diff options
author | Tomas Mraz <tomas@openssl.org> | 2023-03-21 16:15:47 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2023-03-28 14:06:47 +0200 |
commit | 51e8a84ce742db0f6c70510d0159dad8f7825908 (patch) | |
tree | 7490a600e1099e13c381950a73bf9a34aab2658d /CHANGES.md | |
parent | 9a1410bd393c594f852222392c36bc7895d82d57 (diff) |
Fix documentation of X509_VERIFY_PARAM_add0_policy()
The function was incorrectly documented as enabling policy checking.
Fixes: CVE-2023-0466
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20563)
Diffstat (limited to 'CHANGES.md')
-rw-r--r-- | CHANGES.md | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md index 31cc6095cc..eb948e6b74 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -30,6 +30,13 @@ breaking changes, and mappings for the large list of deprecated functions. ### Changes between 3.0.8 and 3.0.9 [xx XXX xxxx] + * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention + that it does not enable policy checking. Thanks to David Benjamin for + discovering this issue. + ([CVE-2023-0466]) + + *Tomáš Mráz* + * Fixed an issue where invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert @@ -19599,6 +19606,7 @@ ndif <!-- Links --> +[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466 [CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465 [CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464 [CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401 |