From 58d24ad926e3ccb30be9254cd1c7acbfac35a568 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 26 Apr 2022 14:39:34 +0100 Subject: [PATCH] Update CHANGES and NEWS for new release Reviewed-by: Tomas Mraz Release: yes --- CHANGES | 11 ++++++++++- NEWS | 5 +++-- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 351465701b6..1c521ce3852 100644 --- a/CHANGES +++ b/CHANGES @@ -9,7 +9,16 @@ Changes between 1.1.1n and 1.1.1o [xx XXX xxxx] - *) + *) Fixed a bug in the c_rehash script which was not properly sanitising shell + metacharacters to prevent command injection. This script is distributed by + some operating systems in a manner where it is automatically executed. On + such operating systems, an attacker could execute arbitrary commands with the + privileges of the script. + + Use of the c_rehash script is considered obsolete and should be replaced + by the OpenSSL rehash command line tool. + (CVE-2022-1292) + [Tomáš Mráz] Changes between 1.1.1m and 1.1.1n [15 Mar 2022] diff --git a/NEWS b/NEWS index 8eb993087ed..7d6bec7ba90 100644 --- a/NEWS +++ b/NEWS @@ -7,12 +7,13 @@ Major changes between OpenSSL 1.1.1n and OpenSSL 1.1.1o [under development] - o + o Fixed a bug in the c_rehash script which was not properly sanitising + shell metacharacters to prevent command injection (CVE-2022-1292) Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022] o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop - forever for non-prime moduli ([CVE-2022-0778]) + forever for non-prime moduli (CVE-2022-0778) Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021] -- 2.47.2