Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Please login to access the resource
SUSE:SLE-15-SP7:GA
openssl-3.35843
openssl-CVE-2023-0466.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openssl-CVE-2023-0466.patch of Package openssl-3.35843
From f079bca52e6abf58d32cc003f32a3ab3c6781f44 Mon Sep 17 00:00:00 2001 From: Tomas Mraz <tomas@openssl.org> Date: Tue, 21 Mar 2023 16:15:47 +0100 Subject: [PATCH] Fix documentation of X509_VERIFY_PARAM_add0_policy() The function was incorrectly documented as enabling policy checking. Fixes: CVE-2023-0466 --- CHANGES.md | 8 ++++++++ NEWS.md | 2 ++ doc/man3/X509_VERIFY_PARAM_set_flags.pod | 9 +++++++-- 3 files changed, 17 insertions(+), 2 deletions(-) --- a/CHANGES.md +++ b/CHANGES.md @@ -30,6 +30,13 @@ breaking changes, and mappings for the l ### Changes between 3.0.7 and 3.0.8 [7 Feb 2023] + * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention + that it does not enable policy checking. Thanks to David Benjamin for + discovering this issue. + ([CVE-2023-0466]) + + *Tomáš Mráz* + * Fixed an issue where invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert @@ -19597,6 +19604,7 @@ ndif <!-- Links --> +[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466 [CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465 [CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464 [CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401 --- a/NEWS.md +++ b/NEWS.md @@ -20,6 +20,7 @@ OpenSSL 3.0 ### Major changes between OpenSSL 3.0.7 and OpenSSL 3.0.8 [7 Feb 2023] + * Fixed documentation of X509_VERIFY_PARAM_add0_policy() ([CVE-2023-0466]) * Fixed handling of invalid certificate policies in leaf certificates ([CVE-2023-0465]) * Limited the number of nodes created in a policy tree ([CVE-2023-0464]) @@ -1433,6 +1434,7 @@ OpenSSL 0.9.x * Support for various new platforms <!-- Links --> +[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466 [CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465 [CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464 [CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401 --- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod @@ -98,8 +98,9 @@ B<trust>. X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to B<t>. Normally the current time is used. -X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled -by default) and adds B<policy> to the acceptable policy set. +X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set. +Contrary to preexisting documentation of this function it does not enable +policy checking. X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled by default) and sets the acceptable policy set to B<policies>. Any existing @@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() fu The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(), and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0. +The function X509_VERIFY_PARAM_add0_policy() was historically documented as +enabling policy checking however the implementation has never done this. +The documentation was changed to align with the implementation. + =head1 COPYRIGHT Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved.
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor