From 2447b10df133c0341fee89d05af8172693d06850 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 20 Jun 2022 14:14:20 +0100 Subject: [PATCH] Update CHANGES.md and NEWS.md for new release Reviewed-by: Tomas Mraz Release: yes --- CHANGES.md | 19 +++++++++++++++++++ NEWS.md | 4 +++- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index 17ba92c1fd..2d0a71322c 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -30,6 +30,25 @@ breaking changes, and mappings for the large list of deprecated functions. ### Changes between 3.0.3 and 3.0.4 [xx XXX xxxx] + * In addition to the c_rehash shell command injection identified in + CVE-2022-1292, further bugs where the c_rehash script does not + properly sanitise shell metacharacters to prevent command injection have been + fixed. + + When the CVE-2022-1292 was fixed it was not discovered that there + are other places in the script where the file names of certificates + being hashed were possibly passed to a command executed through the shell. + + This script is distributed by some operating systems in a manner where + it is automatically executed. On such operating systems, an attacker + could execute arbitrary commands with the privileges of the script. + + Use of the c_rehash script is considered obsolete and should be replaced + by the OpenSSL rehash command line tool. + (CVE-2022-2068) + + *Daniel Fiala, Tomáš Mráz* + * Case insensitive string comparison no longer uses locales. It has instead been directly implemented. diff --git a/NEWS.md b/NEWS.md index 7ced6898cc..cccc62cdb9 100644 --- a/NEWS.md +++ b/NEWS.md @@ -20,7 +20,9 @@ OpenSSL 3.0 ### Major changes between OpenSSL 3.0.3 and OpenSSL 3.0.4 [under development] - * none + * Fixed additional bugs in the c_rehash script which was not properly + sanitising shell metacharacters to prevent command injection + ([CVE-2022-2068]) ### Major changes between OpenSSL 3.0.2 and OpenSSL 3.0.3 [3 May 2022]