1 <!-- All security issues affecting OpenSSL since the release of:
8 <!-- The updated attribute should be the same as the first public issue,
9 unless an old entry was updated. -->
10 <security updated="20191206">
11 <issue public="20191206">
12 <impact severity="Low"/>
13 <cve name="2019-1551"/>
14 <affects base="1.1.1" version="1.1.1"/>
15 <affects base="1.1.1" version="1.1.1a"/>
16 <affects base="1.1.1" version="1.1.1b"/>
17 <affects base="1.1.1" version="1.1.1c"/>
18 <affects base="1.1.1" version="1.1.1d"/>
19 <affects base="1.0.2" version="1.0.2"/>
20 <affects base="1.0.2" version="1.0.2a"/>
21 <affects base="1.0.2" version="1.0.2b"/>
22 <affects base="1.0.2" version="1.0.2c"/>
23 <affects base="1.0.2" version="1.0.2d"/>
24 <affects base="1.0.2" version="1.0.2e"/>
25 <affects base="1.0.2" version="1.0.2f"/>
26 <affects base="1.0.2" version="1.0.2g"/>
27 <affects base="1.0.2" version="1.0.2h"/>
28 <affects base="1.0.2" version="1.0.2i"/>
29 <affects base="1.0.2" version="1.0.2j"/>
30 <affects base="1.0.2" version="1.0.2k"/>
31 <affects base="1.0.2" version="1.0.2l"/>
32 <affects base="1.0.2" version="1.0.2m"/>
33 <affects base="1.0.2" version="1.0.2n"/>
34 <affects base="1.0.2" version="1.0.2o"/>
35 <affects base="1.0.2" version="1.0.2p"/>
36 <affects base="1.0.2" version="1.0.2q"/>
37 <affects base="1.0.2" version="1.0.2r"/>
38 <affects base="1.0.2" version="1.0.2s"/>
39 <affects base="1.0.2" version="1.0.2t"/>
40 <fixed base="1.1.1" version="1.1.1e-dev" date="20191206">
41 <git hash="419102400a2811582a7a3d4a4e317d72e5ce0a8f"/>
43 <fixed base="1.0.2" version="1.0.2u" date="20191220">
44 <git hash="f1c5eea8a817075d31e43f5876993c6710238c98"/>
46 <problemtype>Integer overflow bug</problemtype>
47 <title>rsaz_512_sqr overflow bug on x86_64</title>
49 There is an overflow bug in the x64_64 Montgomery squaring procedure used in
50 exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis
51 suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a
52 result of this defect would be very difficult to perform and are not believed
53 likely. Attacks against DH512 are considered just feasible. However, for an
54 attack the target would have to re-use the DH512 private key, which is not
55 recommended anyway. Also applications directly using the low level API
56 BN_mod_exp may be affected if they use BN_FLG_CONSTTIME.
58 <advisory url="/news/secadv/20191206.txt"/>
59 <reported source="OSS-Fuzz and Guido Vranken"/>
61 <issue public="20190910">
62 <impact severity="Low"/>
63 <cve name="2019-1547"/>
64 <affects base="1.1.1" version="1.1.1"/>
65 <affects base="1.1.1" version="1.1.1a"/>
66 <affects base="1.1.1" version="1.1.1b"/>
67 <affects base="1.1.1" version="1.1.1c"/>
68 <affects base="1.1.0" version="1.1.0"/>
69 <affects base="1.1.0" version="1.1.0a"/>
70 <affects base="1.1.0" version="1.1.0b"/>
71 <affects base="1.1.0" version="1.1.0c"/>
72 <affects base="1.1.0" version="1.1.0d"/>
73 <affects base="1.1.0" version="1.1.0e"/>
74 <affects base="1.1.0" version="1.1.0f"/>
75 <affects base="1.1.0" version="1.1.0g"/>
76 <affects base="1.1.0" version="1.1.0h"/>
77 <affects base="1.1.0" version="1.1.0i"/>
78 <affects base="1.1.0" version="1.1.0j"/>
79 <affects base="1.1.0" version="1.1.0k"/>
80 <affects base="1.0.2" version="1.0.2"/>
81 <affects base="1.0.2" version="1.0.2a"/>
82 <affects base="1.0.2" version="1.0.2b"/>
83 <affects base="1.0.2" version="1.0.2c"/>
84 <affects base="1.0.2" version="1.0.2d"/>
85 <affects base="1.0.2" version="1.0.2e"/>
86 <affects base="1.0.2" version="1.0.2f"/>
87 <affects base="1.0.2" version="1.0.2g"/>
88 <affects base="1.0.2" version="1.0.2h"/>
89 <affects base="1.0.2" version="1.0.2i"/>
90 <affects base="1.0.2" version="1.0.2j"/>
91 <affects base="1.0.2" version="1.0.2k"/>
92 <affects base="1.0.2" version="1.0.2l"/>
93 <affects base="1.0.2" version="1.0.2m"/>
94 <affects base="1.0.2" version="1.0.2n"/>
95 <affects base="1.0.2" version="1.0.2o"/>
96 <affects base="1.0.2" version="1.0.2p"/>
97 <affects base="1.0.2" version="1.0.2q"/>
98 <affects base="1.0.2" version="1.0.2r"/>
99 <affects base="1.0.2" version="1.0.2s"/>
100 <fixed base="1.1.1" version="1.1.1d" date="20190910">
101 <git hash="30c22fa8b1d840036b8e203585738df62a03cec8"/>
103 <fixed base="1.1.0" version="1.1.0l" date="20190910">
104 <git hash="7c1709c2da5414f5b6133d00a03fc8c5bf996c7a"/>
106 <fixed base="1.0.2" version="1.0.2t" date="20190910">
107 <git hash="21c856b75d81eff61aa63b4f036bb64a85bf6d46"/>
109 <problemtype>Timing side channel</problemtype>
110 <title>ECDSA remote timing attack</title>
112 Normally in OpenSSL EC groups always have a co-factor present and this is used
113 in side channel resistant code paths. However, in some cases, it is possible to
114 construct a group using explicit parameters (instead of using a named curve). In
115 those cases it is possible that such a group does not have the cofactor present.
116 This can occur even where all the parameters match a known named curve.
118 If such a curve is used then OpenSSL falls back to non-side channel resistant
119 code paths which may result in full key recovery during an ECDSA signature
122 In order to be vulnerable an attacker would have to have the ability to time
123 the creation of a large number of signatures where explicit parameters with no
124 co-factor present are in use by an application using libcrypto.
126 For the avoidance of doubt libssl is not vulnerable because explicit parameters
129 <advisory url="/news/secadv/20190910.txt"/>
130 <reported source="Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley"/>
132 <issue public="20190910">
133 <impact severity="Low"/>
134 <cve name="2019-1549"/>
135 <affects base="1.1.1" version="1.1.1"/>
136 <affects base="1.1.1" version="1.1.1a"/>
137 <affects base="1.1.1" version="1.1.1b"/>
138 <affects base="1.1.1" version="1.1.1c"/>
139 <fixed base="1.1.1" version="1.1.1d" date="20190910">
140 <git hash="1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be"/>
142 <problemtype>Random Number Generation</problemtype>
143 <title>Fork Protection</title>
145 OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was
146 intended to include protection in the event of a fork() system call in order to
147 ensure that the parent and child processes did not share the same RNG state.
148 However this protection was not being used in the default case.
150 A partial mitigation for this issue is that the output from a high precision
151 timer is mixed into the RNG state so the likelihood of a parent and child
152 process sharing state is significantly reduced.
