[SERVER-34193] Limit recursive definition ASN.1 types with OpenSSL update Created: 29/Mar/18 Updated: 29/Oct/23 Resolved: 18/Apr/18 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | 3.2.20, 3.4.15, 3.6.4, 3.7.4 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Davi Ottenheimer | Assignee: | Zakhar Kleyman |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | SWNA, security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Backwards Compatibility: | Fully Compatible |
| Backport Requested: | v3.6, v3.4, v3.2 |
| Description |
|
Constructed ASN.1 types with a recursive definition (as in PKCS7) could exceed the stack given excessive recursion. No such structures within SSL/TLS come from untrusted sources, so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). |
| Comments |
| Comment by Gregory McKeon (Inactive) [ 03/Apr/18 ] |
|
Just commenting that we kicked this over to Build because we believe updating OpenSSL to be in their domain. |