CVE-2025-4575

Severity (CVSS v4.0): Pending analysis
Type: CWE-295 Improper Certificate Validation
Publication date: 22/05/2025
Last modified: 23/10/2025

Description

Issue summary: Use of the -addreject option with the openssl x509 application adds a trusted use instead of a rejected use for a certificate.

Impact summary: If a user intends to make a trusted certificate rejected for a particular use, it will instead be marked as trusted for that use.

A copy & paste error during minor refactoring of the code introduced this issue in the OpenSSL 3.5 version. If, for example, a trusted CA certificate should be trusted only for the purpose of authenticating TLS servers but not for CMS signature verification, and CMS signature verification is intended to be marked as rejected with the -addreject option, the resulting CA certificate will be trusted for the CMS signature verification purpose instead.

Only users who use the trusted certificate format and who use the openssl x509 command line application to add rejected uses are affected by this issue. Issues affecting only the command line application are considered to be Low severity.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

OpenSSL 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1 and 1.0.2 are also not affected by this issue.
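A way to verify that a trust anchor written with -addreject actually carries the intended policy is to inspect the aux section that `openssl x509 -in trusted.pem -noout -text` prints ("Trusted Uses:" / "Rejected Uses:", or "No Trusted Uses." / "No Rejected Uses." when a list is empty) and confirm that no use meant to be rejected landed in the trusted list. The checker below is an added example, not code from the advisory or from OpenSSL; the two sample outputs are constructed, and the emailProtection trust use (printed as "E-mail Protection") stands in for the CMS signature verification purpose the description uses as its example.

```python
"""Check the trust/reject lists printed by `openssl x509 -text` for a
TRUSTED CERTIFICATE. Added example; sample outputs below are constructed."""
import re

# Constructed: what a correct build prints after the certificate body for a
# cert written with `-addtrust serverAuth -addreject emailProtection`.
GOOD_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
Trusted Uses:
  TLS Web Server Authentication
Rejected Uses:
  E-mail Protection
"""

# Constructed: the shape an affected 3.5.0 build would print, where the use
# handed to -addreject is added to the trusted list and nothing is rejected.
BAD_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
Trusted Uses:
  TLS Web Server Authentication, E-mail Protection
No Rejected Uses.
"""


def parse_trust_aux(text: str) -> tuple[list[str], list[str]]:
    """Return (trusted_uses, rejected_uses). Each list is printed as a header
    line followed by one indented, comma-separated line; the 'No ... Uses.'
    form has no following line and yields an empty list."""
    lines = text.splitlines()
    uses: dict[str, list[str]] = {"Trusted": [], "Rejected": []}
    for i, line in enumerate(lines):
        m = re.fullmatch(r"\s*(Trusted|Rejected) Uses:", line)
        if m and i + 1 < len(lines):
            uses[m.group(1)] = [u.strip() for u in lines[i + 1].split(",") if u.strip()]
    return uses["Trusted"], uses["Rejected"]


def misplaced_rejections(text: str, intended_rejects: list[str]) -> list[str]:
    """Uses the operator meant to reject that show up as trusted, or are
    absent from the rejected list. Non-empty means the file does not carry
    the intended policy and must not be deployed as a trust anchor."""
    trusted, rejected = parse_trust_aux(text)
    return [u for u in intended_rejects if u in trusted or u not in rejected]


if __name__ == "__main__":
    print("good:", misplaced_rejections(GOOD_OUTPUT, ["E-mail Protection"]))
    print("bad: ", misplaced_rejections(BAD_OUTPUT, ["E-mail Protection"]))
```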

Vulnerable products and versions

CPE                                             From    Up to
cpe:2.3:a:openssl:openssl:3.5.0:*:*:*:*:*:*:*