CLD-348 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) | openssl |
Deficiency Type | SECURITY |
Date Created | 2018-03-27 11:29:30 |
Date Last Modified | 2018-03-27 20:53:54 |
Version Specific Information:
Cucumber 1.0 i686 | fixed in openssl-1.0.2o-i686-1 |
Cucumber 1.0 x86_64 | fixed in openssl-1.0.2o-x86_64-1 and openssl-lib_i686-1.0.2o-lib_i686-1 |
Cucumber 1.1 i686 | fixed in openssl-1.0.2o-i686-1 |
Cucumber 1.1 x86_64 | fixed in openssl-1.0.2o-x86_64-1 and openssl-lib_i686-1.0.2o-lib_i686-1 |
Details:
From https://www.openssl.org/news/vulnerabilities.html:
CVE-2018-0739 (OpenSSL advisory) [Moderate severity] 27 March 2018:
Constructed ASN.1 types with a recursive definition (such as can be found in
PKCS7) could eventually exceed the stack given malicious input with
excessive recursion. This could result in a Denial Of Service attack. There
are no such structures used within SSL/TLS that come from untrusted sources
so this is considered safe. Reported by OSS-fuzz.
Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g)
Git commit: https://github.com/openssl/openssl/commit/2ac4c6f7b2b2af20c0e2b0ba05367e454cd11b33
Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n)
Git commit: https://github.com/openssl/openssl/commit/9310d45087ae546e27e61ddf8f6367f29848220d