Home Explore Help
Register Sign In
OWEALs
/
openssl
mirror of git://git.openssl.org/openssl.git
2
0
Fork 1
Files Issues 1 Wiki
Browse Source

Update CHANGES.md and NEWS.md for new release

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Release: yes
Matt Caswell 1 year ago
parent
87eee75010
commit
de85a9de3f
2 changed files with 31 additions and 6 deletions
Split View Show Diff Stats
  1. 24 5
      CHANGES.md
  2. 7 1
      NEWS.md

+ 24 - 5
CHANGES.md
View File 

@@ -122,14 +122,33 @@ breaking changes, and mappings for the large list of deprecated functions.
 
 
 [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
 
 
-### Changes between 3.0.3 and 3.0.4
 
+### Changes between 3.0.3 and 3.0.4 [21 June 2022]
 
+
 
+ * In addition to the c_rehash shell command injection identified in
 
+   CVE-2022-1292, further bugs where the c_rehash script does not
 
+   properly sanitise shell metacharacters to prevent command injection have been
 
+   fixed.
 
+
 
+   When the CVE-2022-1292 was fixed it was not discovered that there
 
+   are other places in the script where the file names of certificates
 
+   being hashed were possibly passed to a command executed through the shell.
 
+
 
+   This script is distributed by some operating systems in a manner where
 
+   it is automatically executed.  On such operating systems, an attacker
 
+   could execute arbitrary commands with the privileges of the script.
 
+
 
+   Use of the c_rehash script is considered obsolete and should be replaced
 
+   by the OpenSSL rehash command line tool.
 
+   (CVE-2022-2068)
 
+
 
+   *Daniel Fiala, Tomáš Mráz*
 
 
  * Case insensitive string comparison no longer uses locales.  It has instead
 
    been directly implemented.
 
 
    *Paul Dale*
 
 
-### Changes between 3.0.2 and 3.0.3
 
+### Changes between 3.0.2 and 3.0.3 [3 May 2022]
 
 
  * Case insensitive string comparison is reimplemented via new locale-agnostic
 
    comparison functions OPENSSL_str[n]casecmp always using the POSIX locale for
 
@@ -244,7 +263,7 @@ breaking changes, and mappings for the large list of deprecated functions.
 
 
    *Hugo Landau*
 
 
-### Changes between 3.0.1 and 3.0.2 [15 mar 2022]
 
+### Changes between 3.0.1 and 3.0.2 [15 Mar 2022]
 
 
  * Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
 
    for non-prime moduli.
 
@@ -300,7 +319,7 @@ breaking changes, and mappings for the large list of deprecated functions.
 
 
    *Tomáš Mráz*
 
 
-### Changes between 3.0.0 and 3.0.1 [14 dec 2021]
 
+### Changes between 3.0.0 and 3.0.1 [14 Dec 2021]
 
 
  * Fixed invalid handling of X509_verify_cert() internal errors in libssl
 
    Internally libssl in OpenSSL calls X509_verify_cert() on the client side to
 
@@ -374,7 +393,7 @@ breaking changes, and mappings for the large list of deprecated functions.
 
 
    *Richard Levitte*
 
 
-### Changes between 1.1.1 and 3.0.0 [7 sep 2021]
 
+### Changes between 1.1.1 and 3.0.0 [7 Sep 2021]
 
 
  * TLS_MAX_VERSION, DTLS_MAX_VERSION and DTLS_MIN_VERSION constants are now
 
    deprecated.

+ 7 - 1
NEWS.md
View File 

@@ -30,7 +30,13 @@ OpenSSL 3.1
 
 OpenSSL 3.0
 
 -----------
 
 
-### Major changes between OpenSSL 3.0.2 and OpenSSL 3.0.3
 
+### Major changes between OpenSSL 3.0.3 and OpenSSL 3.0.4 [21 Jun 2022]
 
+
 
+  * Fixed additional bugs in the c_rehash script which was not properly
 
+    sanitising shell metacharacters to prevent command injection
 
+    ([CVE-2022-2068])
 
+
 
+### Major changes between OpenSSL 3.0.2 and OpenSSL 3.0.3 [3 May 2022]
 
 
   * Fixed a bug in the c_rehash script which was not properly sanitising shell
 
     metacharacters to prevent command injection ([CVE-2022-1292])