"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "CHANGES" between
openssl-1.1.1o.tar.gz and openssl-1.1.1p.tar.gz

About: OpenSSL is a toolkit implementing the Transport Layer Security (TLS) protocols (including SSLv3) as well as a full-strength general purpose cryptographic library. Long Term Support (LTS) version (includes support for TLSv1.3).

CHANGES (openssl-1.1.1o) | CHANGES (openssl-1.1.1p)

Unchanged header, identical in both versions:

OpenSSL CHANGES
_______________

This is a high-level summary of the most important changes.
For a full list of changes, see the git commit log; for example,
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
Added in openssl-1.1.1p:

Changes between 1.1.1o and 1.1.1p [21 Jun 2022]

 *) In addition to the c_rehash shell command injection identified in
    CVE-2022-1292, further bugs where the c_rehash script does not
    properly sanitise shell metacharacters to prevent command injection have
    been fixed.

    When CVE-2022-1292 was fixed it was not discovered that there
    are other places in the script where the file names of certificates
    being hashed were possibly passed to a command executed through the shell.

    This script is distributed by some operating systems in a manner where
    it is automatically executed. On such operating systems, an attacker
    could execute arbitrary commands with the privileges of the script.

    Use of the c_rehash script is considered obsolete and should be replaced
    by the OpenSSL rehash command line tool.
    (CVE-2022-2068)
    [Daniel Fiala, Tomáš Mráz]

 *) When the OpenSSL TLS client is connecting without any supported elliptic
    curves and the TLS-1.3 protocol is disabled, the connection will no longer
    fail if a ciphersuite that does not use a key exchange based on elliptic
    curves can be negotiated.
    [Tomáš Mráz]
Changes between 1.1.1n and 1.1.1o [3 May 2022]

Present in both versions; the 1.1.1p side only re-wraps the lines, with no change of wording. Shown once:

 *) Fixed a bug in the c_rehash script which was not properly sanitising shell
    metacharacters to prevent command injection. This script is distributed
    by some operating systems in a manner where it is automatically executed.
    On such operating systems, an attacker could execute arbitrary commands
    with the privileges of the script.

    Use of the c_rehash script is considered obsolete and should be replaced
    by the OpenSSL rehash command line tool.
    (CVE-2022-1292)
    [Tomáš Mráz]
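What "not properly sanitising shell metacharacters" means in practice, as an added example covering both this CVE-2022-1292 entry and the CVE-2022-2068 entry above. This is illustrative code, not the c_rehash script or anything from the OpenSSL project: a file name taken from the certificate directory is handed to a command that a shell parses. `cat` is an assumed stand-in for the openssl invocation c_rehash makes, chosen so the demo runs anywhere with /bin/sh, and the two file names are constructed. On a system that runs the script automatically, the attacker's `echo` would be any command, executed with the script's privileges. The argv form at the end is the shape of the fix, and is also why the native `openssl rehash` tool, which never spawns a shell, is the recommended replacement.

```python
"""Shell command injection through certificate file names, and the fix.

Added example, not c_rehash itself. Each runner hands a file name from a
certificate directory to `cat` (assumed stand-in for `openssl x509`); the
question is whether the attacker's trailing `echo INJECTED` gets executed.
Only stdout is inspected: cat's own error messages (which repeat the file
name) go to stderr, so "INJECTED" on stdout means the injected command ran.
"""
import os
import subprocess
import tempfile

# Constructed attacker-controlled file names. Whoever can drop a file into the
# directory being rehashed picks these; both are legal POSIX file names.
INJECT_UNQUOTED = "cert.pem; echo INJECTED"           # breaks bare interpolation
INJECT_QUOTED = "cert.pem'; echo INJECTED; echo '"    # breaks single-quote wrapping

MARKER = "INJECTED"


def run_interpolated(path):
    """Vulnerable: the file name is pasted straight into a /bin/sh command line."""
    proc = subprocess.run("cat " + path, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def run_single_quoted(path):
    """Still vulnerable: wrapping in single quotes without sanitising the name.
    A quote inside the name closes the string; the rest is parsed as commands."""
    proc = subprocess.run("cat '" + path + "'", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def run_argv(path):
    """Fixed: no shell at all. The name is one argv element whatever bytes it holds."""
    proc = subprocess.run(["cat", path], capture_output=True, text=True)
    return proc.stdout


def injected(stdout):
    """True if the attacker's command produced output, i.e. it was executed."""
    return MARKER in stdout


def demo():
    """Return {(runner name, file name): attacker command ran?} for every combination."""
    results = {}
    with tempfile.TemporaryDirectory() as certdir:
        for name in (INJECT_UNQUOTED, INJECT_QUOTED):
            path = os.path.join(certdir, name)
            with open(path, "w") as fh:
                # Constructed placeholder content; not a real certificate and
                # deliberately free of the marker string.
                fh.write("-----BEGIN CERTIFICATE-----\n")
            for runner in (run_interpolated, run_single_quoted, run_argv):
                results[(runner.__name__, name)] = injected(runner(path))
    return results


if __name__ == "__main__":
    for (runner, name), ran in sorted(demo().items()):
        print(f"{runner:18s} {name!r:40s} injected={ran}")
```

Each shell-based runner is defeated by one of the two names (bare interpolation by the `;` name, quote-wrapping by the `'` name), and a real attacker simply picks the payload matching the script's quoting, which is what made the first fix for CVE-2022-1292 incomplete. The argv runner is immune to both because the string never reaches a shell parser.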
Changes between 1.1.1m and 1.1.1n [15 Mar 2022]

Unchanged context, identical in both versions:

 *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
    for non-prime moduli.

    Internally this function is used when parsing certificates that contain
    elliptic curve public keys in compressed form or explicit elliptic curve
    parameters with a base point encoded in compressed form.
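The loop-forever condition is a property of the Tonelli-Shanks algorithm that BN_mod_sqrt() implements: its termination argument holds only for a prime modulus, and with explicit EC parameters the modulus comes straight from the certificate being parsed. The following added example is my own code, not OpenSSL's BN_mod_sqrt() and not its actual bug; it shows the guards such an implementation needs, a primality test before entering the algorithm and a bound on every search loop, so a composite modulus produces an error rather than a hang. The inputs are constructed: 17, 41 and 7 (prime), 9 (composite) and 8, a value that passes Euler's criterion modulo 9 although it is not a square there. The trial bound of 64 is an assumption.

```python
"""Tonelli-Shanks modular square root with the guards a hostile modulus needs.

Added illustration (not OpenSSL code). For a prime p the non-residue search
below ends after about two tries and the inner loop always finds i < m. For
a composite modulus neither is guaranteed: with p = 9 no z satisfies
z^((p-1)/2) == -1, so the unbounded search would never return.
"""
from typing import Optional

# Assumed bound. Exhausting it on a genuine prime is astronomically unlikely,
# so reaching it means the modulus is not prime.
MAX_NONRESIDUE_TRIALS = 64


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with the first twelve prime bases (deterministic below ~3.3e24)."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for sp in small:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def mod_sqrt(a: int, p: int, check_prime: bool = True) -> Optional[int]:
    """Return r with r*r == a (mod p), or None if a is a quadratic non-residue.

    Raises ValueError instead of looping when p turns out not to be prime.
    """
    if check_prime and not is_probable_prime(p):
        raise ValueError("modulus is not prime")
    a %= p
    if a == 0:
        return 0
    # Euler's criterion. Only meaningful for prime p: a composite modulus can
    # pass it for a non-square (8 mod 9 does), so the loops below stay bounded.
    if pow(a, (p - 1) // 2, p) != 1:
        return None
    q, s = p - 1, 0                      # p - 1 == q * 2**s with q odd
    while q % 2 == 0:
        q //= 2
        s += 1
    if s == 1:                           # p == 3 (mod 4): closed form
        return pow(a, (p + 1) // 4, p)
    # Find a quadratic non-residue z. Unbounded, this never ends for p = 9.
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
        if z - 2 >= MAX_NONRESIDUE_TRIALS:
            raise ValueError("no quadratic non-residue found: modulus is probably composite")
    c = pow(z, q, p)
    x = pow(a, (q + 1) // 2, p)
    t = pow(a, q, p)
    m = s
    while t != 1:
        # Smallest i with t^(2^i) == 1. For a prime modulus i < m always holds;
        # hitting m is the "loop forever" condition turned into an error.
        i, tt = 0, t
        while tt != 1:
            tt = tt * tt % p
            i += 1
            if i == m:
                raise ValueError("order invariant violated: modulus is probably composite")
        b = pow(c, 1 << (m - i - 1), p)
        x = x * b % p
        t = t * b * b % p
        c = b * b % p
        m = i
    return x


def try_mod_sqrt(a: int, p: int, check_prime: bool = True):
    """Wrapper for callers that want a status instead of an exception."""
    try:
        r = mod_sqrt(a, p, check_prime)
    except ValueError as exc:
        return ("error", str(exc))
    return ("root", r) if r is not None else ("non-residue", None)


if __name__ == "__main__":
    for a, p in ((2, 17), (2, 41), (2, 7), (3, 7), (8, 9)):
        print(a, p, try_mod_sqrt(a, p), try_mod_sqrt(a, p, check_prime=False))
```

Running the main block shows 8 mod 9 rejected twice: once by the primality test, and, with that test switched off, by the bounded non-residue search. Both guards are cheap next to the cost of parsing a certificate, and the second one is what keeps a parser alive if the first is ever bypassed.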
End of changes. 2 change blocks. 10 lines changed or deleted, 36 lines changed or added.