154 If an application already calls OPENSSL_init_crypto() explicitly using
155 OPENSSL_INIT_ATFORK then this problem does not occur at all.
157 <advisory url="/news/secadv/20190910.txt"/>
158 <reported source="Matt Caswell"/>
160 <issue public="20190910">
161 <impact severity="Low"/>
162 <cve name="2019-1563"/>
163 <affects base="1.1.1" version="1.1.1"/>
164 <affects base="1.1.1" version="1.1.1a"/>
165 <affects base="1.1.1" version="1.1.1b"/>
166 <affects base="1.1.1" version="1.1.1c"/>
167 <affects base="1.1.0" version="1.1.0"/>
168 <affects base="1.1.0" version="1.1.0a"/>
169 <affects base="1.1.0" version="1.1.0b"/>
170 <affects base="1.1.0" version="1.1.0c"/>
171 <affects base="1.1.0" version="1.1.0d"/>
172 <affects base="1.1.0" version="1.1.0e"/>
173 <affects base="1.1.0" version="1.1.0f"/>
174 <affects base="1.1.0" version="1.1.0g"/>
175 <affects base="1.1.0" version="1.1.0h"/>
176 <affects base="1.1.0" version="1.1.0i"/>
177 <affects base="1.1.0" version="1.1.0j"/>
178 <affects base="1.1.0" version="1.1.0k"/>
179 <affects base="1.0.2" version="1.0.2"/>
180 <affects base="1.0.2" version="1.0.2a"/>
181 <affects base="1.0.2" version="1.0.2b"/>
182 <affects base="1.0.2" version="1.0.2c"/>
183 <affects base="1.0.2" version="1.0.2d"/>
184 <affects base="1.0.2" version="1.0.2e"/>
185 <affects base="1.0.2" version="1.0.2f"/>
186 <affects base="1.0.2" version="1.0.2g"/>
187 <affects base="1.0.2" version="1.0.2h"/>
188 <affects base="1.0.2" version="1.0.2i"/>
189 <affects base="1.0.2" version="1.0.2j"/>
190 <affects base="1.0.2" version="1.0.2k"/>
191 <affects base="1.0.2" version="1.0.2l"/>
192 <affects base="1.0.2" version="1.0.2m"/>
193 <affects base="1.0.2" version="1.0.2n"/>
194 <affects base="1.0.2" version="1.0.2o"/>
195 <affects base="1.0.2" version="1.0.2p"/>
196 <affects base="1.0.2" version="1.0.2q"/>
197 <affects base="1.0.2" version="1.0.2r"/>
198 <affects base="1.0.2" version="1.0.2s"/>
199 <fixed base="1.1.1" version="1.1.1d" date="20190910">
200 <git hash="08229ad838c50f644d7e928e2eef147b4308ad64"/>
202 <fixed base="1.1.0" version="1.1.0l" date="20190910">
203 <git hash="631f94db0065c78181ca9ba5546ebc8bb3884b97"/>
205 <fixed base="1.0.2" version="1.0.2t" date="20190910">
206 <git hash="e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f"/>
208 <problemtype>Padding Oracle</problemtype>
209 <title>Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey</title>
211 In situations where an attacker receives automated notification of the success
212 or failure of a decryption attempt an attacker, after sending a very large
213 number of messages to be decrypted, can recover a CMS/PKCS7 transported
214 encryption key or decrypt any RSA encrypted message that was encrypted with the
215 public RSA key, using a Bleichenbacher padding oracle attack. Applications are
216 not affected if they use a certificate together with the private RSA key to the
217 CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to
220 <advisory url="/news/secadv/20190910.txt"/>
221 <reported source="Bernd Edlinger"/>
223 <issue public="20190730">
224 <impact severity="Low"/>
225 <cve name="2019-1552"/>
226 <affects base="1.1.1" version="1.1.1"/>
227 <affects base="1.1.1" version="1.1.1a"/>
228 <affects base="1.1.1" version="1.1.1b"/>
229 <affects base="1.1.1" version="1.1.1c"/>
230 <affects base="1.1.0" version="1.1.0"/>
231 <affects base="1.1.0" version="1.1.0a"/>
232 <affects base="1.1.0" version="1.1.0b"/>
233 <affects base="1.1.0" version="1.1.0c"/>
234 <affects base="1.1.0" version="1.1.0d"/>
235 <affects base="1.1.0" version="1.1.0e"/>
236 <affects base="1.1.0" version="1.1.0f"/>
237 <affects base="1.1.0" version="1.1.0g"/>
238 <affects base="1.1.0" version="1.1.0h"/>
239 <affects base="1.1.0" version="1.1.0i"/>
240 <affects base="1.1.0" version="1.1.0j"/>
241 <affects base="1.1.0" version="1.1.0k"/>
242 <affects base="1.0.2" version="1.0.2"/>
243 <affects base="1.0.2" version="1.0.2a"/>
244 <affects base="1.0.2" version="1.0.2b"/>
245 <affects base="1.0.2" version="1.0.2c"/>
246 <affects base="1.0.2" version="1.0.2d"/>
247 <affects base="1.0.2" version="1.0.2e"/>
248 <affects base="1.0.2" version="1.0.2f"/>
249 <affects base="1.0.2" version="1.0.2g"/>
250 <affects base="1.0.2" version="1.0.2h"/>
251 <affects base="1.0.2" version="1.0.2i"/>
252 <affects base="1.0.2" version="1.0.2j"/>
253 <affects base="1.0.2" version="1.0.2k"/>
254 <affects base="1.0.2" version="1.0.2l"/>
255 <affects base="1.0.2" version="1.0.2m"/>
256 <affects base="1.0.2" version="1.0.2n"/>
257 <affects base="1.0.2" version="1.0.2o"/>
258 <affects base="1.0.2" version="1.0.2p"/>
259 <affects base="1.0.2" version="1.0.2q"/>
260 <affects base="1.0.2" version="1.0.2r"/>
261 <affects base="1.0.2" version="1.0.2s"/>
262 <fixed base="1.1.1" version="1.1.1d" date="20190706">
263 <git hash="54aa9d51b09d67e90db443f682cface795f5af9e"/>
265 <fixed base="1.1.0" version="1.1.0l" date="20190727">
266 <git hash="e32bc855a81a2d48d215c506bdeb4f598045f7e9"/>
267 <git hash="b15a19c148384e73338aa7c5b12652138e35ed28"/>
269 <fixed base="1.0.2" version="1.0.2t" date="20190725">
270 <git hash="d333ebaf9c77332754a9d5e111e2f53e1de54fdd"/>
272 <problemtype>Insecure defaults</problemtype>
273 <title>Windows builds with insecure path defaults</title>
275 OpenSSL has internal defaults for a directory tree where it can find a
276 configuration file as well as certificates used for verification in
277 TLS. This directory is most commonly referred to as OPENSSLDIR, and
278 is configurable with the --prefix / --openssldir configuration options.
280 For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets
281 assume that resulting programs and libraries are installed in a
282 Unix-like environment and the default prefix for program installation
283 as well as for OPENSSLDIR should be '/usr/local'.
285 However, mingw programs are Windows programs, and as such, find
286 themselves looking at sub-directories of 'C:/usr/local', which may be
287 world writable, which enables untrusted users to modify OpenSSL's
288 default configuration, insert CA certificates, modify (or even
289 replace) existing engine modules, etc.
291 For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR
292 on all Unix and Windows targets, including Visual C builds. However,
293 some build instructions for the diverse Windows targets on 1.0.2
294 encourage you to specify your own --prefix.
296 OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue.
297 Due to the limited scope of affected deployments this has been
298 assessed as low severity and therefore we are not creating new
299 releases at this time.
301 <advisory url="/news/secadv/20190730.txt"/>
302 <reported source="Rich Mirch"/>
304 <issue public="20190306">
305 <impact severity="Low"/>
306 <cve name="2019-1543"/>
307 <affects base="1.1.1" version="1.1.1"/>
308 <affects base="1.1.1" version="1.1.1a"/>
309 <affects base="1.1.1" version="1.1.1b"/>
310 <affects base="1.1.0" version="1.1.0"/>
311 <affects base="1.1.0" version="1.1.0a"/>
312 <affects base="1.1.0" version="1.1.0b"/>
313 <affects base="1.1.0" version="1.1.0c"/>
314 <affects base="1.1.0" version="1.1.0d"/>
315 <affects base="1.1.0" version="1.1.0e"/>
316 <affects base="1.1.0" version="1.1.0f"/>
317 <affects base="1.1.0" version="1.1.0g"/>
318 <affects base="1.1.0" version="1.1.0h"/>
319 <affects base="1.1.0" version="1.1.0i"/>
320 <affects base="1.1.0" version="1.1.0j"/>
321 <fixed base="1.1.1" version="1.1.1c" date="20190528">
322 <git hash="f426625b6ae9a7831010750490a5f0ad689c5ba3"/>
324 <fixed base="1.1.0" version="1.1.0k" date="20190528">
325 <git hash="ee22257b1418438ebaf54df98af4e24f494d1809"/>
327 <problemtype>Nonce Reuse</problemtype>
328 <title>ChaCha20-Poly1305 with long nonces</title>
330 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every
331 encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96
332 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce
333 with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a
334 nonce to be set of up to 16 bytes. In this case only the last 12 bytes are
335 significant and any additional leading bytes are ignored.
337 It is a requirement of using this cipher that nonce values are unique. Messages
338 encrypted using a reused nonce value are susceptible to serious confidentiality
339 and integrity attacks. If an application changes the default nonce length to be
340 longer than 12 bytes and then makes a change to the leading bytes of the nonce
341 expecting the new value to be a new unique nonce then such an application could
342 inadvertently encrypt messages with a reused nonce.
344 Additionally the ignored bytes in a long nonce are not covered by the integrity
345 guarantee of this cipher. Any application that relies on the integrity of these
346 ignored leading bytes of a long nonce may be further affected.
348 Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because
349 no such use sets such a long nonce value. However user applications that use
350 this cipher directly and set a non-default nonce length to be longer than 12
351 bytes may be vulnerable.
353 OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited
354 scope of affected deployments this has been assessed as low severity and
355 therefore we are not creating new releases at this time.
357 <advisory url="/news/secadv/20190306.txt"/>
358 <reported source="Joran Dirk Greef of Ronomon"/>
360 <issue public="20190226">
361 <impact severity="Moderate"/>
362 <cve name="2019-1559"/>
363 <affects base="1.0.2" version="1.0.2"/>
364 <affects base="1.0.2" version="1.0.2a"/>
365 <affects base="1.0.2" version="1.0.2b"/>
366 <affects base="1.0.2" version="1.0.2c"/>
367 <affects base="1.0.2" version="1.0.2d"/>
368 <affects base="1.0.2" version="1.0.2e"/>
369 <affects base="1.0.2" version="1.0.2f"/>
370 <affects base="1.0.2" version="1.0.2g"/>
371 <affects base="1.0.2" version="1.0.2h"/>
372 <affects base="1.0.2" version="1.0.2i"/>
373 <affects base="1.0.2" version="1.0.2j"/>
374 <affects base="1.0.2" version="1.0.2k"/>
375 <affects base="1.0.2" version="1.0.2l"/>
376 <affects base="1.0.2" version="1.0.2m"/>
377 <affects base="1.0.2" version="1.0.2n"/>
378 <affects base="1.0.2" version="1.0.2o"/>
379 <affects base="1.0.2" version="1.0.2p"/>
380 <affects base="1.0.2" version="1.0.2q"/>
381 <fixed base="1.0.2" version="1.0.2r" date="20190226">
382 <git hash="e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e"/>
384 <problemtype>Padding Oracle</problemtype>
385 <title>0-byte record padding oracle</title>
387 If an application encounters a fatal protocol error and then calls
388 SSL_shutdown() twice (once to send a close_notify, and once to receive one) then
389 OpenSSL can respond differently to the calling application if a 0 byte record is
390 received with invalid padding compared to if a 0 byte record is received with an
391 invalid MAC. If the application then behaves differently based on that in a way
392 that is detectable to the remote peer, then this amounts to a padding oracle
393 that could be used to decrypt data.
