Bugzilla – Bug 1087102
VUL-0: CVE-2018-0739: openssl1,openssl,compat-openssl097g,compat-openssl098: Limit ASN.1 constructed types recursive definition depth
Last modified: 2022-04-11 13:29:43 UTC
CVE-2018-0739

commit 9310d45087ae546e27e61ddf8f6367f29848220d
Author: Matt Caswell <matt@openssl.org>
Date:   Thu Mar 22 10:05:40 2018 +0000

    Limit ASN.1 constructed types recursive definition depth

    Constructed types with a recursive definition (such as can be found in
    PKCS7) could eventually exceed the stack given malicious input with
    excessive recursion. Therefore we limit the stack depth.

    CVE-2018-0739

    Credit to OSSFuzz for finding this issue.

    Reviewed-by: Rich Salz <rsalz@openssl.org>

References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0739
https://www.openssl.org/news/secadv/20180327.txt

Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739)
==========================================================================================

Severity: Moderate

Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe.

OpenSSL 1.1.0 users should upgrade to 1.1.0h
OpenSSL 1.0.2 users should upgrade to 1.0.2o

This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz project. The fix was developed by Matt Caswell of the OpenSSL development team.
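As an added illustration of the mitigation the commit message and advisory above describe (this is not OpenSSL's code): a minimal DER walker that descends into constructed elements only while a nesting counter stays under a cap, so a deeply nested SEQUENCE is rejected with an error instead of consuming unbounded stack. The cap of 30, the function names and the nested-SEQUENCE test input are my own assumptions and constructions.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_CONSTRUCTED_NEST 30   /* depth cap; assumed to mirror the upstream fix */
#define DER_MALFORMED (-1)
#define DER_TOO_DEEP  (-2)

/* Walk a DER TLV stream, recursing into constructed elements (tag bit 0x20) with a
 * bounded depth. Returns the deepest level reached, DER_TOO_DEEP once the cap is
 * exceeded, or DER_MALFORMED on a bad encoding. */
static int der_walk(const uint8_t *p, size_t len, int depth, int *deepest)
{
    while (len > 0) {
        if (len < 2) return DER_MALFORMED;
        size_t hdr = 2, l = p[1];
        if (l & 0x80) {                                  /* long-form length */
            size_t n = l & 0x7f;
            if (n == 0 || n > sizeof(size_t) || len < 2 + n) return DER_MALFORMED;
            for (l = 0; n > 0; n--) l = (l << 8) | p[hdr++];
        }
        if (len - hdr < l) return DER_MALFORMED;         /* length overruns input */
        if (p[0] & 0x20) {                               /* constructed: descend */
            if (depth + 1 > MAX_CONSTRUCTED_NEST) return DER_TOO_DEEP;
            if (depth + 1 > *deepest) *deepest = depth + 1;
            int r = der_walk(p + hdr, l, depth + 1, deepest);
            if (r < 0) return r;
        }
        p += hdr + l;
        len -= hdr + l;
    }
    return *deepest;
}

int der_max_depth(const uint8_t *der, size_t len)
{
    int deepest = 0;
    return der_walk(der, len, 0, &deepest);
}

/* Encode `levels` nested empty SEQUENCEs (30 LL ... 30 00, short-form lengths,
 * so levels <= 64) as constructed test input and run the bounded walker on it. */
int nested_depth_result(int levels)
{
    uint8_t buf[128];
    if (levels < 1 || levels > 64) return DER_MALFORMED;
    for (int i = 0; i < levels; i++) {
        buf[2 * i] = 0x30;                                /* SEQUENCE, constructed */
        buf[2 * i + 1] = (uint8_t)(2 * (levels - 1 - i)); /* bytes enclosed */
    }
    return der_max_depth(buf, (size_t)levels * 2);
}
```

The walker still needs a correct outer length check (the DER_MALFORMED paths) in addition to the depth cap, because a recursion limit alone does nothing against an element whose declared length runs past the buffer.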
All submitted.
SUSE-SU-2018:0902-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1087102
CVE References: CVE-2018-0739
Sources used:
SUSE OpenStack Cloud 6 (src):    openssl-1.0.1i-54.11.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    openssl-1.0.1i-54.11.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    openssl-1.0.1i-54.11.1
SUSE-SU-2018:0905-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1087102
CVE References: CVE-2018-0739
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src):    openssl1-1.0.1g-0.58.9.1
SUSE-SU-2018:0906-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1087102
CVE References: CVE-2018-0739
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    openssl-1.0.1i-27.31.1
SUSE-SU-2018:0925-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1087102
CVE References: CVE-2018-0739
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    openssl-1.0.2j-60.24.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    openssl-1.0.2j-60.24.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    openssl-1.0.2j-60.24.1
SUSE Linux Enterprise Server 12-SP3 (src):    openssl-1.0.2j-60.24.1
SUSE Linux Enterprise Server 12-SP2 (src):    openssl-1.0.2j-60.24.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    openssl-1.0.2j-60.24.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    openssl-1.0.2j-60.24.1
SUSE CaaS Platform ALL (src):    openssl-1.0.2j-60.24.1
OpenStack Cloud Magnum Orchestration 7 (src):    openssl-1.0.2j-60.24.1
openSUSE-SU-2018:0936-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1087102
CVE References: CVE-2018-0739
Sources used:
openSUSE Leap 42.3 (src):    openssl-1.0.2j-19.1
SUSE-SU-2018:0975-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1087102
CVE References: CVE-2018-0739
Sources used:
SUSE Studio Onsite 1.3 (src):    openssl-0.9.8j-0.106.9.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    openssl-0.9.8j-0.106.9.1
SUSE Linux Enterprise Server 11-SP4 (src):    openssl-0.9.8j-0.106.9.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    openssl-0.9.8j-0.106.9.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2018-05-16. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64026
This is an autogenerated message for OBS integration: This bug (1087102) was mentioned in https://build.opensuse.org/request/show/626778 42.3 / mysql-community-server
openSUSE-SU-2018:2293-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1087102,1088681,1101676,1101678,1101679,1101680,1103342,1103344
CVE References: CVE-2018-0739,CVE-2018-2767,CVE-2018-3058,CVE-2018-3062,CVE-2018-3064,CVE-2018-3066,CVE-2018-3070,CVE-2018-3081
Sources used:
openSUSE Leap 42.3 (src):    mysql-community-server-5.6.41-39.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2018-08-29. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64102
SUSE-SU-2018:2534-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1065363,1087102,1097158
CVE References: CVE-2018-0732,CVE-2018-0739
Sources used:
SUSE Linux Enterprise Server for SAP 11-SP4 (src):    compat-openssl097g-0.9.7g-146.22.51.5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    compat-openssl097g-0.9.7g-146.22.51.5.1
SUSE-SU-2018:2683-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1087102,1089039,1097158,1097624,1098592
CVE References: CVE-2018-0732,CVE-2018-0737,CVE-2018-0739
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    compat-openssl098-0.9.8j-106.6.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    compat-openssl098-0.9.8j-106.6.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    compat-openssl098-0.9.8j-106.6.1
SUSE Linux Enterprise Module for Legacy Software 12 (src):    compat-openssl098-0.9.8j-106.6.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    compat-openssl098-0.9.8j-106.6.1
openSUSE-SU-2018:2695-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1087102,1089039,1097158,1097624,1098592
CVE References: CVE-2018-0732,CVE-2018-0737,CVE-2018-0739
Sources used:
openSUSE Leap 42.3 (src):    compat-openssl098-0.9.8j-24.1
SUSE-FU-2022:0445-1: An update that solves 183 vulnerabilities, contains 21 features and has 299 fixes is now available.

Category: feature (moderate)
Bug References: [list omitted]
CVE References: [list omitted]
JIRA References: [list omitted]
Sources used:
SUSE Manager Tools 12-BETA (src):    venv-salt-minion-3002.2-3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done.