mirror of
https://github.com/openssl/openssl.git
synced 2024-11-23 18:13:39 +08:00
Update CHANGES.md and NEWS.md from 3.0.7
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19565)
This commit is contained in:
parent
858b5d12b8
commit
e0fbaf2a4a
64
CHANGES.md
64
CHANGES.md
@ -24,16 +24,6 @@ OpenSSL 3.2
|
||||
|
||||
### Changes between 3.0 and 3.2 [xx XXX xxxx]
|
||||
|
||||
* Removed all references to invalid OSSL_PKEY_PARAM_RSA names for CRT parameters
|
||||
in OpenSSL code.
|
||||
Applications should not use the names OSSL_PKEY_PARAM_RSA_FACTOR,
|
||||
OSSL_PKEY_PARAM_RSA_EXPONENT and OSSL_PKEY_PARAM_RSA_COEFFICIENT.
|
||||
Use the numbered names such as OSSL_PKEY_PARAM_RSA_FACTOR1 instead.
|
||||
Using these invalid names may cause algorithms to use slower methods
|
||||
that ignore the CRT parameters.
|
||||
|
||||
*Shane Lontis*
|
||||
|
||||
* Add support for certificate compression (RFC8879), including
|
||||
library support for Brotli and Zstandard compression.
|
||||
|
||||
@ -246,12 +236,64 @@ breaking changes, and mappings for the large list of deprecated functions.
|
||||
|
||||
[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
|
||||
|
||||
### Changes between 3.0.6 and 3.0.7 [xx XXX xxxx]
|
||||
### Changes between 3.0.6 and 3.0.7 [1 Nov 2022]
|
||||
|
||||
* Fixed two buffer overflows in punycode decoding functions.
|
||||
|
||||
A buffer overrun can be triggered in X.509 certificate verification,
|
||||
specifically in name constraint checking. Note that this occurs after
|
||||
certificate chain signature verification and requires either a CA to
|
||||
have signed the malicious certificate or for the application to continue
|
||||
certificate verification despite failure to construct a path to a trusted
|
||||
issuer.
|
||||
|
||||
In a TLS client, this can be triggered by connecting to a malicious
|
||||
server. In a TLS server, this can be triggered if the server requests
|
||||
client authentication and a malicious client connects.
|
||||
|
||||
An attacker can craft a malicious email address to overflow
|
||||
an arbitrary number of bytes containing the `.` character (decimal 46)
|
||||
on the stack. This buffer overflow could result in a crash (causing a
|
||||
denial of service).
|
||||
([CVE-2022-3786])
|
||||
|
||||
An attacker can craft a malicious email address to overflow four
|
||||
attacker-controlled bytes on the stack. This buffer overflow could
|
||||
result in a crash (causing a denial of service) or potentially remote code
|
||||
execution depending on stack layout for any given platform/compiler.
|
||||
([CVE-2022-3602])
|
||||
|
||||
*Paul Dale*
|
||||
|
||||
* Removed all references to invalid OSSL_PKEY_PARAM_RSA names for CRT
|
||||
parameters in OpenSSL code.
|
||||
Applications should not use the names OSSL_PKEY_PARAM_RSA_FACTOR,
|
||||
OSSL_PKEY_PARAM_RSA_EXPONENT and OSSL_PKEY_PARAM_RSA_COEFFICIENT.
|
||||
Use the numbered names such as OSSL_PKEY_PARAM_RSA_FACTOR1 instead.
|
||||
Using these invalid names may cause algorithms to use slower methods
|
||||
that ignore the CRT parameters.
|
||||
|
||||
*Shane Lontis*
|
||||
|
||||
* Fixed a regression introduced in 3.0.6 version raising errors on some stack
|
||||
operations.
|
||||
|
||||
*Tomáš Mráz*
|
||||
|
||||
* Fixed a regression introduced in 3.0.6 version not refreshing the certificate
|
||||
data to be signed before signing the certificate.
|
||||
|
||||
*Gibeom Gwon*
|
||||
|
||||
* Added RIPEMD160 to the default provider.
|
||||
|
||||
*Paul Dale*
|
||||
|
||||
* Ensured that the key share group sent or accepted for the key exchange
|
||||
is allowed for the protocol version.
|
||||
|
||||
*Matt Caswell*
|
||||
|
||||
### Changes between 3.0.5 and 3.0.6 [11 Oct 2022]
|
||||
|
||||
* OpenSSL supports creating a custom cipher via the legacy
|
||||
|
7
NEWS.md
7
NEWS.md
@ -32,6 +32,13 @@ OpenSSL 3.2
|
||||
OpenSSL 3.0
|
||||
-----------
|
||||
|
||||
### Major changes between OpenSSL 3.0.6 and OpenSSL 3.0.7 [1 Nov 2022]
|
||||
|
||||
* Added RIPEMD160 to the default provider.
|
||||
* Fixed regressions introduced in 3.0.6 version.
|
||||
* Fixed two buffer overflows in punycode decoding functions.
|
||||
([CVE-2022-3786]) and ([CVE-2022-3602])
|
||||
|
||||
### Major changes between OpenSSL 3.0.5 and OpenSSL 3.0.6 [11 Oct 2022]
|
||||
|
||||
* Fix for custom ciphers to prevent accidental use of NULL encryption
|
||||
|
Loading…
Reference in New Issue
Block a user