Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
Changes between 1.1.1n and 1.1.1o [xx XXX xxxx]
- *)
+ *) Fixed a bug in the c_rehash script which was not properly sanitising shell
+ metacharacters to prevent command injection. This script is distributed by
+ some operating systems in a manner where it is automatically executed. On
+ such operating systems, an attacker could execute arbitrary commands with the
+ privileges of the script.
+
+ Use of the c_rehash script is considered obsolete and should be replaced
+ by the OpenSSL rehash command line tool.
+ (CVE-2022-1292)
+ [Tomáš Mráz]
Changes between 1.1.1m and 1.1.1n [15 Mar 2022]
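Review bot: The new CHANGES entry states the impact ("an attacker could execute arbitrary commands with the privileges of the script") but never says which input to c_rehash carries the shell metacharacters, so a reader cannot judge exposure from this text alone. Suggest naming the untrusted input in the first sentence. In the obsolescence paragraph, giving the replacement as the literal invocation (`openssl rehash`) would tell operators exactly what to switch to on systems where the script is executed automatically.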
Major changes between OpenSSL 1.1.1n and OpenSSL 1.1.1o [under development]
- o
+ o Fixed a bug in the c_rehash script which was not properly sanitising
+ shell metacharacters to prevent command injection (CVE-2022-1292)
Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022]
o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop
- forever for non-prime moduli ([CVE-2022-0778])
+ forever for non-prime moduli (CVE-2022-0778)
Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021]
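Review bot: The last change in this NEWS hunk, dropping the square brackets around CVE-2022-0778 in the 1.1.1n section, edits an already released entry and is unrelated to the c_rehash fix; it belongs in a separate commit or should at least be mentioned in the commit message. The new 1.1.1o item also leaves out the point made in CHANGES that c_rehash is considered obsolete and should be replaced by the rehash command line tool; a short clause to that effect would keep the two files consistent.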