root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Update CHANGES.md and NEWS.md for new release 

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
(Merged from https://github.com/openssl/openssl/pull/23423)

(cherry picked from commit 6782406c06)
This commit is contained in:
Matt Caswell 2024-01-29 16:19:24 +00:00
parent ebd24b37ec
commit a220093b96
2 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
CHANGES.md
View File

@ -30,6 +30,26 @@ breaking changes, and mappings for the large list of deprecated functions.
### Changes between 3.0.12 and 3.0.13 [xx XXX xxxx] ### Changes between 3.0.12 and 3.0.13 [xx XXX xxxx]
* A file in PKCS12 format can contain certificates and keys and may come from
an untrusted source. The PKCS12 specification allows certain fields to be
NULL, but OpenSSL did not correctly check for this case. A fix has been
applied to prevent a NULL pointer dereference that results in OpenSSL
crashing. If an application processes PKCS12 files from an untrusted source
using the OpenSSL APIs then that application will be vulnerable to this
issue prior to this fix.
OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().
We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security
significant.
([CVE-2024-0727])
*Matt Caswell*
* When function EVP_PKEY_public_check() is called on RSA public keys, * When function EVP_PKEY_public_check() is called on RSA public keys,
a computation is done to confirm that the RSA modulus, n, is composite. a computation is done to confirm that the RSA modulus, n, is composite.
For valid RSA keys, n is a product of two or more large primes and this For valid RSA keys, n is a product of two or more large primes and this
@ -19804,6 +19824,7 @@ ndif
<!-- Links --> <!-- Links -->
[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
[CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678 [CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678

3
NEWS.md
View File

@ -20,6 +20,8 @@ OpenSSL 3.0
### Major changes between OpenSSL 3.0.12 and OpenSSL 3.0.13 [under development] ### Major changes between OpenSSL 3.0.12 and OpenSSL 3.0.13 [under development]
* Fixed PKCS12 Decoding crashes
([CVE-2024-0727])
* Fixed Excessive time spent checking invalid RSA public keys * Fixed Excessive time spent checking invalid RSA public keys
([CVE-2023-6237]) ([CVE-2023-6237])
* Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC * Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC
@ -1468,6 +1470,7 @@ OpenSSL 0.9.x
<!-- Links --> <!-- Links -->
[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
[CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678 [CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678