[SERVER-34193] Limit recursive definition ASN.1 types with OpenSSL update Created: 29/Mar/18  Updated: 29/Oct/23  Resolved: 18/Apr/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 3.2.20, 3.4.15, 3.6.4, 3.7.4

Type: Bug Priority: Major - P3
Reporter: Davi Ottenheimer Assignee: Zakhar Kleyman
Resolution: Fixed Votes: 0
Labels: SWNA, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Backport Requested:
v3.6, v3.4, v3.2

Description

Constructed ASN.1 types with a recursive definition (as in PKCS7) could exceed the stack given excessive recursion. No such structures within SSL/TLS come from untrusted sources, so this is considered safe.

Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g).
Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).
Comments
Comment by Gregory McKeon (Inactive) [ 03/Apr/18 ]

Just commenting that we kicked this over to Build because we believe updating OpenSSL to be in their domain.
