id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
5076	OpenSSL-3.0.4	Douglas R. Reno	lfs-book	"New point version


----
Changes between 3.0.3 and 3.0.4 [21 June 2022]

    In addition to the c_rehash shell command injection identified in CVE-2022-1292, further bugs where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection have been fixed.

    When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell.

    This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.

    Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. (CVE-2022-2068)


    Case insensitive string comparison no longer uses locales. It has instead been directly implemented.
"	enhancement	closed	high	11.2	Book	git	normal	fixed		
