Apache 2.4.54 with OpenSSL 1.1.1p released

Started by Gregg, June 24, 2022, 03:55:46 AM


Gregg

 OpenSSL changes between 1.1.1o and 1.1.1p [21 Jun 2022]

  *) In addition to the c_rehash shell command injection identified in
     CVE-2022-1292, further bugs where the c_rehash script does not
     properly sanitise shell metacharacters to prevent command injection have been
     fixed.

     When CVE-2022-1292 was fixed it was not discovered that there
     are other places in the script where the file names of certificates
     being hashed were possibly passed to a command executed through the shell.

     This script is distributed by some operating systems in a manner where
     it is automatically executed.  On such operating systems, an attacker
     could execute arbitrary commands with the privileges of the script.

     Use of the c_rehash script is considered obsolete and should be replaced
     by the OpenSSL rehash command line tool.
     (CVE-2022-2068)
     [Daniel Fiala, Tomáš Mráz]

  *) When an OpenSSL TLS client is connecting without any supported elliptic
     curves and the TLS 1.3 protocol is disabled, the connection will no longer fail
     if a ciphersuite that does not use a key exchange based on elliptic
     curves can be negotiated.
     [Tomáš Mráz]



This release includes:
APR Version:      1.7.0
APU Version:      1.6.1
Brotli Version:   1.0.9
Expat Version:    2.4.7
Jansson Version:  2.14
Libcurl Version:  7.83.1
LibXML2 Version:  2.9.14
LUA Version:      5.2.4
NGHTTP2 Version:  1.47.0
OpenSSL Version:  1.1.1p
PCRE2 Version:    10.40
SQLite3 Version:  3.38.5
ZLib Version:     1.2.12

You can get your copy of the new Apache HTTP Server from our download page.
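The c_rehash note above describes a class of bug, not a single line: a certificate file name spliced into a command string that a shell then parses. The following is an added example, not code from OpenSSL or from this release, that an administrator can use to audit a certificate directory for names that a shell would interpret, and that shows the hardened pattern (the file name passed as one argv element, never through a shell) side by side with the fragile one. It assumes nothing about the real script's internals; the directory, the file names and the hypothetical `openssl x509 -subject_hash` invocation are constructed for illustration, and the page's own recommendation (use `openssl rehash` instead of c_rehash) still stands.

```python
import os
import re
import subprocess
import tempfile

# Characters a POSIX shell treats specially. A file name containing any of
# these must never be interpolated into a command string that a shell parses.
SHELL_METACHARS = re.compile(r'[;&|`$<>(){}\[\]*?!"\'\\\s~#]')


def risky_cert_filenames(cert_dir):
    """Return, sorted, the names in cert_dir that carry shell metacharacters.

    Any hit is a candidate for the bug class described in CVE-2022-2068:
    a name that is harmless as an argv element but dangerous inside a shell string.
    """
    return sorted(n for n in os.listdir(cert_dir) if SHELL_METACHARS.search(n))


def fragile_command(cert_path):
    """The fragile pattern: the file name becomes part of a string a shell will parse.

    Quoting helps only until a name contains the quote character itself;
    this is shown for contrast and should not be executed.
    """
    return 'openssl x509 -noout -subject_hash -in "%s"' % cert_path


def safe_argv(cert_path):
    """The hardened pattern: an argv list for subprocess.run(..., shell=False).

    The file name is delivered to openssl as a single argument, so no shell
    ever sees it and metacharacters in the name are inert.
    """
    return ['openssl', 'x509', '-noout', '-subject_hash', '-in', cert_path]


def subject_hash(cert_path):
    """Run the hardened command (only if openssl is installed) and return the hash text.

    Returns None when openssl is unavailable, so the audit still works offline.
    """
    try:
        out = subprocess.run(safe_argv(cert_path), capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


def demo():
    """Populate a constructed directory and return the names the audit flags."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample names: one ordinary, three with shell metacharacters.
        for name in ['ca.pem', 'report;v2.pem', 'site (backup).pem', 'a$b.crt']:
            open(os.path.join(d, name), 'w').close()
        return risky_cert_filenames(d)


if __name__ == '__main__':
    for name in demo():
        print('flagged:', name)
```

Running the block prints the three constructed names that contain metacharacters; `ca.pem` is not flagged. The same `risky_cert_filenames` check can be pointed at a real `/etc/ssl/certs`-style directory before an upgrade to see whether any existing names would have been affected.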

mario