author | Matt Caswell <matt@openssl.org> | 2018-03-27 10:58:34 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-03-27 13:33:09 +0100 |
commit | b621f604e9b52ce8f568b6d3677a19b1e862613a (patch) | |
tree | f0c5e3ab3824a53d178e9163bf0b7d22a7431ba4 | |
parent | 9310d45087ae546e27e61ddf8f6367f29848220d (diff) | |
download | openssl-new-b621f604e9b52ce8f568b6d3677a19b1e862613a.tar.gz |
Update CHANGES and NEWS for the new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
-rw-r--r-- | CHANGES | 13 | ||||
-rw-r--r-- | NEWS | 3 |
2 files changed, 14 insertions, 2 deletions
@@ -9,7 +9,18 @@ Changes between 1.0.2n and 1.0.2o [xx XXX xxxx] - *) + *) Constructed ASN.1 types with a recursive definition could exceed the stack + + Constructed ASN.1 types with a recursive definition (such as can be found + in PKCS7) could eventually exceed the stack given malicious input with + excessive recursion. This could result in a Denial Of Service attack. There + are no such structures used within SSL/TLS that come from untrusted sources + so this is considered safe. + + This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz + project. + (CVE-2018-0739) + [Matt Caswell] Changes between 1.0.2m and 1.0.2n [7 Dec 2017] @@ -7,7 +7,8 @@ Major changes between OpenSSL 1.0.2n and OpenSSL 1.0.2o [under development] - o + o Constructed ASN.1 types with a recursive definition could exceed the + stack (CVE-2018-0739) Major changes between OpenSSL 1.0.2m and OpenSSL 1.0.2n [7 Dec 2017] |
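Review bot: In the CHANGES hunk, the sentence "There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe" has an ambiguous "this" and, coming right after the Denial Of Service statement, can be read as saying the whole issue is harmless. Suggest saying explicitly that SSL/TLS use is considered safe, while applications that parse recursive structures (PKCS7 is the one named here) from untrusted input are the exposed case. The entry also describes only the problem; one sentence on how excessive recursion is handled after this release would tell users what behaviour to expect. The section heading in the context line still reads "[xx XXX xxxx]", so the release date needs filling in before this ships.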
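Review bot: In the NEWS hunk, the new bullet under "Major changes" states the defect ("could exceed the stack") rather than the change, so a reader skimming NEWS cannot tell whether 1.0.2o fixes it or merely documents it. Suggest wording it as a fix while keeping the CVE reference, for example by prefixing the line with "Fixed:" or similar. The heading in the context line still says "[under development]", which should become the release date in the same update.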