diff options
| author | Matt Caswell <matt@openssl.org> | 2022-06-20 14:14:20 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2022-06-21 13:22:55 +0100 |
| commit | de85a9de3f56aaf8c55c28fe495b900e50752a5a (patch) | |
| tree | 6392da68fa8a8929448c39f8106cee7b2c0cfc65 /CHANGES.md | |
| parent | 87eee75010f7efaa617ff32163359bf81513a619 (diff) | |
Update CHANGES.md and NEWS.md for new release
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Release: yes
Diffstat (limited to 'CHANGES.md')
| -rw-r--r-- | CHANGES.md | 29 |
1 files changed, 24 insertions, 5 deletions
diff --git a/CHANGES.md b/CHANGES.md index 9a998c3306..319e576f62 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -122,14 +122,33 @@ breaking changes, and mappings for the large list of deprecated functions. [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod -### Changes between 3.0.3 and 3.0.4 +### Changes between 3.0.3 and 3.0.4 [21 June 2022] + + * In addition to the c_rehash shell command injection identified in + CVE-2022-1292, further bugs where the c_rehash script does not + properly sanitise shell metacharacters to prevent command injection have been + fixed. + + When the CVE-2022-1292 was fixed it was not discovered that there + are other places in the script where the file names of certificates + being hashed were possibly passed to a command executed through the shell. + + This script is distributed by some operating systems in a manner where + it is automatically executed. On such operating systems, an attacker + could execute arbitrary commands with the privileges of the script. + + Use of the c_rehash script is considered obsolete and should be replaced + by the OpenSSL rehash command line tool. + (CVE-2022-2068) + + *Daniel Fiala, Tomáš Mráz* * Case insensitive string comparison no longer uses locales. It has instead been directly implemented. *Paul Dale* -### Changes between 3.0.2 and 3.0.3 +### Changes between 3.0.2 and 3.0.3 [3 May 2022] * Case insensitive string comparison is reimplemented via new locale-agnostic comparison functions OPENSSL_str[n]casecmp always using the POSIX locale for @@ -244,7 +263,7 @@ breaking changes, and mappings for the large list of deprecated functions. *Hugo Landau* -### Changes between 3.0.1 and 3.0.2 [15 mar 2022] +### Changes between 3.0.1 and 3.0.2 [15 Mar 2022] * Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever for non-prime moduli. @@ -300,7 +319,7 @@ breaking changes, and mappings for the large list of deprecated functions. *Tomáš Mráz* -### Changes between 3.0.0 and 3.0.1 [14 dec 2021] +### Changes between 3.0.0 and 3.0.1 [14 Dec 2021] * Fixed invalid handling of X509_verify_cert() internal errors in libssl Internally libssl in OpenSSL calls X509_verify_cert() on the client side to @@ -374,7 +393,7 @@ breaking changes, and mappings for the large list of deprecated functions. *Richard Levitte* -### Changes between 1.1.1 and 3.0.0 [7 sep 2021] +### Changes between 1.1.1 and 3.0.0 [7 Sep 2021] * TLS_MAX_VERSION, DTLS_MAX_VERSION and DTLS_MIN_VERSION constants are now deprecated. |