Skip to content

Commit

Permalink
Update CHANGES.md and NEWS.md for new release
Browse files Browse the repository at this point in the history 
Release: yes
  • Loading branch information
@mattcaswell
mattcaswell committed Jan 29, 2024
1 parent 024731b commit fa2cbe8
Show file tree
Hide file tree
Showing 2 changed files with 23 additions and 0 deletions.
20 changes: 20 additions & 0 deletions CHANGES.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,25 @@ OpenSSL 3.1

### Changes between 3.1.4 and 3.1.5 [xx XXX xxxx]

* A file in PKCS12 format can contain certificates and keys and may come from
an untrusted source. The PKCS12 specification allows certain fields to be
NULL, but OpenSSL does not correctly check for this case. This can lead to a
NULL pointer dereference that results in OpenSSL crashing. If an application
processes PKCS12 files from an untrusted source using the OpenSSL APIs then
that application will be vulnerable to this issue.

OpenSSL APIs that are vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().

We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security
significant.

([CVE-2024-0727])

*Matt Caswell*

* When function EVP_PKEY_public_check() is called on RSA public keys,
a computation is done to confirm that the RSA modulus, n, is composite.
For valid RSA keys, n is a product of two or more large primes and this
Expand Down Expand Up @@ -19928,6 +19947,7 @@ ndif

<!-- Links -->

[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
[CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
Expand Down
3 changes: 3 additions & 0 deletions NEWS.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,8 @@ OpenSSL 3.1

### Major changes between OpenSSL 3.1.4 and OpenSSL 3.1.5 [under development]

* Fixed PKCS12 Decoding crashes
([CVE-2024-0727])
* Fixed Excessive time spent checking invalid RSA public keys
([CVE-2023-6237])
* Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC
Expand Down Expand Up @@ -1484,6 +1486,7 @@ OpenSSL 0.9.x

<!-- Links -->

[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
[CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
Expand Down

0 comments on commit fa2cbe8

Please sign in to comment.