diff options
author | Matt Caswell <matt@openssl.org> | 2022-06-20 14:14:20 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2022-06-21 13:39:20 +0100 |
commit | 51e06520734063d6f52b2e596e1089d36d3781e7 (patch) | |
tree | 83264755c295ba817e2bd390f266105d7efb9460 | |
parent | 9639817dac8bbbaa64d09efad7464ccc405527c7 (diff) |
Update CHANGES and NEWS for new release
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
-rw-r--r-- | CHANGES | 18 | ||||
-rw-r--r-- | NEWS | 4 |
2 files changed, 21 insertions, 1 deletions
@@ -9,6 +9,24 @@ Changes between 1.1.1o and 1.1.1p [xx XXX xxxx] + *) In addition to the c_rehash shell command injection identified in + CVE-2022-1292, further bugs where the c_rehash script does not + properly sanitise shell metacharacters to prevent command injection have been + fixed. + + When the CVE-2022-1292 was fixed it was not discovered that there + are other places in the script where the file names of certificates + being hashed were possibly passed to a command executed through the shell. + + This script is distributed by some operating systems in a manner where + it is automatically executed. On such operating systems, an attacker + could execute arbitrary commands with the privileges of the script. + + Use of the c_rehash script is considered obsolete and should be replaced + by the OpenSSL rehash command line tool. + (CVE-2022-2068) + [Daniel Fiala, Tomáš Mráz] + *) When OpenSSL TLS client is connecting without any supported elliptic curves and TLS-1.3 protocol is disabled the connection will no longer fail if a ciphersuite that does not use a key exchange based on elliptic @@ -7,7 +7,9 @@ Major changes between OpenSSL 1.1.1o and OpenSSL 1.1.1p [under development] - o + o Fixed additional bugs in the c_rehash script which was not properly + sanitising shell metacharacters to prevent command injection + (CVE-2022-2068) Major changes between OpenSSL 1.1.1n and OpenSSL 1.1.1o [3 May 2022] |