From: Matt Caswell Date: Thu, 23 Mar 2023 15:31:25 +0000 (+0000) Subject: Updated CHANGES and NEWS for CVE-2023-0465 X-Git-Tag: OpenSSL_1_1_1u~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8bc232b14624b7af01801d7940b7dec59b3ae47d;p=thirdparty%2Fopenssl.git Updated CHANGES and NEWS for CVE-2023-0465 Also updated the entries for CVE-2023-0464 Related-to: CVE-2023-0465 Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/20588) --- diff --git a/CHANGES b/CHANGES index 17caf6775bf..efccf7838e6 100644 --- a/CHANGES +++ b/CHANGES @@ -9,12 +9,19 @@ Changes between 1.1.1t and 1.1.1u [xx XXX xxxx] + *) Fixed an issue where invalid certificate policies in leaf certificates are + silently ignored by OpenSSL and other certificate policy checks are skipped + for that certificate. A malicious CA could use this to deliberately assert + invalid certificate policies in order to circumvent policy checking on the + certificate altogether. (CVE-2023-0465) + [Matt Caswell] + *) Limited the number of nodes created in a policy tree to mitigate against CVE-2023-0464. The default limit is set to 1000 nodes, which should be sufficient for most installations. If required, the limit can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build time define to a desired maximum number of nodes or zero to allow - unlimited growth. + unlimited growth. (CVE-2023-0464) [Paul Dale] Changes between 1.1.1s and 1.1.1t [7 Feb 2023] diff --git a/NEWS b/NEWS index 8a18516d860..36a9bb6890b 100644 --- a/NEWS +++ b/NEWS @@ -7,7 +7,9 @@ Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [under development] - o + o Fixed handling of invalid certificate policies in leaf certificates + (CVE-2023-0465) + o Limited the number of nodes created in a policy tree ([CVE-2023-0464]) Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]
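Review bot: In the CHANGES hunk, the new CVE-2023-0465 entry explains the problem (invalid policies in leaf certificates silently ignored, other policy checks skipped) but not what the fixed behaviour is; a reader of the release notes cannot tell from "Fixed an issue where ..." whether such a certificate now fails verification or whether the invalid policies are merely no longer skipped. Consider adding one sentence stating the new behaviour, and keep the "(CVE-2023-0465)" reference at the end of the entry in the same form as the "(CVE-2023-0464)" reference added to the following entry, which this hunk does consistently.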
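Review bot: In the NEWS hunk, the two new entries cite their CVEs in different forms: "(CVE-2023-0465)" versus "([CVE-2023-0464])". The square brackets are a markup convention that does not appear elsewhere in this plain-text NEWS file or in the CHANGES hunk, so the second line should read "(CVE-2023-0464)" to match. Removing the empty placeholder line "o" is correct now that real entries exist.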