OpenSSL changes between 1.1.1o and 1.1.1p [21 Jun 2022]
*) In addition to the c_rehash shell command injection identified in
CVE-2022-1292, further bugs where the c_rehash script does not
properly sanitise shell metacharacters to prevent command injection have been
fixed.
When CVE-2022-1292 was fixed it was not discovered that there
are other places in the script where the file names of certificates
being hashed were possibly passed to a command executed through the shell.
This script is distributed by some operating systems in a manner where
it is automatically executed. On such operating systems, an attacker
could execute arbitrary commands with the privileges of the script.
Use of the c_rehash script is considered obsolete and should be replaced
by the OpenSSL rehash command line tool.
(CVE-2022-2068)
[Daniel Fiala, Tomáš Mráz]
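As an added illustration of the bug class described in this entry (not code from OpenSSL, c_rehash or Apache Haus): a small Python audit that flags certificate file names a shell would interpret, and builds the openssl invocation as an argv list so no shell ever parses the path. File names and paths in it are constructed samples.

```python
import shlex
import subprocess
from typing import Iterable, List

# Characters a POSIX shell treats specially. A certificate file name that
# contains one of these must never be spliced into a command string that
# is then handed to the shell, which is the c_rehash weakness above.
SHELL_META = set(';&|<>()$`\\"\' \t\n*?[]{}#~!')


def has_shell_metachars(name: str) -> bool:
    """True if the file name could change the meaning of a shell command."""
    return any(c in SHELL_META for c in name)


def find_unsafe_names(names: Iterable[str]) -> List[str]:
    """Audit helper: return the file names a rehash script should refuse."""
    return sorted(n for n in names if has_shell_metachars(n))


def hash_argv(cert_path: str, openssl: str = "openssl") -> List[str]:
    """argv for 'openssl x509 -hash': the path is one argument, so no shell
    ever parses it. This is the hardened form of the call."""
    return [openssl, "x509", "-hash", "-fingerprint", "-noout", "-in", cert_path]


def hash_command_string(cert_path: str, openssl: str = "openssl") -> str:
    """If a shell string is unavoidable, quote every word with shlex.quote so
    the path stays a single literal word whatever characters it contains."""
    return " ".join(shlex.quote(a) for a in hash_argv(cert_path, openssl))


def subject_hash(cert_path: str, openssl: str = "openssl") -> str:
    """Run openssl without a shell and return the subject hash line."""
    proc = subprocess.run(hash_argv(cert_path, openssl),
                          capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()[0].strip()


if __name__ == "__main__":
    # Constructed sample directory listing (hypothetical names): the second
    # and third entries are the kind a naive string interpolation mishandles.
    sample = ["ca-root.pem", "vendor;ca.pem", "my cert.crt"]
    print("refuse:", find_unsafe_names(sample))
    print("quoted:", hash_command_string("vendor;ca.pem"))
```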
*) When the OpenSSL TLS client is connecting without any supported elliptic
curves and the TLS 1.3 protocol is disabled, the connection will no longer fail
if a ciphersuite that does not use a key exchange based on elliptic
curves can be negotiated.
[Tomáš Mráz]
This release includes:
APR Version: 1.7.0
APU Version: 1.6.1
Brotli Version: 1.0.9
Expat Version: 2.4.7
Jansson Version: 2.14
Libcurl Version: 7.83.1
LibXML2 Version: 2.9.14
LUA Version: 5.2.4
NGHTTP2 Version: 1.47.0
OpenSSL Version: 1.1.1p
PCRE2 Version: 10.40
SQLite3 Version: 3.38.5
ZLib Version: 1.2.12
You can get your copy of the new Apache HTTP Server from our download page (http://www.apachehaus.com/cgi-bin/download.plx).
Thank you for the build!