OpenSSL Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL Security Advisory [21 June 2022]
========================================

The c_rehash script allows command injection (CVE-2022-2068)
============================================================

Severity: Moderate

In addition to the c_rehash shell command injection identified in
CVE-2022-1292, further circumstances where the c_rehash script does not
properly sanitise shell metacharacters to prevent command injection were found
by code review.

When CVE-2022-1292 was fixed it was not discovered that there are other
places in the script where the file names of certificates being hashed were
possibly passed to a command executed through the shell.

This script is distributed by some operating systems in a manner where it is
automatically executed. On such operating systems, an attacker could execute
arbitrary commands with the privileges of the script.

Use of the c_rehash script is considered obsolete and should be replaced by the
OpenSSL rehash command line tool.

This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.

OpenSSL 1.0.2 users should upgrade to 1.0.2zf (premium support customers only)
OpenSSL 1.1.1 users should upgrade to 1.1.1p
OpenSSL 3.0 users should upgrade to 3.0.4

This issue was reported to OpenSSL on the 20th May 2022. It was found by
Chancen of Qingteng 73lab. A further instance of the issue was found by Daniel
Fiala of OpenSSL during a code review of the script. The fix for these issues
was developed by Daniel Fiala and Tomas Mraz from OpenSSL.

Note
====

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
The impact of these issues on OpenSSL 1.1.0 has not been analysed.

Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1.
References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20220621.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmKx1vMACgkQ2cTSbQ5g
RJFo3gf/XY0cjt1lXtTrGBGu5lDf6Gou7USlUy4lo0wQwkHJ11b2PDxINS+xGNzp
GoOSxCGcQEPrUPkQTwbTtVxSDKuIkQmQG0py155zUrKzsRTad3rIsHy+NzfweBW+
RSwTYZT702J5XRMkeaLhzqG2WY5fxibydaKRKIU2IcyvOQP4tEdrRBQ1taaYKORG
ZZmlcL8Et96YgbFDotLJAeZQ9nbOnHEti7zGCvp48klOqc4llH+0QnHmRsJFxO2F
QHNd0ZUsb0gzVajEOz1rBEIotS4tYDltRCkgJz7evJSPrXrbbacXflfHGsveWjgw
h8Wr4I7UK1liE3lmb5LuW/BXf7CAQg==
=31ys
-----END PGP SIGNATURE-----
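The advisory does not reproduce the affected script, so the following is an added illustration of the bug class it describes, not c_rehash or any OpenSSL code: a certificate file name spliced into a command string that /bin/sh parses, next to the argv form that has no shell in the path. It is written in Python with the standard library only (rather than the script's own Perl) so it runs anywhere; `echo` stands in for the per-file openssl invocation, and the function names, the `TOOL` stand-in and the malicious file name are all constructed for the demo.

```python
"""Added example; not the c_rehash script or any OpenSSL code.
Shows the command-injection pattern CVE-2022-2068 describes (a certificate
file name interpolated into a shell command line) and the argv form that fixes
it.  `echo` stands in for the openssl invocation so no OpenSSL install is needed."""
import re
import subprocess

# Stand-in for the command a rehash script runs once per certificate file.
# The real tool is `openssl x509 -hash -noout -in <file>`; `echo` keeps the
# demo self-contained and observable.
TOOL = ["echo", "hashing"]


def hash_cert_unsafe(path: str) -> str:
    """VULNERABLE pattern: build one string and hand it to /bin/sh.
    Every metacharacter in `path` (; | & $( ) ` ...) is interpreted by the
    shell, so whoever chooses the file name chooses what gets executed."""
    cmd = " ".join(TOOL) + " " + path
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hash_cert_safe(path: str) -> str:
    """FIXED pattern: pass argv directly, no shell involved.  The file name
    reaches the tool as exactly one argument, metacharacters and all."""
    return subprocess.run(TOOL + [path], capture_output=True, text=True).stdout


def suspicious_name(path: str) -> bool:
    """Defence-in-depth check for a directory scanner: a certificate file name
    containing shell metacharacters or whitespace is not legitimate and should
    be skipped (and logged) rather than processed."""
    return re.search(r"[;&|`$(){}<>\\'\"\s]", path) is not None


# Constructed attacker-controlled file name.  On systems where the script is run
# automatically over a certificate directory, dropping a file with this name is
# the whole attack.
EVIL_NAME = "cert.pem; echo INJECTED"

if __name__ == "__main__":
    print("shell=True :", repr(hash_cert_unsafe(EVIL_NAME)))  # the second command ran
    print("argv list  :", repr(hash_cert_safe(EVIL_NAME)))    # one argument, nothing extra ran
    print("flagged    :", suspicious_name(EVIL_NAME))
    # The advisory's actual remedy is not a better quoting rule but retiring the
    # script: `openssl rehash <dir>` hashes in-process and never consults a shell.
```

With the shell form the output carries a second line, `INJECTED`, produced by the injected command; with the argv form the whole name, semicolon included, arrives as a single argument and only one `echo` runs. The check in `suspicious_name` is a belt-and-braces measure for anything that still walks a certificate directory; the fix the advisory asks for is to run `openssl rehash` instead of the script.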
OpenSSL version 3.0.4 published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL version 3.0.4 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of
version 3.0.4 of our open source toolkit for SSL/TLS. For details
of the changes, see the release notes at:

    https://www.openssl.org/news/openssl-3.0-notes.html

Specific notes on upgrading to OpenSSL 3.0 from previous versions are
available in the OpenSSL Migration Guide, here:

    https://www.openssl.org/docs/man3.0/man7/migration_guide.html

OpenSSL 3.0.4 is available for download via HTTPS and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

 o openssl-3.0.4.tar.gz
   Size: 15069605
   SHA1 checksum: cde0c343646ce10600e6b28fc7000e9096e7959f
   SHA256 checksum: 2831843e9a668a0ab478e7020ad63d2d65e51f72977472dc73efcefbafc0c00f

The checksums were calculated using the following commands:

 openssl sha1 openssl-3.0.4.tar.gz
 openssl sha256 openssl-3.0.4.tar.gz

Yours,

The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmKxyBUACgkQ2cTSbQ5g
RJEQbgf+OKc54bvXn9b9y6HsTIO5mRr1DqVzSkg8l6UC3T2TJSTDIQJVp0JaQmMr
xNo6v/jYq+ZSVyX6lIa0+0YukJsnvlhaUc857KuuqnS6plBA7K5RIeUhjC2MZayw
XSjAw3styH45l8Mm3v0R4s9pGySUC0h3t1mLwcJ+gv1XgQYbDxqWUabsLPoeDRJz
j3Ph10KvSPBDNR9FxYwK0BGhkuPkz4bZaNXJgd5MJCBF+0inUr+owDdprIAARve+
hiP+qBFIfQsokbJDbn7hQ5OB5LyQRLekvNUb3euaKSTlc2xpmsyoVIgLtCrAWp5F
DMinUzLD+q+/YgW/g4i3vFepc7R7Tw==
=vtQZ
-----END PGP SIGNATURE-----
OpenSSL version 1.1.1p published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL version 1.1.1p released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of
version 1.1.1p of our open source toolkit for SSL/TLS. For details
of changes and known issues see the release notes at:

    https://www.openssl.org/news/openssl-1.1.1-notes.html

OpenSSL 1.1.1p is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

 o openssl-1.1.1p.tar.gz
   Size: 9860217
   SHA1 checksum: 707daabab923ef2d9f05fdb8e0664944be7f5eba
   SHA256 checksum: bf61b62aaa66c7c7639942a94de4c9ae8280c08f17d4eac2e44644d9fc8ace6f

The checksums were calculated using the following commands:

 openssl sha1 openssl-1.1.1p.tar.gz
 openssl sha256 openssl-1.1.1p.tar.gz

Yours,

The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmKxyiAACgkQ2cTSbQ5g
RJGpiAgAp0GN7gCRELpsJNvHnvuwwgOxUx3ata0EhCKfmj2tpJLQ3E+ImnuQBs5m
+EDaOwRSTNORqJguy+BLlez1ySTAK9Pce8AHAYiC0VaUE18Y7X3S/E4t1sEjmHLl
LxQi8DHEwIpuYe3ITO881cZ26tGo4gflrpqwVWPT1aqfRExguNY3GAzJIEMxDHNb
oGsRH2sEMTBhR/ToLRV+ryr9L5rB7i29lSAT9GTPNCHko/j30cJ+9l1b2UehkZay
N2oJu/2nvXORcXbLDY5m4jiBwfTQNMzGrAjtz/LLDqnFhC79gUPui90Q53o8EmSJ
kJAF+DR1hZM9xnsgGZp+WSLrf1pfKw==
=iyXg
-----END PGP SIGNATURE-----
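Both release notes above publish a size, a SHA1 and a SHA256 digest and the `openssl sha1` / `openssl sha256` commands that produced them. The following is an added example of the consumer's side of that procedure, not the OpenSSL project's tooling: it parses those fields out of an announcement body and checks a downloaded archive against them, refusing to accept a SHA-1 match on its own. The announcement excerpt and digests are copied from the 3.0.4 note on this page; the archive bytes in the demo and the helper names `parse_announcement`, `verify_tarball` and `published_for` are constructed, since the real tarball is not available offline.

```python
"""Added example; not the OpenSSL project's release tooling.
Parses the Size / SHA1 checksum / SHA256 checksum fields from a release
announcement and verifies a downloaded archive against them.  The excerpt
below is copied from the 3.0.4 announcement; the archive bytes in the demo are
a constructed stand-in for the real tarball."""
import hashlib
import re

# Excerpt of the 3.0.4 release announcement, copied verbatim from the page.
ANNOUNCEMENT_3_0_4 = """\
 o openssl-3.0.4.tar.gz
   Size: 15069605
   SHA1 checksum: cde0c343646ce10600e6b28fc7000e9096e7959f
   SHA256 checksum: 2831843e9a668a0ab478e7020ad63d2d65e51f72977472dc73efcefbafc0c00f
"""

_FIELD = re.compile(r"^\s*(Size|SHA1 checksum|SHA256 checksum):\s*(\S+)", re.M)


def parse_announcement(text: str) -> dict:
    """Return {'size': int, 'sha1': hex, 'sha256': hex} read from an announcement body."""
    fields = {k.lower().replace(" checksum", ""): v.lower() for k, v in _FIELD.findall(text)}
    if "size" in fields:
        fields["size"] = int(fields["size"])
    return fields


def verify_tarball(data: bytes, published: dict) -> bool:
    """True only if every published value (size, SHA-1, SHA-256) matches `data`.
    SHA-256 is mandatory: a record without it is rejected outright, because
    SHA-1 collisions are practical and the announcement prints SHA-256 so that
    it, not SHA-1, is the deciding check.  The hex values compared here are the
    same ones `openssl sha256 <file>` / `openssl sha1 <file>` print."""
    if "sha256" not in published:
        return False
    checks = [hashlib.sha256(data).hexdigest() == published["sha256"]]
    if "sha1" in published:
        checks.append(hashlib.sha1(data).hexdigest() == published["sha1"])
    if "size" in published:
        checks.append(len(data) == published["size"])
    return all(checks)


def published_for(data: bytes) -> dict:
    """Demo helper: the record an authentic announcement would carry for `data`."""
    return {
        "size": len(data),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    print(parse_announcement(ANNOUNCEMENT_3_0_4))
    good = b"constructed stand-in for openssl-3.0.4.tar.gz"  # not the real archive
    print(verify_tarball(good, published_for(good)))            # True
    print(verify_tarball(good + b"\x00", published_for(good)))  # False: altered or truncated
    # For the real download: verify_tarball(open("openssl-3.0.4.tar.gz", "rb").read(),
    #                                       parse_announcement(announcement_text))
```

The digests only authenticate the archive if the announcement they came from is authentic, and that is what the PGP signature on each message above is for: check that signature against the OpenSSL release-signing key before trusting the values, since an attacker who can substitute the tarball can usually substitute an unsigned digest line as well. The size field is a cheap first check that catches truncated downloads without hashing fifteen megabytes.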