395 In order for this to be exploitable "non-stitched" ciphersuites must be in use.
396 Stitched ciphersuites are optimised implementations of certain commonly used
397 ciphersuites. Also the application must call SSL_shutdown() twice even if a
398 protocol error has occurred (applications should not do this but some do
399 anyway). AEAD ciphersuites are not impacted.
401 <advisory url="/news/secadv/20190226.txt"/>
402 <reported source="Juraj Somorovsky, Robert Merget and Nimrod Aviram, with additional investigation by Steven Collison and Andrew Hourselt"/>
404 <issue public="20181102">
405 <impact severity="Low"/>
406 <cve name="2018-5407"/>
407 <affects base="1.1.0" version="1.1.0"/>
408 <affects base="1.1.0" version="1.1.0a"/>
409 <affects base="1.1.0" version="1.1.0b"/>
410 <affects base="1.1.0" version="1.1.0c"/>
411 <affects base="1.1.0" version="1.1.0d"/>
412 <affects base="1.1.0" version="1.1.0e"/>
413 <affects base="1.1.0" version="1.1.0f"/>
414 <affects base="1.1.0" version="1.1.0g"/>
415 <affects base="1.1.0" version="1.1.0h"/>
416 <affects base="1.0.2" version="1.0.2"/>
417 <affects base="1.0.2" version="1.0.2a"/>
418 <affects base="1.0.2" version="1.0.2b"/>
419 <affects base="1.0.2" version="1.0.2c"/>
420 <affects base="1.0.2" version="1.0.2d"/>
421 <affects base="1.0.2" version="1.0.2e"/>
422 <affects base="1.0.2" version="1.0.2f"/>
423 <affects base="1.0.2" version="1.0.2g"/>
424 <affects base="1.0.2" version="1.0.2h"/>
425 <affects base="1.0.2" version="1.0.2i"/>
426 <affects base="1.0.2" version="1.0.2j"/>
427 <affects base="1.0.2" version="1.0.2k"/>
428 <affects base="1.0.2" version="1.0.2l"/>
429 <affects base="1.0.2" version="1.0.2m"/>
430 <affects base="1.0.2" version="1.0.2n"/>
431 <affects base="1.0.2" version="1.0.2o"/>
432 <affects base="1.0.2" version="1.0.2p"/>
433 <fixed base="1.1.0" version="1.1.0i" date="20180814">
434 <git hash="aab7c770353b1dc4ba045938c8fb446dd1c4531e"/>
436 <fixed base="1.0.2" version="1.0.2q" date="20181112">
437 <git hash="b18162a7c9bbfb57112459a4d6631fa258fd8c0cq"/>
439 <problemtype>Side Channel Attack</problemtype>
440 <title>Microarchitecture timing vulnerability in ECC scalar multiplication</title>
442 OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown
443 to be vulnerable to a microarchitecture timing side channel attack. An attacker
444 with sufficient access to mount local timing attacks during ECDSA signature
445 generation could recover the private key.
447 <advisory url="/news/secadv/20181112.txt"/>
448 <reported source="Alejandro Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and Nicola Tuveri"/>
450 <issue public="20181030">
451 <impact severity="Low"/>
452 <cve name="2018-0734"/>
453 <affects base="1.1.1" version="1.1.1"/>
454 <affects base="1.1.0" version="1.1.0"/>
455 <affects base="1.1.0" version="1.1.0a"/>
456 <affects base="1.1.0" version="1.1.0b"/>
457 <affects base="1.1.0" version="1.1.0c"/>
458 <affects base="1.1.0" version="1.1.0d"/>
459 <affects base="1.1.0" version="1.1.0e"/>
460 <affects base="1.1.0" version="1.1.0f"/>
461 <affects base="1.1.0" version="1.1.0g"/>
462 <affects base="1.1.0" version="1.1.0h"/>
463 <affects base="1.1.0" version="1.1.0i"/>
464 <affects base="1.0.2" version="1.0.2"/>
465 <affects base="1.0.2" version="1.0.2a"/>
466 <affects base="1.0.2" version="1.0.2b"/>
467 <affects base="1.0.2" version="1.0.2c"/>
468 <affects base="1.0.2" version="1.0.2d"/>
469 <affects base="1.0.2" version="1.0.2e"/>
470 <affects base="1.0.2" version="1.0.2f"/>
471 <affects base="1.0.2" version="1.0.2g"/>
472 <affects base="1.0.2" version="1.0.2h"/>
473 <affects base="1.0.2" version="1.0.2i"/>
474 <affects base="1.0.2" version="1.0.2j"/>
475 <affects base="1.0.2" version="1.0.2k"/>
476 <affects base="1.0.2" version="1.0.2l"/>
477 <affects base="1.0.2" version="1.0.2m"/>
478 <affects base="1.0.2" version="1.0.2n"/>
479 <affects base="1.0.2" version="1.0.2o"/>
480 <affects base="1.0.2" version="1.0.2p"/>
481 <fixed base="1.1.1" version="1.1.1a" date="20181029">
482 <git hash="8abfe72e8c1de1b95f50aa0d9134803b4d00070f"/>
484 <fixed base="1.1.0" version="1.1.0j" date="20181029">
485 <git hash="ef11e19d1365eea2b1851e6f540a0bf365d303e7"/>
487 <fixed base="1.0.2" version="1.0.2q" date="20181030">
488 <git hash="43e6a58d4991a451daf4891ff05a48735df871ac"/>
490 <problemtype>Constant time issue</problemtype>
491 <title>Timing attack against DSA</title>
493 The OpenSSL DSA signature algorithm has been shown to be vulnerable
494 to a timing side channel attack. An attacker could use variations
495 in the signing algorithm to recover the private key.
497 <advisory url="/news/secadv/20181030.txt"/>
498 <reported source="Samuel Weiser"/>
500 <issue public="20181029">
501 <impact severity="Low"/>
502 <cve name="2018-0735"/>
503 <affects base="1.1.1" version="1.1.1"/>
504 <affects base="1.1.0" version="1.1.0"/>
505 <affects base="1.1.0" version="1.1.0a"/>
506 <affects base="1.1.0" version="1.1.0b"/>
507 <affects base="1.1.0" version="1.1.0c"/>
508 <affects base="1.1.0" version="1.1.0d"/>
509 <affects base="1.1.0" version="1.1.0e"/>
510 <affects base="1.1.0" version="1.1.0f"/>
511 <affects base="1.1.0" version="1.1.0g"/>
512 <affects base="1.1.0" version="1.1.0h"/>
513 <affects base="1.1.0" version="1.1.0i"/>
514 <fixed base="1.1.0" version="1.1.0j" date="20181029">
515 <git hash="56fb454d281a023b3f950d969693553d3f3ceea1"/>
517 <fixed base="1.1.1" version="1.1.1a" date="20181029">
518 <git hash="b1d6d55ece1c26fa2829e2b819b038d7b6d692b4"/>
520 <problemtype>Constant time issue</problemtype>
521 <title>Timing attack against ECDSA signature generation</title>
523 The OpenSSL ECDSA signature algorithm has been shown to be
524 vulnerable to a timing side channel attack. An attacker could use
525 variations in the signing algorithm to recover the private key.
527 <advisory url="/news/secadv/20181029.txt"/>
528 <reported source="Samuel Weiser"/>
530 <issue public="20180612">
531 <impact severity="Low"/>
532 <cve name="2018-0732"/>
533 <affects base="1.1.0" version="1.1.0"/>
534 <affects base="1.1.0" version="1.1.0a"/>
535 <affects base="1.1.0" version="1.1.0b"/>
536 <affects base="1.1.0" version="1.1.0c"/>
537 <affects base="1.1.0" version="1.1.0d"/>
538 <affects base="1.1.0" version="1.1.0e"/>
539 <affects base="1.1.0" version="1.1.0f"/>
540 <affects base="1.1.0" version="1.1.0g"/>
541 <affects base="1.1.0" version="1.1.0h"/>
542 <affects base="1.0.2" version="1.0.2"/>
543 <affects base="1.0.2" version="1.0.2a"/>
544 <affects base="1.0.2" version="1.0.2b"/>
545 <affects base="1.0.2" version="1.0.2c"/>
546 <affects base="1.0.2" version="1.0.2d"/>
547 <affects base="1.0.2" version="1.0.2e"/>
548 <affects base="1.0.2" version="1.0.2f"/>
549 <affects base="1.0.2" version="1.0.2g"/>
550 <affects base="1.0.2" version="1.0.2h"/>
551 <affects base="1.0.2" version="1.0.2i"/>
552 <affects base="1.0.2" version="1.0.2j"/>
553 <affects base="1.0.2" version="1.0.2k"/>
554 <affects base="1.0.2" version="1.0.2l"/>
555 <affects base="1.0.2" version="1.0.2m"/>
556 <affects base="1.0.2" version="1.0.2n"/>
557 <affects base="1.0.2" version="1.0.2o"/>
558 <fixed base="1.1.0" version="1.1.0i" date="20180814">
559 <git hash="ea7abeeabf92b7aca160bdd0208636d4da69f4f4"/>
561 <fixed base="1.0.2" version="1.0.2p" date="20180814">
562 <git hash="3984ef0b72831da8b3ece4745cac4f8575b19098"/>
564 <problemtype>Client side Denial of Service</problemtype>
565 <title>Client DoS due to large DH parameter</title>
567 During key agreement in a TLS handshake using a DH(E) based ciphersuite
568 a malicious server can send a very large prime value to the client. This
569 will cause the client to spend an unreasonably long period of time
570 generating a key for this prime resulting in a hang until the client has
571 finished. This could be exploited in a Denial Of Service attack.
