[SERVER-34193] Limit recursive definition ASN.1 types with OpenSSL update - MongoDB

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.2.20, 3.4.15, 3.6.4, 3.7.4
Component/s: Security
Labels:
- SWNA
- security

Backwards Compatibility:
Fully Compatible
Backport Requested:

v3.6, v3.4, v3.2

Description

Constructed ASN.1 types with a recursive definition (as in PKCS7) could exceed stack given excessive recursion. No such structures within SSL/TLS come from untrusted sources so this is considered safe

Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g).
Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).

Attachments

Activity

People

Assignee:: Zakhar Kleyman

Reporter:: Davi Ottenheimer

Participants:: Davi Ottenheimer, Gregory McKeon, Zakhar Kleyman

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Created:: Mar 29 2018 04:57:43 PM UTC

Updated:: Jun 29 2018 07:51:41 PM UTC

Resolved:: Apr 18 2018 02:47:40 PM UTC