Skip to content

OpenSSL 3.0.4
Compare
Choose a tag to compare
@philyuchkoff philyuchkoff released this 27 Jun 07:48
· 84 commits to master since this release
3.0.4
f3e52fb
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

Changes between 3.0.3 and 3.0.4 [21 Jun 2022]

  • In addition to the c_rehash shell command injection identified in
    CVE-2022-1292, further bugs where the c_rehash script does not
    properly sanitise shell metacharacters to prevent command injection have been
    fixed.

    When the CVE-2022-1292 was fixed it was not discovered that there
    are other places in the script where the file names of certificates
    being hashed were possibly passed to a command executed through the shell.

    This script is distributed by some operating systems in a manner where
    it is automatically executed. On such operating systems, an attacker
    could execute arbitrary commands with the privileges of the script.

    Use of the c_rehash script is considered obsolete and should be replaced
    by the OpenSSL rehash command line tool.
    (CVE-2022-2068)

    Daniel Fiala, Tomáš Mráz

  • Case insensitive string comparison no longer uses locales. It has instead
    been directly implemented.

    Paul Dale

Assets 3
Loading