573 <advisory url="/news/secadv/20180612.txt"/>
574 <reported source="Guido Vranken"/>
576 <issue public="20180416">
577 <impact severity="Low"/>
578 <cve name="2018-0737"/>
579 <affects base="1.1.0" version="1.1.0"/>
580 <affects base="1.1.0" version="1.1.0a"/>
581 <affects base="1.1.0" version="1.1.0b"/>
582 <affects base="1.1.0" version="1.1.0c"/>
583 <affects base="1.1.0" version="1.1.0d"/>
584 <affects base="1.1.0" version="1.1.0e"/>
585 <affects base="1.1.0" version="1.1.0f"/>
586 <affects base="1.1.0" version="1.1.0g"/>
587 <affects base="1.1.0" version="1.1.0h"/>
588 <affects base="1.0.2" version="1.0.2"/>
589 <affects base="1.0.2" version="1.0.2a"/>
590 <affects base="1.0.2" version="1.0.2b"/>
591 <affects base="1.0.2" version="1.0.2c"/>
592 <affects base="1.0.2" version="1.0.2d"/>
593 <affects base="1.0.2" version="1.0.2e"/>
594 <affects base="1.0.2" version="1.0.2f"/>
595 <affects base="1.0.2" version="1.0.2g"/>
596 <affects base="1.0.2" version="1.0.2h"/>
597 <affects base="1.0.2" version="1.0.2i"/>
598 <affects base="1.0.2" version="1.0.2j"/>
599 <affects base="1.0.2" version="1.0.2k"/>
600 <affects base="1.0.2" version="1.0.2l"/>
601 <affects base="1.0.2" version="1.0.2m"/>
602 <affects base="1.0.2" version="1.0.2n"/>
603 <affects base="1.0.2" version="1.0.2o"/>
604 <fixed base="1.1.0" version="1.1.0i" date="20180814">
605 <git hash="6939eab03a6e23d2bd2c3f5e34fe1d48e542e787"/>
607 <fixed base="1.0.2" version="1.0.2p" date="20180814">
608 <git hash="349a41da1ad88ad87825414752a8ff5fdd6a6c3f"/>
610 <problemtype>Constant time issue</problemtype>
611 <title>Cache timing vulnerability in RSA Key Generation</title>
613 The OpenSSL RSA Key generation algorithm has been shown to be vulnerable
614 to a cache timing side channel attack. An attacker with sufficient access
615 to mount cache timing attacks during the RSA key generation process could
616 recover the private key.
618 <advisory url="/news/secadv/20180416.txt"/>
619 <reported source="Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia"/>
621 <issue public="20180327">
622 <impact severity="Moderate"/>
623 <cve name="2018-0739"/>
624 <affects base="1.1.0" version="1.1.0"/>
625 <affects base="1.1.0" version="1.1.0a"/>
626 <affects base="1.1.0" version="1.1.0b"/>
627 <affects base="1.1.0" version="1.1.0c"/>
628 <affects base="1.1.0" version="1.1.0d"/>
629 <affects base="1.1.0" version="1.1.0e"/>
630 <affects base="1.1.0" version="1.1.0f"/>
631 <affects base="1.1.0" version="1.1.0g"/>
632 <affects base="1.0.2" version="1.0.2b"/>
633 <affects base="1.0.2" version="1.0.2c"/>
634 <affects base="1.0.2" version="1.0.2d"/>
635 <affects base="1.0.2" version="1.0.2e"/>
636 <affects base="1.0.2" version="1.0.2f"/>
637 <affects base="1.0.2" version="1.0.2g"/>
638 <affects base="1.0.2" version="1.0.2h"/>
639 <affects base="1.0.2" version="1.0.2i"/>
640 <affects base="1.0.2" version="1.0.2j"/>
641 <affects base="1.0.2" version="1.0.2k"/>
642 <affects base="1.0.2" version="1.0.2l"/>
643 <affects base="1.0.2" version="1.0.2m"/>
644 <affects base="1.0.2" version="1.0.2n"/>
645 <fixed base="1.1.0" version="1.1.0h" date="20180327">
646 <git hash="2ac4c6f7b2b2af20c0e2b0ba05367e454cd11b33"/>
648 <fixed base="1.0.2" version="1.0.2o" date="20180327">
649 <git hash="9310d45087ae546e27e61ddf8f6367f29848220d"/>
651 <problemtype>Stack overflow</problemtype>
652 <title>Constructed ASN.1 types with a recursive definition could exceed the stack</title>
654 Constructed ASN.1 types with a recursive definition (such as can be found
655 in PKCS7) could eventually exceed the stack given malicious input with
656 excessive recursion. This could result in a Denial Of Service attack.
657 There are no such structures used within SSL/TLS that come from untrusted
658 sources so this is considered safe.
660 <advisory url="/news/secadv/20180327.txt"/>
661 <reported source="OSS-fuzz"/>
663 <issue public="20180327">
664 <impact severity="Moderate"/>
665 <cve name="2018-0733"/>
666 <affects base="1.1.0" version="1.1.0"/>
667 <affects base="1.1.0" version="1.1.0a"/>
668 <affects base="1.1.0" version="1.1.0b"/>
669 <affects base="1.1.0" version="1.1.0c"/>
670 <affects base="1.1.0" version="1.1.0d"/>
671 <affects base="1.1.0" version="1.1.0e"/>
672 <affects base="1.1.0" version="1.1.0f"/>
673 <affects base="1.1.0" version="1.1.0g"/>
674 <fixed base="1.1.0" version="1.1.0h" date="20180327">
675 <git hash="56d5a4bfcaf37fa420aef2bb881aa55e61cf5f2f"/>
677 <problemtype>Message forgery</problemtype>
678 <title>Incorrect CRYPTO_memcmp on HP-UX PA-RISC</title>
680 Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
681 effectively reduced to only comparing the least significant bit of each
682 byte. This allows an attacker to forge messages that would be considered
683 as authenticated in an amount of tries lower than that guaranteed by the
684 security claims of the scheme. The module can only be compiled by the
685 HP-UX assembler, so that only HP-UX PA-RISC targets are affected.
687 <advisory url="/news/secadv/20180327.txt"/>
688 <reported source="Peter Waltenberg (IBM)"/>
690 <issue public="20171207">
691 <impact severity="Moderate"/>
692 <cve name="2017-3737"/>
693 <affects base="1.0.2" version="1.0.2b"/>
694 <affects base="1.0.2" version="1.0.2c"/>
695 <affects base="1.0.2" version="1.0.2d"/>
696 <affects base="1.0.2" version="1.0.2e"/>
697 <affects base="1.0.2" version="1.0.2f"/>
698 <affects base="1.0.2" version="1.0.2g"/>
699 <affects base="1.0.2" version="1.0.2h"/>
700 <affects base="1.0.2" version="1.0.2i"/>
701 <affects base="1.0.2" version="1.0.2j"/>
702 <affects base="1.0.2" version="1.0.2k"/>
703 <affects base="1.0.2" version="1.0.2l"/>
704 <affects base="1.0.2" version="1.0.2m"/>
705 <fixed base="1.0.2" version="1.0.2n" date="20171207">
706 <git hash="898fb884b706aaeb283de4812340bb0bde8476dc"/>
708 <problemtype>Unauthenticated read/unencrypted write</problemtype>
709 <title>Read/write after SSL object in error state</title>
711 OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"
712 mechanism. The intent was that if a fatal error occurred during a handshake then
713 OpenSSL would move into the error state and would immediately fail if you
714 attempted to continue the handshake. This works as designed for the explicit
715 handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()),
716 however due to a bug it does not work correctly if SSL_read() or SSL_write() is
717 called directly. In that scenario, if the handshake fails then a fatal error
718 will be returned in the initial function call. If SSL_read()/SSL_write() is
719 subsequently called by the application for the same SSL object then it will
720 succeed and the data is passed without being decrypted/encrypted directly from
721 the SSL/TLS record layer.
723 In order to exploit this issue an application bug would have to be present that
724 resulted in a call to SSL_read()/SSL_write() being issued after having already
725 received a fatal error.
727 <advisory url="/news/secadv/20171207.txt"/>
728 <reported source="David Benjamin (Google)"/>
730 <issue public="20171207">
731 <impact severity="Low"/>
732 <cve name="2017-3738"/>
733 <affects base="1.1.0" version="1.1.0"/>
734 <affects base="1.1.0" version="1.1.0a"/>
735 <affects base="1.1.0" version="1.1.0b"/>
736 <affects base="1.1.0" version="1.1.0c"/>
737 <affects base="1.1.0" version="1.1.0d"/>
738 <affects base="1.1.0" version="1.1.0e"/>
739 <affects base="1.1.0" version="1.1.0f"/>
740 <affects base="1.1.0" version="1.1.0g"/>
741 <affects base="1.0.2" version="1.0.2"/>
742 <affects base="1.0.2" version="1.0.2a"/>
743 <affects base="1.0.2" version="1.0.2b"/>
744 <affects base="1.0.2" version="1.0.2c"/>
745 <affects base="1.0.2" version="1.0.2d"/>
746 <affects base="1.0.2" version="1.0.2e"/>
747 <affects base="1.0.2" version="1.0.2f"/>
748 <affects base="1.0.2" version="1.0.2g"/>
749 <affects base="1.0.2" version="1.0.2h"/>
750 <affects base="1.0.2" version="1.0.2i"/>
751 <affects base="1.0.2" version="1.0.2j"/>
752 <affects base="1.0.2" version="1.0.2k"/>
753 <affects base="1.0.2" version="1.0.2l"/>
754 <affects base="1.0.2" version="1.0.2m"/>
755 <fixed base="1.0.2" version="1.0.2n" date="20171207">
756 <git hash="ca51bafc1a88d8b8348f5fd97adc5d6ca93f8e76"/>
758 <fixed base="1.1.0" version="1.1.0h" date="20180327">
759 <git hash="e502cc86df9dafded1694fceb3228ee34d11c11a"/>
761 <problemtype>carry-propagating bug</problemtype>
762 <title>bn_sqrx8x_internal carry bug on x86_64</title>
764 There is an overflow bug in the AVX2 Montgomery multiplication procedure
765 used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
766 Analysis suggests that attacks against RSA and DSA as a result of this defect
767 would be very difficult to perform and are not believed likely. Attacks
768 against DH1024 are considered just feasible, because most of the work
769 necessary to deduce information about a private key may be performed offline.
