Changes between 1.1.1o and 1.1.1p [xx XXX xxxx]
+ *) In addition to the c_rehash shell command injection identified in
+ CVE-2022-1292, further bugs where the c_rehash script does not
+ properly sanitise shell metacharacters to prevent command injection have been
+ fixed.
+
+ When the CVE-2022-1292 was fixed it was not discovered that there
+ are other places in the script where the file names of certificates
+ being hashed were possibly passed to a command executed through the shell.
+
+ This script is distributed by some operating systems in a manner where
+ it is automatically executed. On such operating systems, an attacker
+ could execute arbitrary commands with the privileges of the script.
+
+ Use of the c_rehash script is considered obsolete and should be replaced
+ by the OpenSSL rehash command line tool.
+ (CVE-2022-2068)
+ [Daniel Fiala, Tomáš Mráz]
+
*) When OpenSSL TLS client is connecting without any supported elliptic
curves and TLS-1.3 protocol is disabled the connection will no longer fail
if a ciphersuite that does not use a key exchange based on elliptic
Major changes between OpenSSL 1.1.1o and OpenSSL 1.1.1p [under development]
- o
+ o Fixed additional bugs in the c_rehash script which was not properly
+ sanitising shell metacharacters to prevent command injection
+ (CVE-2022-2068)
Major changes between OpenSSL 1.1.1n and OpenSSL 1.1.1o [3 May 2022]