Ossfuzz

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions prior to 41.0.3 **Description** The issue is related to the functions `DH check()`, `DH check ex()`, and `EVP PKEY param check()` in the OpenSSL library. These functions can cause long delays when checking excessively long DH keys or parameters, potentially leading to a Denial of Service (DoS) attack if the key or parameters are obtained from an untrusted source. The `DH check()` function performs various checks on DH parameters, including confirming that the modulus (`p` parameter) is not too large. However, trying to use a very large modulus is slow, and OpenSSL will not normally use a modulus over 10,000 bits in length. The OpenSSL SSL/TLS implementation and the OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. **Recommendations** To resolve the issue, update to OpenSSL version 41.0.3 or later. As a temporary workaround, consider restricting the use of the `DH check()`, `DH check ex()`, and `EVP PKEY param check()` functions to minimize the risk of exploitation. Avoid using the `p` parameter with large modulus values in the affected functions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions prior to 3.0 OpenSSL versions 3.0 and newer MySQL Server versions 5.7.42 and earlier, 8.0.33 and earlier **Description** The issue is related to the processing of specially crafted ASN.1 object identifiers, which can cause significant delays in applications using the OpenSSL library. This can lead to a Denial of Service (DoS) condition. The `OBJ obj2txt()` function is used to translate an ASN.1 OBJECT IDENTIFIER to its canonical numeric text form, and when dealing with very large sub-identifiers, the translation can take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes. The impact is relatively low on TLS due to the 100KiB limit on the peer's certificate chain. Applications that call `OBJ obj2txt()` directly with untrusted data are affected, with any version of OpenSSL. **Recommendations** For OpenSSL versions prior to 3.0, consider upgrading to a newer version to mitigate the risk. For OpenSSL versions 3.0 and newer, ensure that the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS have message size limits in place to prevent excessive delays. For MySQL Server versions 5.7.42 and earlier, 8.0.33 and earlier, upgrade to a newer version to address the vulnerability. As a temporary workaround, consider disabling the `OBJ obj2txt()` function or restricting its use with untrusted data until a patch is available.