770 The amount of resources required for such an attack would be significant.
771 However, for an attack on TLS to be meaningful, the server would have to share
772 the DH1024 private key among multiple clients, which is no longer an option
775 This only affects processors that support the AVX2 but not ADX extensions
776 like Intel Haswell (4th generation).
778 Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732
781 Due to the low severity of this issue we are not issuing a new release of
782 OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it
783 becomes available. The fix is also available in commit e502cc86d in the OpenSSL
786 <advisory url="/news/secadv/20171207.txt"/>
787 <reported source="David Benjamin (Google)/Google OSS-Fuzz"/>
789 <issue public="20171102">
790 <impact severity="Moderate"/>
791 <cve name="2017-3736"/>
792 <affects base="1.1.0" version="1.1.0"/>
793 <affects base="1.1.0" version="1.1.0a"/>
794 <affects base="1.1.0" version="1.1.0b"/>
795 <affects base="1.1.0" version="1.1.0c"/>
796 <affects base="1.1.0" version="1.1.0d"/>
797 <affects base="1.1.0" version="1.1.0e"/>
798 <affects base="1.1.0" version="1.1.0f"/>
799 <affects base="1.0.2" version="1.0.2"/>
800 <affects base="1.0.2" version="1.0.2a"/>
801 <affects base="1.0.2" version="1.0.2b"/>
802 <affects base="1.0.2" version="1.0.2c"/>
803 <affects base="1.0.2" version="1.0.2d"/>
804 <affects base="1.0.2" version="1.0.2e"/>
805 <affects base="1.0.2" version="1.0.2f"/>
806 <affects base="1.0.2" version="1.0.2g"/>
807 <affects base="1.0.2" version="1.0.2h"/>
808 <affects base="1.0.2" version="1.0.2i"/>
809 <affects base="1.0.2" version="1.0.2j"/>
810 <affects base="1.0.2" version="1.0.2k"/>
811 <affects base="1.0.2" version="1.0.2l"/>
812 <fixed base="1.0.2" version="1.0.2m" date="20171102">
813 <git hash="38d600147331d36e74174ebbd4008b63188b321b"/>
815 <fixed base="1.1.0" version="1.1.0g" date="20171102">
816 <git hash="4443cf7aa0099e5ce615c18cee249fff77fb0871"/>
818 <problemtype>carry-propagating bug</problemtype>
819 <title>bn_sqrx8x_internal carry bug on x86_64</title>
821 There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No
822 EC algorithms are affected. Analysis suggests that attacks against RSA and DSA
823 as a result of this defect would be very difficult to perform and are not
824 believed likely. Attacks against DH are considered just feasible (although very
825 difficult) because most of the work necessary to deduce information
826 about a private key may be performed offline. The amount of resources
827 required for such an attack would be very significant and likely only
828 accessible to a limited number of attackers. An attacker would
829 additionally need online access to an unpatched system using the target
830 private key in a scenario with persistent DH parameters and a private
831 key that is shared between multiple clients.
833 This only affects processors that support the BMI1, BMI2 and ADX extensions like
834 Intel Broadwell (5th generation) and later or AMD Ryzen.
836 <advisory url="/news/secadv/20171102.txt"/>
837 <reported source="Google OSS-Fuzz"/>
839 <issue public="20170828">
840 <impact severity="Low"/>
841 <cve name="2017-3735"/>
842 <affects base="1.1.0" version="1.1.0"/>
843 <affects base="1.1.0" version="1.1.0a"/>
844 <affects base="1.1.0" version="1.1.0b"/>
845 <affects base="1.1.0" version="1.1.0c"/>
846 <affects base="1.1.0" version="1.1.0d"/>
847 <affects base="1.1.0" version="1.1.0e"/>
848 <affects base="1.1.0" version="1.1.0f"/>
849 <affects base="1.0.2" version="1.0.2"/>
850 <affects base="1.0.2" version="1.0.2a"/>
851 <affects base="1.0.2" version="1.0.2b"/>
852 <affects base="1.0.2" version="1.0.2c"/>
853 <affects base="1.0.2" version="1.0.2d"/>
854 <affects base="1.0.2" version="1.0.2e"/>
855 <affects base="1.0.2" version="1.0.2f"/>
856 <affects base="1.0.2" version="1.0.2g"/>
857 <affects base="1.0.2" version="1.0.2h"/>
858 <affects base="1.0.2" version="1.0.2i"/>
859 <affects base="1.0.2" version="1.0.2j"/>
860 <affects base="1.0.2" version="1.0.2k"/>
861 <affects base="1.0.2" version="1.0.2l"/>
862 <fixed base="1.0.2" version="1.0.2m" date="20171102">
863 <git hash="31c8b265591a0aaa462a1f3eb5770661aaac67db"/>
865 <fixed base="1.1.0" version="1.1.0g" date="20171102">
866 <git hash="068b963bb7afc57f5bdd723de0dd15e7795d5822"/>
868 <problemtype>out-of-bounds read</problemtype>
869 <title>Possible Overread in parsing X.509 IPAdressFamily</title>
871 While parsing an IPAdressFamily extension in an X.509 certificate,
872 it is possible to do a one-byte overread. This would result in
873 an incorrect text display of the certificate.
875 <advisory url="/news/secadv/20170828.txt"/>
876 <reported source="Google OSS-Fuzz"/>
878 <issue public="20170216">
879 <impact severity="High"/>
880 <cve name="2017-3733"/>
881 <affects base="1.1.0" version="1.1.0"/>
882 <affects base="1.1.0" version="1.1.0a"/>
883 <affects base="1.1.0" version="1.1.0b"/>
884 <affects base="1.1.0" version="1.1.0c"/>
885 <affects base="1.1.0" version="1.1.0d"/>
886 <fixed base="1.1.0" version="1.1.0e" date="20170216">
887 <git hash="4ad93618d26a3ea23d36ad5498ff4f59eff3a4d2"/>
889 <problemtype>protocol error</problemtype>
890 <title>Encrypt-Then-Mac renegotiation crash</title>
892 During a renegotiation handshake if the Encrypt-Then-Mac extension is
893 negotiated where it was not in the original handshake (or vice-versa) then
894 this can cause OpenSSL to crash (dependent on ciphersuite). Both clients
895 and servers are affected.
897 <advisory url="/news/secadv/20170216.txt"/>
898 <reported source="Joe Orton (Red Hat)" />
900 <issue public="20170126">
901 <impact severity="Moderate"/>
902 <cve name="2017-3731"/>
903 <affects base="1.1.0" version="1.1.0"/>
904 <affects base="1.1.0" version="1.1.0a"/>
905 <affects base="1.1.0" version="1.1.0b"/>
906 <affects base="1.1.0" version="1.1.0c"/>
907 <affects base="1.0.2" version="1.0.2"/>
908 <affects base="1.0.2" version="1.0.2a"/>
909 <affects base="1.0.2" version="1.0.2b"/>
910 <affects base="1.0.2" version="1.0.2c"/>
911 <affects base="1.0.2" version="1.0.2d"/>
912 <affects base="1.0.2" version="1.0.2e"/>
913 <affects base="1.0.2" version="1.0.2f"/>
914 <affects base="1.0.2" version="1.0.2g"/>
915 <affects base="1.0.2" version="1.0.2h"/>
916 <affects base="1.0.2" version="1.0.2i"/>
917 <affects base="1.0.2" version="1.0.2j"/>
918 <fixed base="1.1.0" version="1.1.0d" date="20170126">
919 <git hash="00d965474b22b54e4275232bc71ee0c699c5cd21"/>
921 <fixed base="1.0.2" version="1.0.2k" date="20170126">
922 <git hash="51d009043670a627d6abe66894126851cf3690e9"/>
924 <problemtype>out-of-bounds read</problemtype>
925 <title>Truncated packet could crash via OOB read</title>
927 If an SSL/TLS server or client is running on a 32-bit host, and a specific
928 cipher is being used, then a truncated packet can cause that server or
929 client to perform an out-of-bounds read, usually resulting in a crash.
