jonathan/openssl
1
0
Fork 0
forked from rpms/openssl
Code Pull Requests Activity

Certificate policy check not enabled

Browse Source 
Resolves: rhbz#2187431
This commit is contained in:
Dmitry Belyavskiy 2023-04-17 15:46:46 +02:00
parent 70a27e0ae3
commit ba8edd5ea8
2 changed files with 30 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
0117-CVE-2023-0466.patch Normal file
View File

@ -0,0 +1,27 @@
diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
index 75a1677022..43c1900bca 100644
--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
@@ -98,8 +98,9 @@ B<trust>.
X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
B<t>. Normally the current time is used.
-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
-by default) and adds B<policy> to the acceptable policy set.
+X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
+Contrary to preexisting documentation of this function it does not enable
+policy checking.
X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
by default) and sets the acceptable policy set to B<policies>. Any existing
@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(),
and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0.
+The function X509_VERIFY_PARAM_add0_policy() was historically documented as
+enabling policy checking however the implementation has never done this.
+The documentation was changed to align with the implementation.
+
=head1 COPYRIGHT
Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved.

3
openssl.spec
View File

@ -183,6 +183,7 @@ Patch114: 0114-FIPS-enforce-EMS-support.patch
# X.509 policies minor CVEs # X.509 policies minor CVEs
Patch115: 0115-CVE-2023-0464.patch Patch115: 0115-CVE-2023-0464.patch
Patch116: 0116-CVE-2023-0465.patch Patch116: 0116-CVE-2023-0465.patch
Patch117: 0117-CVE-2023-0466.patch
License: ASL 2.0 License: ASL 2.0
URL: http://www.openssl.org/ URL: http://www.openssl.org/
@ -520,6 +521,8 @@ install -m644 %{SOURCE9} \
Resolves: rhbz#2186661 Resolves: rhbz#2186661
- Fix invalid certificate policies in leaf certificates check - Fix invalid certificate policies in leaf certificates check
Resolves: rhbz#2187429 Resolves: rhbz#2187429
- Certificate policy check not enabled
Resolves: rhbz#2187431
* Fri Mar 24 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-12 * Fri Mar 24 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-12
- Change explicit FIPS indicator for RSA decryption to unapproved - Change explicit FIPS indicator for RSA decryption to unapproved