From 707bd969ffcaaec36c70ea4012f7c45de6f6460e Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 26 Jan 2026 14:51:49 +0100 Subject: [PATCH] Add CHANGES and NEWS entries for the Jan 2026 security issue fixes MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Reviewed-by: Saša Nedvědický Reviewed-by: Neil Horman MergeDate: Mon Jan 26 20:05:46 2026 --- CHANGES.md | 154 +++++++++++++++++++++++++++++++++++++++++++++++++++++ NEWS.md | 40 +++++++++++++- 2 files changed, 193 insertions(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index 8b740f3dc6c..4e84662f9e7 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -30,6 +30,152 @@ breaking changes, and mappings for the large list of deprecated functions. ### Changes between 3.0.18 and 3.0.19 [xx XXX xxxx] + * Fixed Stack buffer overflow in CMS `AuthEnvelopedData` parsing. + + Severity: High + + Issue summary: Parsing CMS `AuthEnvelopedData` message with maliciously + crafted AEAD parameters can trigger a stack buffer overflow. + + Impact summary: A stack buffer overflow may lead to a crash, causing Denial + of Service, or potentially remote code execution. + + Reported by: Stanislav Fort (Aisle Research) + + ([CVE-2025-15467]) + + *Igor Ustinov* + + * Fixed Heap out-of-bounds write in `BIO_f_linebuffer` on short writes. + + Severity: Low + + Issue summary: Writing large, newline-free data into a BIO chain using the + line-buffering filter where the next BIO performs short writes can trigger + a heap-based out-of-bounds write. + + Impact summary: This out-of-bounds write can cause memory corruption + which typically results in a crash, leading to Denial of Service for + an application. + + Reported by: Petr Simecek (Aisle Research) and Stanislav Fort (Aisle + Research) + + ([CVE-2025-68160]) + + *Stanislav Fort and Neil Horman* + + * Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB + function calls. + + Severity: Low + + Issue summary: When using the low-level OCB API directly with AES-NI or + other hardware-accelerated code paths, inputs whose length is not a multiple + of 16 bytes can leave the final partial block unencrypted and + unauthenticated. + + Impact summary: The trailing 1-15 bytes of a message may be exposed in + cleartext on encryption and are not covered by the authentication tag, + allowing an attacker to read or tamper with those bytes without detection. + + Reported by: Stanislav Fort (Aisle Research) + + ([CVE-2025-69418]) + + *Stanislav Fort* + + * Fixed Out of bounds write in `PKCS12_get_friendlyname()` UTF-8 conversion. 
+ + Severity: Low + + Issue summary: Calling `PKCS12_get_friendlyname()` function on a maliciously + crafted PKCS#12 file with a `BMPString` (UTF-16BE) friendly name containing + non-ASCII BMP code point can trigger a one byte write before the allocated + buffer. + + Impact summary: The out-of-bounds write can cause a memory corruption + which can have various consequences including a Denial of Service. + + Reported by: Stanislav Fort (Aisle Research) + + ([CVE-2025-69419]) + + *Norbert Pócs* + + * Fixed Missing `ASN1_TYPE` validation in `TS_RESP_verify_response()` function. + + Severity: Low + + Issue summary: A type confusion vulnerability exists in the TimeStamp + Response verification code where an `ASN1_TYPE` union member is accessed + without first validating the type, causing an invalid or NULL pointer + dereference when processing a malformed `TimeStamp` Response file. + + Impact summary: An application calling `TS_RESP_verify_response()` + with a malformed TimeStamp Response can be caused to dereference an invalid + or NULL pointer when reading, resulting in a Denial of Service. + + Reported by: Luigino Camastra (Aisle Research) + + ([CVE-2025-69420]) + + *Bob Beck* + + * Fixed NULL Pointer Dereference in `PKCS12_item_decrypt_d2i_ex()` function. + + Severity: Low + + Issue summary: Processing a malformed PKCS#12 file can trigger a NULL + pointer dereference in the `PKCS12_item_decrypt_d2i_ex()` function. + + Impact summary: A NULL pointer dereference can trigger a crash which leads + to Denial of Service for an application processing PKCS#12 files. + + Reported by: Luigino Camastra (Aisle Research) + + ([CVE-2025-69421]) + + *Luigino Camastra* + + * Fixed Missing `ASN1_TYPE` validation in PKCS#12 parsing. + + Severity: Low + + Issue summary: An invalid or NULL pointer dereference can happen in + an application processing a malformed PKCS#12 file. 
+ + Impact summary: An application processing a malformed PKCS#12 file can be + caused to dereference an invalid or NULL pointer on memory read, resulting + in a Denial of Service. + + Reported by: Luigino Camastra (Aisle Research) + + ([CVE-2026-22795]) + + *Bob Beck* + + * Fixed `ASN1_TYPE` Type Confusion in the `PKCS7_digest_from_attributes()` + function. + + Severity: Low + + Issue summary: A type confusion vulnerability exists in the signature + verification of signed PKCS#7 data where an `ASN1_TYPE` union member + is accessed without first validating the type, causing an invalid or NULL + pointer dereference when processing malformed PKCS#7 data. + + Impact summary: An application performing signature verification of PKCS#7 + data or calling directly the `PKCS7_digest_from_attributes()` function can be + caused to dereference an invalid or NULL pointer when reading, resulting in + a Denial of Service. + + Reported by: Luigino Camastra (Aisle Research) + + ([CVE-2026-22796]) + + *Bob Beck* + * Fixed incorrect acceptance of some malformed ECDSA signatures on s390x. 
@@ -20060,6 +20206,14 @@ ndif +[CVE-2026-22796]: https://www.openssl.org/news/vulnerabilities.html#CVE-2026-22796 +[CVE-2026-22795]: https://www.openssl.org/news/vulnerabilities.html#CVE-2026-22795 +[CVE-2025-69421]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69421 +[CVE-2025-69420]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69420 +[CVE-2025-69419]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69419 +[CVE-2025-69418]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69418 +[CVE-2025-68160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-68160 +[CVE-2025-15467]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-15467 [CVE-2025-9232]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9232 [CVE-2025-9230]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9230 [CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176 diff --git a/NEWS.md b/NEWS.md index 7b0d9782fa7..3b2b437b022 100644 --- a/NEWS.md +++ b/NEWS.md 
@@ -20,7 +20,37 @@ OpenSSL 3.0 ### Major changes between OpenSSL 3.0.18 and OpenSSL 3.0.19 [under development] - * none +OpenSSL 3.0.19 is a security patch release. The most severe CVE fixed in this +release is High. + +This release incorporates the following bug fixes and mitigations: + + * Fixed Stack buffer overflow in CMS `AuthEnvelopedData` parsing. + ([CVE-2025-15467]) + + * Fixed Heap out-of-bounds write in `BIO_f_linebuffer` on short writes. + ([CVE-2025-68160]) + + * Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB + function calls. + ([CVE-2025-69418]) + + * Fixed Out of bounds write in `PKCS12_get_friendlyname()` UTF-8 conversion. + ([CVE-2025-69419]) + + * Fixed Missing `ASN1_TYPE` validation in `TS_RESP_verify_response()` + function. + ([CVE-2025-69420]) + + * Fixed NULL Pointer Dereference in `PKCS12_item_decrypt_d2i_ex()` function. + ([CVE-2025-69421]) + + * Fixed Missing `ASN1_TYPE` validation in PKCS#12 parsing. + ([CVE-2026-22795]) + + * Fixed `ASN1_TYPE` Type Confusion in the `PKCS7_digest_from_attributes()` + function. + ([CVE-2026-22796]) ### Major changes between OpenSSL 3.0.17 and OpenSSL 3.0.18 [30 Sep 2025] 
@@ -1535,6 +1565,14 @@ OpenSSL 0.9.x * Support for various new platforms +[CVE-2026-22796]: https://www.openssl.org/news/vulnerabilities.html#CVE-2026-22796 +[CVE-2026-22795]: https://www.openssl.org/news/vulnerabilities.html#CVE-2026-22795 +[CVE-2025-69421]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69421 +[CVE-2025-69420]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69420 +[CVE-2025-69419]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69419 +[CVE-2025-69418]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69418 +[CVE-2025-68160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-68160 +[CVE-2025-15467]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-15467 [CVE-2025-9232]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9232 [CVE-2025-9230]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9230 [CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176 -- 2.47.3
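Review bot: in the first CHANGES.md hunk (3.0.18 to 3.0.19), the CVE-2026-22795 entry "Fixed Missing `ASN1_TYPE` validation in PKCS#12 parsing" does not name the affected function or call path, unlike the other two PKCS#12 entries, which name `PKCS12_get_friendlyname()` and `PKCS12_item_decrypt_d2i_ex()`. Its issue summary also states only the effect ("An invalid or NULL pointer dereference can happen") and not the cause. Suggest naming the function(s) involved so a reader can tell whether their application reaches the code. The CVE-2025-69418 entry has the same gap: it refers to "the low-level OCB API" without listing the calls. Minor wording in the same hunk: "containing non-ASCII BMP code point" is missing an article, and the titles mix "Out of bounds write" with "out-of-bounds write".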
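Review bot: in the first NEWS.md hunk (the 3.0.19 section), the intro says "The most severe CVE fixed in this release is High", but none of the eight bullets that follow carries a severity, so a reader of NEWS.md alone cannot tell which fix that is. Going by the CHANGES.md entries in this same patch it is CVE-2025-15467 (CMS `AuthEnvelopedData`), with the other seven rated Low. Suggest marking the severity at least on that bullet, or listing the High item first with its severity stated, so the file supports patch prioritisation without cross-referencing CHANGES.md.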