Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:GA
openssl-1_0_0.35258
openssl-CVE-2023-0466.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openssl-CVE-2023-0466.patch of Package openssl-1_0_0.35258
From bccf26f7c3b921be8946bfdd1b2de48fea96f90d Mon Sep 17 00:00:00 2001 From: Tomas Mraz <tomas@openssl.org> Date: Tue, 21 Mar 2023 16:15:47 +0100 Subject: [PATCH] Fix documentation of X509_VERIFY_PARAM_add0_policy() The function was incorrectly documented as enabling policy checking. Fixes: CVE-2023-0466 --- CHANGES | 5 +++++ NEWS | 1 + doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 9 +++++++-- 3 files changed, 13 insertions(+), 2 deletions(-) --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,11 @@ Changes between 1.0.2o and 1.0.2p [14 Aug 2018] + *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention + that it does not enable policy checking. Thanks to + David Benjamin for discovering this issue. (CVE-2023-0466) + [Tomas Mraz] + *) Fixed an issue where invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert --- a/NEWS +++ b/NEWS @@ -7,6 +7,7 @@ Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p [14 Aug 2018] + o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466) o Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465) o Limited the number of nodes created in a policy tree ([CVE-2023-0464]) --- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod @@ -62,8 +62,9 @@ B<trust>. X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to B<t>. Normally the current time is used. -X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled -by default) and adds B<policy> to the acceptable policy set. +X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set. +Contrary to preexisting documentation of this function it does not enable +policy checking. X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled by default) and sets the acceptable policy set to B<policies>. Any existing @@ -224,6 +225,10 @@ becomes the trust-anchor. Thus, even when an intermediate certificate is found in the trust store, the verified chain passed to callbacks may still be anchored by a root CA. +The function X509_VERIFY_PARAM_add0_policy() was historically documented as +enabling policy checking however the implementation has never done this. +The documentation was changed to align with the implementation. + =head1 NOTES The above functions should be used to manipulate verification parameters
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor