diff options
author | Andre Heider <a.heider@gmail.com> | 2022-06-23 09:08:07 +0200 |
---|---|---|
committer | Hauke Mehrtens <hauke@hauke-m.de> | 2022-07-04 23:40:43 +0200 |
commit | 5c7aed8b1e7336686860479cc6f0716ca6bf7016 (patch) | |
tree | 8884fb99c743ed6326a7b5868d79dc73ad1eb666 /LICENSES | |
parent | 6b78bf1fd8038d6dbbfc3adf382ea3dca9485ff6 (diff) | |
download | upstream-5c7aed8b1e7336686860479cc6f0716ca6bf7016.tar.gz upstream-5c7aed8b1e7336686860479cc6f0716ca6bf7016.tar.bz2 upstream-5c7aed8b1e7336686860479cc6f0716ca6bf7016.zip |
openssl: bump to 1.1.1p
Changes between 1.1.1o and 1.1.1p [21 Jun 2022]
*) In addition to the c_rehash shell command injection identified in
CVE-2022-1292, further bugs where the c_rehash script does not
properly sanitise shell metacharacters to prevent command injection have been
fixed.
When the CVE-2022-1292 was fixed it was not discovered that there
are other places in the script where the file names of certificates
being hashed were possibly passed to a command executed through the shell.
This script is distributed by some operating systems in a manner where
it is automatically executed. On such operating systems, an attacker
could execute arbitrary commands with the privileges of the script.
Use of the c_rehash script is considered obsolete and should be replaced
by the OpenSSL rehash command line tool.
(CVE-2022-2068)
[Daniel Fiala, Tomáš Mráz]
*) When OpenSSL TLS client is connecting without any supported elliptic
curves and TLS-1.3 protocol is disabled the connection will no longer fail
if a ciphersuite that does not use a key exchange based on elliptic
curves can be negotiated.
[Tomáš Mráz]
Signed-off-by: Andre Heider <a.heider@gmail.com>
(cherry picked from commit eb7d2abbf06f0a3fe700df5dc6b57ee90016f1f1)
Diffstat (limited to 'LICENSES')
0 files changed, 0 insertions, 0 deletions