OpenSSL patches infinite-loop DoS bug in certificate verification


OpenSSL published a security update this week.

The new versions are 3.0.2 and 1.1.1n, corresponding to the two currently supported flavors of OpenSSL (3.0 and 1.1.1).

The patch includes a few general fixes, such as error reporting that’s been tidied up, along with an update for CVE-2022-0778, found by well-known bug eliminator Tavis Ormandy of Google’s Project Zero team.

Ormandy himself described the bug as “a fun one to work on”:

The flaw ultimately came down to a program loop that almost always worked correctly, but sometimes didn’t, causing it to iterate infinitely. That hung up the program using the offending code and caused what’s known as a DoS, or denial-of-service, attack.
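The loop in question lives in OpenSSL's BN_mod_sqrt(), which computes modular square roots with the Tonelli-Shanks algorithm; that algorithm only terminates when the modulus is prime, and a certificate carrying explicit elliptic-curve parameters lets the peer choose the modulus (this is from the OpenSSL advisory, not from the article). The following is an added example, not code from the article or from OpenSSL, showing the defensive pattern the fix relies on: every loop gets an explicit bound, so a composite modulus produces an error instead of a hang. The cap of 82 non-residue tries is an assumption.

```python
# Added illustration for CVE-2022-0778, not OpenSSL's code.  BN_mod_sqrt()
# uses the Tonelli-Shanks algorithm, which only terminates when the modulus
# is prime.  A certificate with explicit EC parameters lets the peer pick
# that modulus, so every loop below has an explicit bound and a composite
# modulus becomes a ValueError instead of a hang.

NONRESIDUE_TRIES = 82  # assumed cap on the quadratic non-residue search


def mod_sqrt(a: int, p: int) -> int:
    """Return r with r*r == a (mod p), or raise ValueError."""
    if p < 2:
        raise ValueError("modulus must be >= 2")
    a %= p
    if a == 0 or p == 2:
        return a
    # Write p - 1 = q * 2**s with q odd.
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    # Find a quadratic non-residue z.  Prime p yields one quickly; for a
    # composite p none may exist, so the search is capped.
    for z in range(2, 2 + NONRESIDUE_TRIES):
        if pow(z, (p - 1) // 2, p) == p - 1:
            break
    else:
        raise ValueError("no non-residue found: modulus is not prime")
    m, c = s, pow(z, q, p)
    t, r = pow(a, q, p), pow(a, (q + 1) // 2, p)
    for _ in range(s):  # m strictly decreases, so at most s rounds
        if t == 1:
            break
        # Least i with t**(2**i) == 1.  For prime p it exists with i < m;
        # for composite p the squarings can cycle without ever reaching 1,
        # which is how an unbounded loop hangs.  Stop at m.
        i, tt = 0, t
        while tt != 1:
            tt = tt * tt % p
            i += 1
            if i >= m:
                raise ValueError("not a square, or modulus is not prime")
        b = pow(c, 1 << (m - i - 1), p)
        m, c = i, b * b % p
        t, r = t * c % p, r * b % p
    if r * r % p != a:  # final check: a bounded loop alone proves nothing
        raise ValueError("not a square, or modulus is not prime")
    return r
```

With the constructed composite modulus 221 = 13 * 17 and a = 2, the unbounded squaring sequence cycles through 3 and 9 modulo 13 and never reaches 1, so the bounded version raises on the second squaring where an unbounded one would spin forever.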