|
@@ -122,14 +122,33 @@ breaking changes, and mappings for the large list of deprecated functions.
|
|
|
|
|
|
[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
|
|
|
|
|
|
-### Changes between 3.0.3 and 3.0.4
|
|
|
+### Changes between 3.0.3 and 3.0.4 [21 June 2022]
|
|
|
+
|
|
|
+ * In addition to the c_rehash shell command injection identified in
|
|
|
+ CVE-2022-1292, further bugs where the c_rehash script does not
|
|
|
+ properly sanitise shell metacharacters to prevent command injection have been
|
|
|
+ fixed.
|
|
|
+
|
|
|
+ When the CVE-2022-1292 was fixed it was not discovered that there
|
|
|
+ are other places in the script where the file names of certificates
|
|
|
+ being hashed were possibly passed to a command executed through the shell.
|
|
|
+
|
|
|
+ This script is distributed by some operating systems in a manner where
|
|
|
+ it is automatically executed. On such operating systems, an attacker
|
|
|
+ could execute arbitrary commands with the privileges of the script.
|
|
|
+
|
|
|
+ Use of the c_rehash script is considered obsolete and should be replaced
|
|
|
+ by the OpenSSL rehash command line tool.
|
|
|
+ (CVE-2022-2068)
|
|
|
+
|
|
|
+ *Daniel Fiala, Tomáš Mráz*
|
|
|
|
|
|
* Case insensitive string comparison no longer uses locales. It has instead
|
|
|
been directly implemented.
|
|
|
|
|
|
*Paul Dale*
|
|
|
|
|
|
-### Changes between 3.0.2 and 3.0.3
|
|
|
+### Changes between 3.0.2 and 3.0.3 [3 May 2022]
|
|
|
|
|
|
* Case insensitive string comparison is reimplemented via new locale-agnostic
|
|
|
comparison functions OPENSSL_str[n]casecmp always using the POSIX locale for
|
|
@@ -244,7 +263,7 @@ breaking changes, and mappings for the large list of deprecated functions.
|
|
|
|
|
|
*Hugo Landau*
|
|
|
|
|
|
-### Changes between 3.0.1 and 3.0.2 [15 mar 2022]
|
|
|
+### Changes between 3.0.1 and 3.0.2 [15 Mar 2022]
|
|
|
|
|
|
* Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
|
|
|
for non-prime moduli.
|
|
@@ -300,7 +319,7 @@ breaking changes, and mappings for the large list of deprecated functions.
|
|
|
|
|
|
*Tomáš Mráz*
|
|
|
|
|
|
-### Changes between 3.0.0 and 3.0.1 [14 dec 2021]
|
|
|
+### Changes between 3.0.0 and 3.0.1 [14 Dec 2021]
|
|
|
|
|
|
* Fixed invalid handling of X509_verify_cert() internal errors in libssl
|
|
|
Internally libssl in OpenSSL calls X509_verify_cert() on the client side to
|
|
@@ -374,7 +393,7 @@ breaking changes, and mappings for the large list of deprecated functions.
|
|
|
|
|
|
*Richard Levitte*
|
|
|
|
|
|
-### Changes between 1.1.1 and 3.0.0 [7 sep 2021]
|
|
|
+### Changes between 1.1.1 and 3.0.0 [7 Sep 2021]
|
|
|
|
|
|
* TLS_MAX_VERSION, DTLS_MAX_VERSION and DTLS_MIN_VERSION constants are now
|
|
|
deprecated.
|