zzy/openssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Updated CHANGES.md and NEWS.md for CVE-2023-0465

Browse Source 
Also updated the entries for CVE-2023-0464

Related-to: CVE-2023-0465

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20585)
This commit is contained in:
Matt Caswell 2023-03-23 15:31:25 +00:00 committed by Tomas Mraz
parent 591feddc61
commit 986f9a674d
2 changed files with 21 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
CHANGES.md
View File

@ -242,12 +242,22 @@ OpenSSL 3.1
### Changes between 3.1.0 and 3.1.1 [xx XXX xxxx] ### Changes between 3.1.0 and 3.1.1 [xx XXX xxxx]
* Fixed an issue where invalid certificate policies in leaf certificates are
silently ignored by OpenSSL and other certificate policy checks are skipped
for that certificate. A malicious CA could use this to deliberately assert
invalid certificate policies in order to circumvent policy checking on the
certificate altogether.
([CVE-2023-0465])
*Matt Caswell*
* Limited the number of nodes created in a policy tree to mitigate * Limited the number of nodes created in a policy tree to mitigate
against CVE-2023-0464. The default limit is set to 1000 nodes, which against CVE-2023-0464. The default limit is set to 1000 nodes, which
should be sufficient for most installations. If required, the limit should be sufficient for most installations. If required, the limit
can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
time define to a desired maximum number of nodes or zero to allow time define to a desired maximum number of nodes or zero to allow
unlimited growth. unlimited growth.
([CVE-2023-0464])
*Paul Dale* *Paul Dale*
@ -19891,6 +19901,8 @@ ndif
<!-- Links --> <!-- Links -->
[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401 [CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286 [CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
[CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217 [CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217

10
NEWS.md
View File

@ -35,7 +35,13 @@ OpenSSL 3.2
OpenSSL 3.1 OpenSSL 3.1
----------- -----------
### Major changes between OpenSSL 3.0 and OpenSSL 3.1.0 [under development] ### Major changes between OpenSSL 3.1.0 and OpenSSL 3.1.1 [under development]
* Fixed handling of invalid certificate policies in leaf certificates
([CVE-2023-0465])
* Limited the number of nodes created in a policy tree ([CVE-2023-0464])
### Major changes between OpenSSL 3.0 and OpenSSL 3.1.0 [14 Mar 2023]
* SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0. * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.
* Performance enhancements and new platform support including new * Performance enhancements and new platform support including new
@ -1458,6 +1464,8 @@ OpenSSL 0.9.x
* Support for various new platforms * Support for various new platforms
<!-- Links --> <!-- Links -->
[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401 [CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286 [CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
[CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217 [CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217