From 9e835248bdf4ea2eedcdc65046bde827e713b3e8 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Thu, 23 Mar 2023 21:41:37 -0400
Subject: [PATCH 1/2] Release openssl v0.10.48 and openssl-sys v0.9.83

---
 openssl-sys/CHANGELOG.md | 14 +++++++++++++-
 openssl-sys/Cargo.toml | 2 +-
 openssl/CHANGELOG.md | 13 ++++++++++++-
 openssl/Cargo.toml | 4 ++--
 4 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md
index 3cb0711817..8587ad2262 100644
--- a/openssl-sys/CHANGELOG.md
+++ b/openssl-sys/CHANGELOG.md
@@ -2,6 +2,17 @@
 ## [Unreleased]
+## [v0.9.83] - 2023-03-23
+
+### Fixed
+
+* Fixed version checks for LibreSSL.
+
+### Added
+
+* Added `i2d_X509_EXTENSION`.
+* Added `GENERAL_NAME_new`.
+
 ## [v0.9.82] - 2023-03-19
 ### Added
@@ -399,7 +410,8 @@ Fixed builds against OpenSSL built with `no-cast`.
 * Added `X509_verify` and `X509_REQ_verify`.
 * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`.
-[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.82..master
+[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.83..master
+[v0.9.83]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.82...openssl-sys-v0.9.83
 [v0.9.82]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.81...openssl-sys-v0.9.82
 [v0.9.81]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.80...openssl-sys-v0.9.81
 [v0.9.80]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.79...openssl-sys-v0.9.80
diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml
index ed3161c784..ad7582ad05 100644
--- a/openssl-sys/Cargo.toml
+++ b/openssl-sys/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "openssl-sys"
-version = "0.9.82"
+version = "0.9.83"
 authors = [
 "Alex Crichton ",
 "Steven Fackler ",
diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md
index 7de74b8045..3d55a18042 100644
--- a/openssl/CHANGELOG.md
+++ b/openssl/CHANGELOG.md
@@ -2,6 +2,16 @@
 ## [Unreleased]
+## [v0.10.48] - 2023-03-23
+
+### Fixed
+
+* Fixed injection vulnerabilities where OpenSSL's configuration mini-language could be used via `x509::extension::SubjectAlternativeName` and `x509::extension::ExtendedKeyUsage`. The mini-language can read arbitrary files amongst other things.
+ * As part of fixing this `SubjectAlternativeName::dir_name` and `SubjectAlternativeName::other_name` are deprected and their implementations always `panic!`. If you have a use case for these, please file an issue.
+* Fixed several NULL pointer dereferences in OpenSSL that could be triggered via `x509::X509Extension::new` and `x509::X509Extension::new_nid`. Note that these methods still accept OpenSSL's configuration mini-language, and therefore should not be used with untrusted data.
+* Fixed a data-race with `x509::X509Name` that are created with `x509::X509NameBuilder` and then used concurrently.
+* Fixed LibreSSL version checking. More functions should now be correctly available on LibreSSL.
+
 ## [v0.10.47] - 2023-03-19
 ### Added
@@ -697,7 +707,8 @@ Look at the [release tags] for information about older releases.
-[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.47...master
+[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.48...master
+[v0.10.48]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.47...openssl-v0.10.48
 [v0.10.47]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.46...openssl-v0.10.47
 [v0.10.46]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.45...openssl-v0.10.46
 [v0.10.45]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.44...openssl-v0.10.45
diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml
index 158acff5a3..e49bd9163e 100644
--- a/openssl/Cargo.toml
+++ b/openssl/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "openssl"
-version = "0.10.47"
+version = "0.10.48"
 authors = ["Steven Fackler "]
 license = "Apache-2.0"
 description = "OpenSSL bindings"
@@ -30,7 +30,7 @@
 libc = "0.2"
 once_cell = "1.5.2"
 openssl-macros = { version = "0.1.0", path = "../openssl-macros" }
-ffi = { package = "openssl-sys", version = "0.9.82", path = "../openssl-sys" }
+ffi = { package = "openssl-sys", version = "0.9.83", path = "../openssl-sys" }
 [dev-dependencies]
 hex = "0.3"
From 0257c4f27ebff50e4664dcedc64ce5c60b7bc76c Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Thu, 23 Mar 2023 21:46:21 -0400
Subject: [PATCH 2/2] Update openssl/CHANGELOG.md

Co-authored-by: Paul Kehrer
---
 openssl/CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md
index 3d55a18042..c6d9b303cd 100644
--- a/openssl/CHANGELOG.md
+++ b/openssl/CHANGELOG.md
@@ -7,7 +7,7 @@
 ### Fixed
 * Fixed injection vulnerabilities where OpenSSL's configuration mini-language could be used via `x509::extension::SubjectAlternativeName` and `x509::extension::ExtendedKeyUsage`. The mini-language can read arbitrary files amongst other things.
- * As part of fixing this `SubjectAlternativeName::dir_name` and `SubjectAlternativeName::other_name` are deprected and their implementations always `panic!`. If you have a use case for these, please file an issue.
+ * As part of fixing this `SubjectAlternativeName::dir_name` and `SubjectAlternativeName::other_name` are deprecated and their implementations always `panic!`. If you have a use case for these, please file an issue.
 * Fixed several NULL pointer dereferences in OpenSSL that could be triggered via `x509::X509Extension::new` and `x509::X509Extension::new_nid`. Note that these methods still accept OpenSSL's configuration mini-language, and therefore should not be used with untrusted data.
 * Fixed a data-race with `x509::X509Name` that are created with `x509::X509NameBuilder` and then used concurrently.
 * Fixed LibreSSL version checking. More functions should now be correctly available on LibreSSL.