931 For OpenSSL 1.1.0, the crash can be triggered when using
932 CHACHA20/POLY1305; users should upgrade to 1.1.0d.
934 For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users
935 who have not disabled that algorithm should update to 1.0.2k
937 <advisory url="/news/secadv/20170126.txt"/>
938 <reported source="Robert Święcki of Google" />
940 <issue public="20170126">
941 <impact severity="Moderate"/>
942 <cve name="2017-3730"/>
943 <affects base="1.1.0" version="1.1.0"/>
944 <affects base="1.1.0" version="1.1.0a"/>
945 <affects base="1.1.0" version="1.1.0b"/>
946 <affects base="1.1.0" version="1.1.0c"/>
947 <fixed base="1.1.0" version="1.1.0d" date="20170126">
948 <git hash="efbe126e3ebb9123ac9d058aa2bb044261342aaa"/>
950 <problemtype>NULL pointer deference</problemtype>
951 <title>Bad (EC)DHE parameters cause a client crash</title>
953 If a malicious server supplies bad parameters for a DHE or ECDHE key
954 exchange then this can result in the client attempting to dereference a
955 NULL pointer leading to a client crash. This could be exploited in a
956 Denial of Service attack.
958 <advisory url="/news/secadv/20170126.txt"/>
959 <reported source="Guido Vranken" />
961 <issue public="20170126">
962 <impact severity="Moderate"/>
963 <cve name="2017-3732"/>
964 <affects base="1.1.0" version="1.1.0"/>
965 <affects base="1.1.0" version="1.1.0a"/>
966 <affects base="1.1.0" version="1.1.0b"/>
967 <affects base="1.1.0" version="1.1.0c"/>
968 <affects base="1.0.2" version="1.0.2"/>
969 <affects base="1.0.2" version="1.0.2a"/>
970 <affects base="1.0.2" version="1.0.2b"/>
971 <affects base="1.0.2" version="1.0.2c"/>
972 <affects base="1.0.2" version="1.0.2d"/>
973 <affects base="1.0.2" version="1.0.2e"/>
974 <affects base="1.0.2" version="1.0.2f"/>
975 <affects base="1.0.2" version="1.0.2g"/>
976 <affects base="1.0.2" version="1.0.2h"/>
977 <affects base="1.0.2" version="1.0.2i"/>
978 <affects base="1.0.2" version="1.0.2j"/>
979 <fixed base="1.1.0" version="1.1.0d" date="20170126">
980 <git hash="a59b90bf491410f1f2bc4540cc21f1980fd14c5b"/>
982 <fixed base="1.0.2" version="1.0.2k" date="20170126">
983 <git hash="760d04342a495ee86bf5adc71a91d126af64397f"/>
985 <problemtype>carry-propagating bug</problemtype>
986 <title>BN_mod_exp may produce incorrect results on x86_64</title>
988 There is a carry propagating bug in the x86_64 Montgomery squaring
989 procedure. No EC algorithms are affected. Analysis suggests that attacks
990 against RSA and DSA as a result of this defect would be very difficult to
991 perform and are not believed likely. Attacks against DH are considered
992 just feasible (although very difficult) because most of the work necessary
993 to deduce information about a private key may be performed offline. The
994 amount of resources required for such an attack would be very significant
995 and likely only accessible to a limited number of attackers. An attacker
996 would additionally need online access to an unpatched system using the
997 target private key in a scenario with persistent DH parameters and a
998 private key that is shared between multiple clients. For example this can
999 occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This
1000 issue is very similar to CVE-2015-3193 but must be treated as a separate
1003 <advisory url="/news/secadv/20170126.txt"/>
1004 <reported source="OSS-Fuzz project" />
1006 <issue public="20161110">
1007 <impact severity="High"/>
1008 <cve name="2016-7054"/>
1009 <affects base="1.1.0" version="1.1.0"/>
1010 <affects base="1.1.0" version="1.1.0a"/>
1011 <affects base="1.1.0" version="1.1.0b"/>
1012 <fixed base="1.1.0" version="1.1.0c" date="20161110">
1013 <git hash="99d97842ddb5fbbbfb5e9820a64ebd19afe569f6"/>
1015 <problemtype>protocol error</problemtype>
1016 <title>ChaCha20/Poly1305 heap-buffer-overflow</title>
1018 TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to
1019 a DoS attack by corrupting larger payloads. This can result in an OpenSSL
1020 crash. This issue is not considered to be exploitable beyond a DoS.
1022 <advisory url="/news/secadv/20161110.txt"/>
1023 <reported source="Robert Święcki (Google Security Team)" date="20160925"/>
1025 <issue public="20161110">
1026 <impact severity="Moderate"/>
1027 <cve name="2016-7053"/>
1028 <affects base="1.1.0" version="1.1.0"/>
1029 <affects base="1.1.0" version="1.1.0a"/>
1030 <affects base="1.1.0" version="1.1.0b"/>
1031 <fixed base="1.1.0" version="1.1.0c" date="20161110">
1032 <git hash="610b66267e41a32805ab54cbc580c5a6d5826cb4"/>
1034 <problemtype>NULL pointer deference</problemtype>
1035 <title>CMS Null dereference</title>
1037 Applications parsing invalid CMS structures can crash with a NULL pointer
1038 dereference. This is caused by a bug in the handling of the ASN.1 CHOICE
1039 type in OpenSSL 1.1.0 which can result in a NULL value being passed to the
1040 structure callback if an attempt is made to free certain invalid
1041 encodings. Only CHOICE structures using a callback which do not handle
1042 NULL value are affected.
1044 <advisory url="/news/secadv/20161110.txt"/>
1045 <reported source="Tyler Nighswander (ForAllSecure)" date="20161012"/>
1047 <issue public="20161110">
1048 <impact severity="Low"/>
1049 <cve name="2016-7055"/>
1050 <affects base="1.1.0" version="1.1.0"/>
1051 <affects base="1.1.0" version="1.1.0a"/>
1052 <affects base="1.1.0" version="1.1.0b"/>
1053 <affects base="1.0.2" version="1.0.2"/>
1054 <affects base="1.0.2" version="1.0.2a"/>
1055 <affects base="1.0.2" version="1.0.2b"/>
1056 <affects base="1.0.2" version="1.0.2c"/>
1057 <affects base="1.0.2" version="1.0.2d"/>
1058 <affects base="1.0.2" version="1.0.2e"/>
1059 <affects base="1.0.2" version="1.0.2f"/>
1060 <affects base="1.0.2" version="1.0.2g"/>
1061 <affects base="1.0.2" version="1.0.2h"/>
1062 <affects base="1.0.2" version="1.0.2i"/>
1063 <affects base="1.0.2" version="1.0.2j"/>
1064 <fixed base="1.1.0" version="1.1.0c" date="20161110">
1065 <git hash="2a7dd548a6f5d6f7f84a89c98323b70a2822406e"/>
1067 <fixed base="1.0.2" version="1.0.2k" date="20170126">
1068 <git hash="57c4b9f6a2f800b41ce2836986fe33640f6c3f8a"/>
1070 <problemtype>carry propagating bug</problemtype>
1071 <title>Montgomery multiplication may produce incorrect results</title>
1073 There is a carry propagating bug in the Broadwell-specific Montgomery
1074 multiplication procedure that handles input lengths divisible by, but
1075 longer than 256 bits. Analysis suggests that attacks against RSA, DSA
1076 and DH private keys are impossible. This is because the subroutine in
1077 question is not used in operations with the private key itself and an
1078 input of the attacker's direct choice. Otherwise the bug can manifest
1079 itself as transient authentication and key negotiation failures or
1080 reproducible erroneous outcome of public-key operations with specially
1081 crafted input. Among EC algorithms only Brainpool P-512 curves are
1082 affected and one presumably can attack ECDH key negotiation. Impact was
1083 not analyzed in detail, because pre-requisites for attack are considered
1084 unlikely. Namely multiple clients have to choose the curve in question and
1085 the server has to share the private key among them, neither of which is
1086 default behaviour. Even then only clients that chose the curve will be
1089 <advisory url="/news/secadv/20161110.txt"/>
1090 <reported source="Publicly reported" />
1092 <issue public="20160926">
1093 <impact severity="Critical"/>
1094 <cve name="2016-6309"/>
1095 <affects base="1.1.0" version="1.1.0a"/>
1096 <fixed base="1.1.0" version="1.1.0b" date="20160926">
1097 <git hash="acacbfa7565c78d2273c0b2a2e5e803f44afefeb"/>
1100 <problemtype>write to free</problemtype>
1102 This issue only affects OpenSSL 1.1.0a, released on 22nd September 2016.
1104 The patch applied to address CVE-2016-6307 resulted in an issue where if a
1105 message larger than approx 16k is received then the underlying buffer to store
1106 the incoming message is reallocated and moved. Unfortunately a dangling pointer
1107 to the old location is left which results in an attempt to write to the
1108 previously freed location. This is likely to result in a crash, however it
1109 could potentially lead to execution of arbitrary code.
