diff options
author | Matt Caswell <matt@openssl.org> | 2023-03-23 15:31:25 +0000 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2023-03-28 13:45:14 +0200 |
commit | 07d8baf3367cbbf81877510e5102e6193da4bfe7 (patch) | |
tree | ce964d9b5021fad9e80c8da846658ec04030553c /CHANGES.md | |
parent | e8c359e51ff3372a19a784a8c865f1472774f181 (diff) | |
download | openssl-07d8baf3367cbbf81877510e5102e6193da4bfe7.zip openssl-07d8baf3367cbbf81877510e5102e6193da4bfe7.tar.gz openssl-07d8baf3367cbbf81877510e5102e6193da4bfe7.tar.bz2 |
Updated CHANGES.md and NEWS.md for CVE-2023-0465
Also updated the entries for CVE-2023-0464
Related-to: CVE-2023-0465
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20586)
Diffstat (limited to 'CHANGES.md')
-rw-r--r-- | CHANGES.md | 12 |
1 files changed, 12 insertions, 0 deletions
@@ -24,12 +24,22 @@ OpenSSL 3.1 ### Changes between 3.1.0 and 3.1.1 [xx XXX xxxx] + * Fixed an issue where invalid certificate policies in leaf certificates are + silently ignored by OpenSSL and other certificate policy checks are skipped + for that certificate. A malicious CA could use this to deliberately assert + invalid certificate policies in order to circumvent policy checking on the + certificate altogether. + ([CVE-2023-0465]) + + *Matt Caswell* + * Limited the number of nodes created in a policy tree to mitigate against CVE-2023-0464. The default limit is set to 1000 nodes, which should be sufficient for most installations. If required, the limit can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build time define to a desired maximum number of nodes or zero to allow unlimited growth. + ([CVE-2023-0464]) *Paul Dale* @@ -19689,6 +19699,8 @@ ndif <!-- Links --> +[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465 +[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464 [CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401 [CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286 [CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217 |