diff options
Diffstat (limited to 'CHANGES.md')
-rw-r--r-- | CHANGES.md | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md index 17ba92c1fd..2d0a71322c 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -30,6 +30,25 @@ breaking changes, and mappings for the large list of deprecated functions. ### Changes between 3.0.3 and 3.0.4 [xx XXX xxxx] + * In addition to the c_rehash shell command injection identified in + CVE-2022-1292, further bugs where the c_rehash script does not + properly sanitise shell metacharacters to prevent command injection have been + fixed. + + When the CVE-2022-1292 was fixed it was not discovered that there + are other places in the script where the file names of certificates + being hashed were possibly passed to a command executed through the shell. + + This script is distributed by some operating systems in a manner where + it is automatically executed. On such operating systems, an attacker + could execute arbitrary commands with the privileges of the script. + + Use of the c_rehash script is considered obsolete and should be replaced + by the OpenSSL rehash command line tool. + (CVE-2022-2068) + + *Daniel Fiala, Tomáš Mráz* + * Case insensitive string comparison no longer uses locales. It has instead been directly implemented. |