1111 <advisory url="/news/secadv/20160926.txt"/>
1112 <reported source="Robert Święcki (Google Security Team)" date="20160923"/>
1114 <issue public="20160926">
1115 <impact severity="Moderate"/>
1116 <cve name="2016-7052"/>
1117 <affects base="1.0.2" version="1.0.2i"/>
1118 <fixed base="1.0.2" version="1.0.2j" date="20160926">
1119 <git hash="6e629b5be45face20b4ca71c4fcbfed78b864a2e"/>
1121 <problemtype>NULL pointer exception</problemtype>
1123 This issue only affects OpenSSL 1.0.2i, released on 22nd September 2016.
1125 A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
1126 but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
1127 CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
1129 <advisory url="/news/secadv/20160926.txt"/>
1130 <reported source="Bruce Stephens and Thomas Jakobi" date="20160922"/>
1132 <issue public="20160922">
1133 <impact severity="High"/>
1134 <cve name="2016-6304"/>
1135 <affects base="1.0.1" version="1.0.1"/>
1136 <affects base="1.0.1" version="1.0.1a"/>
1137 <affects base="1.0.1" version="1.0.1b"/>
1138 <affects base="1.0.1" version="1.0.1c"/>
1139 <affects base="1.0.1" version="1.0.1d"/>
1140 <affects base="1.0.1" version="1.0.1e"/>
1141 <affects base="1.0.1" version="1.0.1f"/>
1142 <affects base="1.0.1" version="1.0.1g"/>
1143 <affects base="1.0.1" version="1.0.1h"/>
1144 <affects base="1.0.1" version="1.0.1i"/>
1145 <affects base="1.0.1" version="1.0.1j"/>
1146 <affects base="1.0.1" version="1.0.1k"/>
1147 <affects base="1.0.1" version="1.0.1l"/>
1148 <affects base="1.0.1" version="1.0.1m"/>
1149 <affects base="1.0.1" version="1.0.1n"/>
1150 <affects base="1.0.1" version="1.0.1o"/>
1151 <affects base="1.0.1" version="1.0.1p"/>
1152 <affects base="1.0.1" version="1.0.1q"/>
1153 <affects base="1.0.1" version="1.0.1r"/>
1154 <affects base="1.0.1" version="1.0.1s"/>
1155 <affects base="1.0.1" version="1.0.1t"/>
1156 <affects base="1.0.2" version="1.0.2"/>
1157 <affects base="1.0.2" version="1.0.2a"/>
1158 <affects base="1.0.2" version="1.0.2b"/>
1159 <affects base="1.0.2" version="1.0.2c"/>
1160 <affects base="1.0.2" version="1.0.2d"/>
1161 <affects base="1.0.2" version="1.0.2e"/>
1162 <affects base="1.0.2" version="1.0.2f"/>
1163 <affects base="1.0.2" version="1.0.2g"/>
1164 <affects base="1.0.2" version="1.0.2h"/>
1165 <affects base="1.1.0" version="1.1.0"/>
1166 <fixed base="1.0.1" version="1.0.1u" date="20160922">
1167 <git hash="2c0d295e26306e15a92eb23a84a1802005c1c137"/>
1169 <fixed base="1.0.2" version="1.0.2i" date="20160922">
1170 <git hash="ea39b16b71e4e72a228a4535bd6d6a02c5edbc1f"/>
1172 <fixed base="1.1.0" version="1.1.0a" date="20160922">
1173 <git hash="a59ab1c4dd27a4c7c6e88f3c33747532fd144412"/>
1176 <problemtype>memory leak</problemtype>
1178 A malicious client can send an excessively large OCSP Status Request extension.
1179 If that client continually requests renegotiation, sending a large OCSP Status
1180 Request extension each time, then there will be unbounded memory growth on the
1181 server. This will eventually lead to a Denial Of Service attack through memory
1182 exhaustion. Servers with a default configuration are vulnerable even if they do
1183 not support OCSP. Builds using the "no-ocsp" build time option are not affected.
1185 Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default
1186 configuration, instead only if an application explicitly enables OCSP stapling
1189 <advisory url="/news/secadv/20160922.txt"/>
1190 <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160829"/>
1192 <issue public="20160922">
1193 <impact severity="Moderate"/>
1194 <cve name="2016-6305"/>
1195 <affects base="1.1.0" version="1.1.0"/>
1196 <fixed base="1.1.0" version="1.1.0a" date="20160922">
1197 <git hash="63658103d4441924f8dbfc517b99bb54758a98b9"/>
1201 OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer sends an
1202 empty record. This could be exploited by a malicious peer in a Denial Of Service
1205 <advisory url="/news/secadv/20160922.txt"/>
1206 <reported source="Alex Gaynor" date="20160910"/>
1208 <issue public="20160824">
1209 <impact severity="Low"/>
1210 <cve name="2016-6303"/>
1211 <affects base="1.0.1" version="1.0.1"/>
1212 <affects base="1.0.1" version="1.0.1a"/>
1213 <affects base="1.0.1" version="1.0.1b"/>
1214 <affects base="1.0.1" version="1.0.1c"/>
1215 <affects base="1.0.1" version="1.0.1d"/>
1216 <affects base="1.0.1" version="1.0.1e"/>
1217 <affects base="1.0.1" version="1.0.1f"/>
1218 <affects base="1.0.1" version="1.0.1g"/>
1219 <affects base="1.0.1" version="1.0.1h"/>
1220 <affects base="1.0.1" version="1.0.1i"/>
1221 <affects base="1.0.1" version="1.0.1j"/>
1222 <affects base="1.0.1" version="1.0.1k"/>
1223 <affects base="1.0.1" version="1.0.1l"/>
1224 <affects base="1.0.1" version="1.0.1m"/>
1225 <affects base="1.0.1" version="1.0.1n"/>
1226 <affects base="1.0.1" version="1.0.1o"/>
1227 <affects base="1.0.1" version="1.0.1p"/>
1228 <affects base="1.0.1" version="1.0.1q"/>
1229 <affects base="1.0.1" version="1.0.1r"/>
1230 <affects base="1.0.1" version="1.0.1s"/>
1231 <affects base="1.0.1" version="1.0.1t"/>
1232 <affects base="1.0.2" version="1.0.2"/>
1233 <affects base="1.0.2" version="1.0.2a"/>
1234 <affects base="1.0.2" version="1.0.2b"/>
1235 <affects base="1.0.2" version="1.0.2c"/>
1236 <affects base="1.0.2" version="1.0.2d"/>
1237 <affects base="1.0.2" version="1.0.2e"/>
1238 <affects base="1.0.2" version="1.0.2f"/>
1239 <affects base="1.0.2" version="1.0.2g"/>
1240 <affects base="1.0.2" version="1.0.2h"/>
1241 <fixed base="1.0.1" version="1.0.1u" date="20160922">
1242 <git hash="2b4029e68fd7002d2307e6c3cde0f3784eef9c83"/>
1244 <fixed base="1.0.2" version="1.0.2i" date="20160922">
1245 <git hash="1027ad4f34c30b8585592764b9a670ba36888269"/>
1249 An overflow can occur in MDC2_Update() either if called directly or
1250 through the EVP_DigestUpdate() function using MDC2. If an attacker
1251 is able to supply very large amounts of input data after a previous
1252 call to EVP_EncryptUpdate() with a partial block then a length check
1253 can overflow resulting in a heap corruption.
1255 The amount of data needed is comparable to SIZE_MAX which is impractical
1258 <advisory url="/news/secadv/20160922.txt"/>
1259 <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160811"/>
1261 <issue public="20160823">
1262 <impact severity="Low"/>
1263 <cve name="2016-6302"/>
1264 <affects base="1.0.1" version="1.0.1"/>
1265 <affects base="1.0.1" version="1.0.1a"/>
1266 <affects base="1.0.1" version="1.0.1b"/>
1267 <affects base="1.0.1" version="1.0.1c"/>
1268 <affects base="1.0.1" version="1.0.1d"/>
1269 <affects base="1.0.1" version="1.0.1e"/>
1270 <affects base="1.0.1" version="1.0.1f"/>
1271 <affects base="1.0.1" version="1.0.1g"/>
1272 <affects base="1.0.1" version="1.0.1h"/>
1273 <affects base="1.0.1" version="1.0.1i"/>
1274 <affects base="1.0.1" version="1.0.1j"/>
1275 <affects base="1.0.1" version="1.0.1k"/>
1276 <affects base="1.0.1" version="1.0.1l"/>
1277 <affects base="1.0.1" version="1.0.1m"/>
1278 <affects base="1.0.1" version="1.0.1n"/>
1279 <affects base="1.0.1" version="1.0.1o"/>
1280 <affects base="1.0.1" version="1.0.1p"/>
1281 <affects base="1.0.1" version="1.0.1q"/>
1282 <affects base="1.0.1" version="1.0.1r"/>
1283 <affects base="1.0.1" version="1.0.1s"/>
1284 <affects base="1.0.1" version="1.0.1t"/>
1285 <affects base="1.0.2" version="1.0.2"/>
1286 <affects base="1.0.2" version="1.0.2a"/>
1287 <affects base="1.0.2" version="1.0.2b"/>
1288 <affects base="1.0.2" version="1.0.2c"/>
1289 <affects base="1.0.2" version="1.0.2d"/>
1290 <affects base="1.0.2" version="1.0.2e"/>
1291 <affects base="1.0.2" version="1.0.2f"/>
1292 <affects base="1.0.2" version="1.0.2g"/>
1293 <affects base="1.0.2" version="1.0.2h"/>
1294 <fixed base="1.0.1" version="1.0.1u" date="20160922">
1295 <git hash="1bbe48ab149893a78bf99c8eb8895c928900a16f"/>
1297 <fixed base="1.0.2" version="1.0.2i" date="20160922">
1298 <git hash="baaabfd8fdcec04a691695fad9a664bea43202b6"/>
1302 If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
1303 DoS attack where a malformed ticket will result in an OOB read which will
1306 The use of SHA512 in TLS session tickets is comparatively rare as it requires
1307 a custom server callback and ticket lookup mechanism.
1309 <advisory url="/news/secadv/20160922.txt"/>
1310 <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160819"/>
1312 <issue public="20160816">
1313 <impact severity="Low"/>
1314 <cve name="2016-2182"/>
1315 <affects base="1.0.1" version="1.0.1"/>
1316 <affects base="1.0.1" version="1.0.1a"/>
1317 <affects base="1.0.1" version="1.0.1b"/>
1318 <affects base="1.0.1" version="1.0.1c"/>
1319 <affects base="1.0.1" version="1.0.1d"/>
1320 <affects base="1.0.1" version="1.0.1e"/>
1321 <affects base="1.0.1" version="1.0.1f"/>
1322 <affects base="1.0.1" version="1.0.1g"/>
1323 <affects base="1.0.1" version="1.0.1h"/>
1324 <affects base="1.0.1" version="1.0.1i"/>
1325 <affects base="1.0.1" version="1.0.1j"/>
1326 <affects base="1.0.1" version="1.0.1k"/>
1327 <affects base="1.0.1" version="1.0.1l"/>
1328 <affects base="1.0.1" version="1.0.1m"/>
1329 <affects base="1.0.1" version="1.0.1n"/>
1330 <affects base="1.0.1" version="1.0.1o"/>
1331 <affects base="1.0.1" version="1.0.1p"/>
1332 <affects base="1.0.1" version="1.0.1q"/>
1333 <affects base="1.0.1" version="1.0.1r"/>
1334 <affects base="1.0.1" version="1.0.1s"/>
1335 <affects base="1.0.1" version="1.0.1t"/>
1336 <affects base="1.0.2" version="1.0.2"/>
1337 <affects base="1.0.2" version="1.0.2a"/>
1338 <affects base="1.0.2" version="1.0.2b"/>
1339 <affects base="1.0.2" version="1.0.2c"/>
1340 <affects base="1.0.2" version="1.0.2d"/>
1341 <affects base="1.0.2" version="1.0.2e"/>
1342 <affects base="1.0.2" version="1.0.2f"/>
1343 <affects base="1.0.2" version="1.0.2g"/>
1344 <affects base="1.0.2" version="1.0.2h"/>
1345 <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
1346 <fixed base="1.0.2" version="1.0.2i" date="20160922"/>
1349 The function BN_bn2dec() does not check the return value of BN_div_word().
1350 This can cause an OOB write if an application uses this function with an
1351 overly large BIGNUM. This could be a problem if an overly large certificate
1352 or CRL is printed out from an untrusted source. TLS is not affected because
1353 record limits will reject an oversized certificate before it is parsed.
