Update CHANGES and NEWS for new release

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes

diff --git a/CHANGES b/CHANGES
index 122d97905736cf56057ec0a6baf2320a3748b090..bf1a6800ccc86389fd8973c71c41de61aaaeae2d 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,24 @@
 
  Changes between 1.1.1o and 1.1.1p [xx XXX xxxx]
 
+  *) In addition to the c_rehash shell command injection identified in
+     CVE-2022-1292, further bugs where the c_rehash script does not
+     properly sanitise shell metacharacters to prevent command injection have been
+     fixed.
+
+     When the CVE-2022-1292 was fixed it was not discovered that there
+     are other places in the script where the file names of certificates
+     being hashed were possibly passed to a command executed through the shell.
+
+     This script is distributed by some operating systems in a manner where
+     it is automatically executed.  On such operating systems, an attacker
+     could execute arbitrary commands with the privileges of the script.
+
+     Use of the c_rehash script is considered obsolete and should be replaced
+     by the OpenSSL rehash command line tool.
+     (CVE-2022-2068)
+     [Daniel Fiala, Tomáš Mráz]
+
   *) When OpenSSL TLS client is connecting without any supported elliptic
      curves and TLS-1.3 protocol is disabled the connection will no longer fail
      if a ciphersuite that does not use a key exchange based on elliptic

diff --git a/NEWS b/NEWS
index 31a0ccc9157ad4407daa2c585aacc1a017894a7c..39a9e84554c48fe321c1d09f169bee5b8b838315 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,9 @@
 
   Major changes between OpenSSL 1.1.1o and OpenSSL 1.1.1p [under development]
 
-      o
+      o Fixed additional bugs in the c_rehash script which was not properly
+        sanitising shell metacharacters to prevent command injection
+        (CVE-2022-2068)
 
   Major changes between OpenSSL 1.1.1n and OpenSSL 1.1.1o [3 May 2022]