author    Matt Caswell <matt@openssl.org>  2022-04-26 14:39:34 +0100
committer Matt Caswell <matt@openssl.org>  2022-05-03 13:30:07 +0100
commit    58d24ad926e3ccb30be9254cd1c7acbfac35a568 (patch)
tree      c67291873a6513f94a8dfc15b8499ce15dbe704b
parent    76eb96b656f742be4c2e6d83d621af22031953cb (diff)
Update CHANGES and NEWS for new release
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
-rw-r--r--  CHANGES  11
-rw-r--r--  NEWS      5
2 files changed, 13 insertions, 3 deletions
diff --git a/CHANGES b/CHANGES
index 351465701b..1c521ce385 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,7 +9,16 @@
Changes between 1.1.1n and 1.1.1o [xx XXX xxxx]
- *)
+ *) Fixed a bug in the c_rehash script which was not properly sanitising shell
+ metacharacters to prevent command injection. This script is distributed by
+ some operating systems in a manner where it is automatically executed. On
+ such operating systems, an attacker could execute arbitrary commands with the
+ privileges of the script.
+
+ Use of the c_rehash script is considered obsolete and should be replaced
+ by the OpenSSL rehash command line tool.
+ (CVE-2022-1292)
+ [Tomáš Mráz]
Changes between 1.1.1m and 1.1.1n [15 Mar 2022]
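Review bot: the phrase "with the privileges of the script" in the last line of the new paragraph is imprecise, since a script has no privileges of its own; suggest "with the privileges of the user or service account that runs the script", which also makes the risk on the operating systems that execute it automatically clearer. The section header still carries the "[xx XXX xxxx]" date placeholder even though the commit message says this is for the new release, so that needs filling in before the release is tagged.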
diff --git a/NEWS b/NEWS
index 8eb993087e..7d6bec7ba9 100644
--- a/NEWS
+++ b/NEWS
@@ -7,12 +7,13 @@
Major changes between OpenSSL 1.1.1n and OpenSSL 1.1.1o [under development]
- o
+ o Fixed a bug in the c_rehash script which was not properly sanitising
+ shell metacharacters to prevent command injection (CVE-2022-1292)
Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022]
o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop
- forever for non-prime moduli ([CVE-2022-0778])
+ forever for non-prime moduli (CVE-2022-0778)
Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021]
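Review bot: the new NEWS item omits the mitigation that the CHANGES entry gives (c_rehash is obsolete and should be replaced by the OpenSSL rehash command line tool); since NEWS is the summary most users read, consider adding a second line to the "o" item such as "Use of c_rehash is obsolete; use the OpenSSL rehash tool instead." The same hunk also touches the already-released 1.1.1n entry by dropping the brackets around CVE-2022-0778; that is a harmless formatting fix but unrelated to the new release, so it deserves a mention in the commit message. The "[under development]" marker in the header also has to become the release date before tagging.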