further bugs where the c_rehash script does not
+ properly sanitise shell metacharacters to prevent command injection have been
+ fixed.
+
+ When the CVE-2022-1292 was fixed it was not discovered that there
+ are other places in the script where the file names of certificates
+ being hashed were possibly passed to a command executed through the shell.
+
+ This script is distributed by some operating systems in a manner where
+ it is automatically executed. On such operating systems, an attacker
+ could execute arbitrary commands with the privileges of the script.
+
+ Use of the c_rehash script is considered obsolete and should be replaced
+ by the OpenSSL rehash command line tool.
+ (CVE-2022-2068)
+
+ *Daniel Fiala, Tomáš Mráz*
+
* Case insensitive string comparison no longer uses locales. It has instead
been directly implemented.
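Review bot: The second paragraph of the new entry has a stray article in "When the CVE-2022-1292 was fixed"; "When CVE-2022-1292 was fixed" reads correctly. The closing paragraph tells readers to replace c_rehash with "the OpenSSL rehash command line tool" but does not give the invocation; writing it as `openssl rehash` would let administrators on the distributions that run the script automatically act on the advice directly. The section header in the context line still carries the placeholder date "[xx XXX xxxx]", so confirm it is filled in before the release is tagged.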
diff --git a/NEWS.md b/NEWS.md
index 7ced6898cc..cccc62cdb9 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -20,7 +20,9 @@ OpenSSL 3.0
### Major changes between OpenSSL 3.0.3 and OpenSSL 3.0.4 [under development]
- * none
+ * Fixed additional bugs in the c_rehash script which was not properly
+ sanitising shell metacharacters to prevent command injection
+ ([CVE-2022-2068])
### Major changes between OpenSSL 3.0.2 and OpenSSL 3.0.3 [3 May 2022]
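Review bot: The added bullet cites "([CVE-2022-2068])" as a reference-style link, but the diffstat shows these 4 lines are the only change to NEWS.md, so no link definition for that label is added by this patch. Unless a definition already exists elsewhere in the file, the label renders as literal bracketed text; add the definition in the same commit. The context heading also still reads "[under development]" although the commit message says this is for the new release, so check that it is updated with the release date.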