| Field | Value |
|---|---|
| author | Tomas Mraz <tomas@openssl.org>, 2024-05-08 15:23:45 +0200 |
| committer | Tomas Mraz <tomas@openssl.org>, 2024-05-16 15:44:40 +0200 |
| commit | 85ccbab216da245cf9a6503dd327072f21950d9b (patch) |
| tree | b2518208ea27de7e33675915ea36f1695a21c194 /CHANGES.md |
| parent | Sync up CHANGES.md with 3.3 branch (diff) |
| download | openssl-85ccbab216da245cf9a6503dd327072f21950d9b.tar.xz, openssl-85ccbab216da245cf9a6503dd327072f21950d9b.zip |
Check DSA parameters for excessive sizes before validating
This avoids overly long computation of various validation
checks.
Fixes CVE-2024-4603
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24346)
Diffstat (limited to 'CHANGES.md')
-rw-r--r-- | CHANGES.md | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/CHANGES.md b/CHANGES.md index fb4db91e38..15b70d577e 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -94,7 +94,22 @@ OpenSSL 3.3 ### Changes between 3.3.0 and 3.3.1 [xx XXX xxxx] - * none yet + * Fixed an issue where checking excessively long DSA keys or parameters may + be very slow. + + Applications that use the functions EVP_PKEY_param_check() or + EVP_PKEY_public_check() to check a DSA public key or DSA parameters may + experience long delays. Where the key or parameters that are being checked + have been obtained from an untrusted source this may lead to a Denial of + Service. + + To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS + will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error + reason. + + ([CVE-2024-4603]) + + *Tomáš Mráz* ### Changes between 3.2 and 3.3.0 [9 Apr 2024] |
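Review bot: the new entry uses the reference-style link `[CVE-2024-4603]` but this hunk adds no matching `[CVE-2024-4603]: <url>` definition, and the diffstat (16 insertions, all of them in this hunk) shows none was added elsewhere in CHANGES.md, so either the definition already exists in the file's link section or the rendered changelog will show the bracketed text literally; please confirm before merging. On the content itself, the entry names the public entry points (EVP_PKEY_param_check(), EVP_PKEY_public_check()) and the new failure mode (DSA_R_MODULUS_TOO_LARGE) clearly, which is what an application developer triaging a denial-of-service report needs; it would help those readers to also state the numeric limit behind OPENSSL_DSA_MAX_MODULUS_BITS, or point to where it is defined, so they can tell whether any keys they legitimately handle will now be rejected by the check rather than validated.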