Changes between 1.1.1t and 1.1.1u [xx XXX xxxx]
+ *) Fixed an issue where invalid certificate policies in leaf certificates are
+ silently ignored by OpenSSL and other certificate policy checks are skipped
+ for that certificate. A malicious CA could use this to deliberately assert
+ invalid certificate policies in order to circumvent policy checking on the
+ certificate altogether. (CVE-2023-0465)
+ [Matt Caswell]
+
*) Limited the number of nodes created in a policy tree to mitigate
against CVE-2023-0464. The default limit is set to 1000 nodes, which
should be sufficient for most installations. If required, the limit
can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
time define to a desired maximum number of nodes or zero to allow
- unlimited growth.
+ unlimited growth. (CVE-2023-0464)
[Paul Dale]
Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [under development]
- o
+ o Fixed handling of invalid certificate policies in leaf certificates
+ (CVE-2023-0465)
+ o Limited the number of nodes created in a policy tree ([CVE-2023-0464])
Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]