Update CHANGES.md and NEWS.md for new release

Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes
2022-06-20 14:14:20 +01:00 · 2022-06-20 14:14:20 +01:00 · 2447b10df1
parent 8a3579a7b7
commit 2447b10df1
2 changed files with 22 additions and 1 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -30,6 +30,25 @@ breaking changes, and mappings for the large list of deprecated functions.

 ### Changes between 3.0.3 and 3.0.4 [xx XXX xxxx]

+ * In addition to the c_rehash shell command injection identified in
+   CVE-2022-1292, further bugs where the c_rehash script does not
+   properly sanitise shell metacharacters to prevent command injection have been
+   fixed.
+
+   When the CVE-2022-1292 was fixed it was not discovered that there
+   are other places in the script where the file names of certificates
+   being hashed were possibly passed to a command executed through the shell.
+
+   This script is distributed by some operating systems in a manner where
+   it is automatically executed.  On such operating systems, an attacker
+   could execute arbitrary commands with the privileges of the script.
+
+   Use of the c_rehash script is considered obsolete and should be replaced
+   by the OpenSSL rehash command line tool.
+   (CVE-2022-2068)
+
+   *Daniel Fiala, Tomáš Mráz*
+
 * Case insensitive string comparison no longer uses locales.  It has instead
   been directly implemented.

--- a/NEWS.md
+++ b/NEWS.md
@ -20,7 +20,9 @@ OpenSSL 3.0

 ### Major changes between OpenSSL 3.0.3 and OpenSSL 3.0.4 [under development]

-  * none
+  * Fixed additional bugs in the c_rehash script which was not properly
+    sanitising shell metacharacters to prevent command injection
+    ([CVE-2022-2068])

 ### Major changes between OpenSSL 3.0.2 and OpenSSL 3.0.3 [3 May 2022]