CLD-348 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-0739 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) openssl
Deficiency Type SECURITY
Date Created 2018-03-27 11:29:30
Date Last Modified 2018-03-27 20:53:54

Version Specific Information:

Cucumber 1.0 i686 fixed in openssl-1.0.2o-i686-1
Cucumber 1.0 x86_64 fixed in openssl-1.0.2o-x86_64-1 and openssl-lib_i686-1.0.2o-lib_i686-1

Cucumber 1.1 i686 fixed in openssl-1.0.2o-i686-1
Cucumber 1.1 x86_64 fixed in openssl-1.0.2o-x86_64-1 and openssl-lib_i686-1.0.2o-lib_i686-1

Details:

From https://www.openssl.org/news/vulnerabilities.html:

CVE-2018-0739 (OpenSSL advisory) [Moderate severity] 27 March 2018:
    Constructed ASN.1 types with a recursive definition (such as can be found in
    PKCS7) could eventually exceed the stack given malicious input with
    excessive recursion. This could result in a Denial Of Service attack. There
    are no such structures used within SSL/TLS that come from untrusted sources
    so this is considered safe. Reported by OSS-fuzz.

        Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g)
            Git commit: https://github.com/openssl/openssl/commit/2ac4c6f7b2b2af20c0e2b0ba05367e454cd11b33
        Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n)
            Git commit: https://github.com/openssl/openssl/commit/9310d45087ae546e27e61ddf8f6367f29848220d