OpenSSL v1.0.2.n Release Notes

Release Date: 2018-03-27 // over 3 years ago
    • Constructed ASN.1 types with a recursive definition could exceed the stack

    Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe.

    This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz project. [CVE-2018-0739][]

    Matt Caswell