From: Matt Caswell Date: Tue, 27 Mar 2018 09:58:34 +0000 (+0100) Subject: Update CHANGES and NEWS for the new release X-Git-Tag: OpenSSL_1_0_2o~3 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=b621f604e9b52ce8f568b6d3677a19b1e862613a;p=oweals%2Fopenssl.git Update CHANGES and NEWS for the new release Reviewed-by: Richard Levitte --- diff --git a/CHANGES b/CHANGES index f2bc2b321d..5e6295c00f 100644 --- a/CHANGES +++ b/CHANGES @@ -9,7 +9,18 @@ Changes between 1.0.2n and 1.0.2o [xx XXX xxxx] - *) + *) Constructed ASN.1 types with a recursive definition could exceed the stack + + Constructed ASN.1 types with a recursive definition (such as can be found + in PKCS7) could eventually exceed the stack given malicious input with + excessive recursion. This could result in a Denial Of Service attack. There + are no such structures used within SSL/TLS that come from untrusted sources + so this is considered safe. + + This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz + project. + (CVE-2018-0739) + [Matt Caswell] Changes between 1.0.2m and 1.0.2n [7 Dec 2017] diff --git a/NEWS b/NEWS index f688c5aa55..3cf97937f8 100644 --- a/NEWS +++ b/NEWS @@ -7,7 +7,8 @@ Major changes between OpenSSL 1.0.2n and OpenSSL 1.0.2o [under development] - o + o Constructed ASN.1 types with a recursive definition could exceed the + stack (CVE-2018-0739) Major changes between OpenSSL 1.0.2m and OpenSSL 1.0.2n [7 Dec 2017]
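Review bot: In the CHANGES hunk, the closing clause of the new entry, "so this is considered safe", has an unclear referent and can be read as saying the issue itself is harmless, directly after the entry states that it could result in a Denial Of Service attack. Suggest phrasing it as a scope statement, for example that SSL/TLS is not affected because it uses no such structures from untrusted sources, so that applications parsing untrusted PKCS7 or other recursively defined ASN.1 input do not read it as covering them. The entry also describes only the problem; one sentence on what the library now does with excessively nested input would tell users what behaviour to expect after upgrading.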
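Review bot: In the NEWS hunk, the context line above the new bullet still reads "[under development]", and the CHANGES header likewise still reads "[xx XXX xxxx]", although the subject says this update is for the new release; confirm that a later release commit fills in the date, or set it here. The bullet is also phrased as the defect ("could exceed the stack") rather than as a change or fix; naming the impact (Denial Of Service, as the CHANGES entry does) next to CVE-2018-0739 would let readers triage from NEWS alone.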