1355 <advisory url="/news/secadv/20160922.txt"/>
1356 <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160802"/>
1358 <issue public="20160722">
1359 <impact severity="Low"/>
1360 <cve name="2016-2180"/>
1361 <affects base="1.0.1" version="1.0.1"/>
1362 <affects base="1.0.1" version="1.0.1a"/>
1363 <affects base="1.0.1" version="1.0.1b"/>
1364 <affects base="1.0.1" version="1.0.1c"/>
1365 <affects base="1.0.1" version="1.0.1d"/>
1366 <affects base="1.0.1" version="1.0.1e"/>
1367 <affects base="1.0.1" version="1.0.1f"/>
1368 <affects base="1.0.1" version="1.0.1g"/>
1369 <affects base="1.0.1" version="1.0.1h"/>
1370 <affects base="1.0.1" version="1.0.1i"/>
1371 <affects base="1.0.1" version="1.0.1j"/>
1372 <affects base="1.0.1" version="1.0.1k"/>
1373 <affects base="1.0.1" version="1.0.1l"/>
1374 <affects base="1.0.1" version="1.0.1m"/>
1375 <affects base="1.0.1" version="1.0.1n"/>
1376 <affects base="1.0.1" version="1.0.1o"/>
1377 <affects base="1.0.1" version="1.0.1p"/>
1378 <affects base="1.0.1" version="1.0.1q"/>
1379 <affects base="1.0.1" version="1.0.1r"/>
1380 <affects base="1.0.1" version="1.0.1s"/>
1381 <affects base="1.0.1" version="1.0.1t"/>
1382 <affects base="1.0.2" version="1.0.2"/>
1383 <affects base="1.0.2" version="1.0.2a"/>
1384 <affects base="1.0.2" version="1.0.2b"/>
1385 <affects base="1.0.2" version="1.0.2c"/>
1386 <affects base="1.0.2" version="1.0.2d"/>
1387 <affects base="1.0.2" version="1.0.2e"/>
1388 <affects base="1.0.2" version="1.0.2f"/>
1389 <affects base="1.0.2" version="1.0.2g"/>
1390 <affects base="1.0.2" version="1.0.2h"/>
1391 <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
1392 <fixed base="1.0.2" version="1.0.2i" date="20160922"/>
1395 The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
1396 the total length the OID text representation would use and not the amount
1397 of data written. This will result in OOB reads when large OIDs are presented.
1399 <advisory url="/news/secadv/20160922.txt"/>
1400 <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160721"/>
1402 <issue public="20160601">
1403 <impact severity="Low"/>
1404 <cve name="2016-2177"/>
1405 <affects base="1.0.1" version="1.0.1"/>
1406 <affects base="1.0.1" version="1.0.1a"/>
1407 <affects base="1.0.1" version="1.0.1b"/>
1408 <affects base="1.0.1" version="1.0.1c"/>
1409 <affects base="1.0.1" version="1.0.1d"/>
1410 <affects base="1.0.1" version="1.0.1e"/>
1411 <affects base="1.0.1" version="1.0.1f"/>
1412 <affects base="1.0.1" version="1.0.1g"/>
1413 <affects base="1.0.1" version="1.0.1h"/>
1414 <affects base="1.0.1" version="1.0.1i"/>
1415 <affects base="1.0.1" version="1.0.1j"/>
1416 <affects base="1.0.1" version="1.0.1k"/>
1417 <affects base="1.0.1" version="1.0.1l"/>
1418 <affects base="1.0.1" version="1.0.1m"/>
1419 <affects base="1.0.1" version="1.0.1n"/>
1420 <affects base="1.0.1" version="1.0.1o"/>
1421 <affects base="1.0.1" version="1.0.1p"/>
1422 <affects base="1.0.1" version="1.0.1q"/>
1423 <affects base="1.0.1" version="1.0.1r"/>
1424 <affects base="1.0.1" version="1.0.1s"/>
1425 <affects base="1.0.1" version="1.0.1t"/>
1426 <affects base="1.0.2" version="1.0.2"/>
1427 <affects base="1.0.2" version="1.0.2a"/>
1428 <affects base="1.0.2" version="1.0.2b"/>
1429 <affects base="1.0.2" version="1.0.2c"/>
1430 <affects base="1.0.2" version="1.0.2d"/>
1431 <affects base="1.0.2" version="1.0.2e"/>
1432 <affects base="1.0.2" version="1.0.2f"/>
1433 <affects base="1.0.2" version="1.0.2g"/>
1434 <affects base="1.0.2" version="1.0.2h"/>
1435 <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
1436 <fixed base="1.0.2" version="1.0.2i" date="20160922"/>
1439 Avoid some undefined pointer arithmetic
1441 A common idiom in the codebase is to check limits in the following manner:
1442 "p + len > limit"
1444 Where "p" points to some malloc'd data of SIZE bytes and
1447 "len" here could be from some externally supplied data (e.g. from a TLS
1450 The rules of C pointer arithmetic are such that "p + len" is only well
1451 defined where len <= SIZE. Therefore the above idiom is actually
1452 undefined behaviour.
1454 For example this could cause problems if some malloc implementation
1455 provides an address for "p" such that "p + len" actually overflows for
1456 values of len that are too big and therefore p + len < limit.
1458 <advisory url="/news/secadv/20160922.txt"/>
1459 <reported source="Guido Vranken" date="20160504"/>
1461 <issue public="20160607">
1462 <impact severity="Low"/>
1463 <cve name="2016-2178"/>
1464 <affects base="1.0.1" version="1.0.1"/>
1465 <affects base="1.0.1" version="1.0.1a"/>
1466 <affects base="1.0.1" version="1.0.1b"/>
1467 <affects base="1.0.1" version="1.0.1c"/>
1468 <affects base="1.0.1" version="1.0.1d"/>
1469 <affects base="1.0.1" version="1.0.1e"/>
1470 <affects base="1.0.1" version="1.0.1f"/>
1471 <affects base="1.0.1" version="1.0.1g"/>
1472 <affects base="1.0.1" version="1.0.1h"/>
1473 <affects base="1.0.1" version="1.0.1i"/>
1474 <affects base="1.0.1" version="1.0.1j"/>
1475 <affects base="1.0.1" version="1.0.1k"/>
1476 <affects base="1.0.1" version="1.0.1l"/>
1477 <affects base="1.0.1" version="1.0.1m"/>
1478 <affects base="1.0.1" version="1.0.1n"/>
1479 <affects base="1.0.1" version="1.0.1o"/>
1480 <affects base="1.0.1" version="1.0.1p"/>
1481 <affects base="1.0.1" version="1.0.1q"/>
1482 <affects base="1.0.1" version="1.0.1r"/>
1483 <affects base="1.0.1" version="1.0.1s"/>
1484 <affects base="1.0.1" version="1.0.1t"/>
1485 <affects base="1.0.2" version="1.0.2"/>
1486 <affects base="1.0.2" version="1.0.2a"/>
1487 <affects base="1.0.2" version="1.0.2b"/>
1488 <affects base="1.0.2" version="1.0.2c"/>
1489 <affects base="1.0.2" version="1.0.2d"/>
1490 <affects base="1.0.2" version="1.0.2e"/>
1491 <affects base="1.0.2" version="1.0.2f"/>
1492 <affects base="1.0.2" version="1.0.2g"/>
1493 <affects base="1.0.2" version="1.0.2h"/>
1494 <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
1495 <fixed base="1.0.2" version="1.0.2i" date="20160922"/>
1498 Operations in the DSA signing algorithm should run in constant time in order to
1499 avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that
1500 a non-constant time codepath is followed for certain operations. This has been
1501 demonstrated through a cache-timing attack to be sufficient for an attacker to
1502 recover the private DSA key.
1504 <advisory url="/news/secadv/20160922.txt"/>
1505 <reported source="César Pereida (Aalto University), Billy Brumley (Tampere University of Technology), and Yuval Yarom (The University of Adelaide and NICTA)" date="20160523"/>
1507 <issue public="20160822">
1508 <impact severity="Low"/>
1509 <cve name="2016-2179"/>
1510 <affects base="1.0.1" version="1.0.1"/>
1511 <affects base="1.0.1" version="1.0.1a"/>
1512 <affects base="1.0.1" version="1.0.1b"/>
1513 <affects base="1.0.1" version="1.0.1c"/>
1514 <affects base="1.0.1" version="1.0.1d"/>
1515 <affects base="1.0.1" version="1.0.1e"/>
1516 <affects base="1.0.1" version="1.0.1f"/>
1517 <affects base="1.0.1" version="1.0.1g"/>
1518 <affects base="1.0.1" version="1.0.1h"/>
1519 <affects base="1.0.1" version="1.0.1i"/>
1520 <affects base="1.0.1" version="1.0.1j"/>
1521 <affects base="1.0.1" version="1.0.1k"/>
1522 <affects base="1.0.1" version="1.0.1l"/>
1523 <affects base="1.0.1" version="1.0.1m"/>
1524 <affects base="1.0.1" version="1.0.1n"/>
1525 <affects base="1.0.1" version="1.0.1o"/>
1526 <affects base="1.0.1" version="1.0.1p"/>
1527 <affects base="1.0.1" version="1.0.1q"/>
1528 <affects base="1.0.1" version="1.0.1r"/>
1529 <affects base="1.0.1" version="1.0.1s"/>
1530 <affects base="1.0.1" version="1.0.1t"/>
1531 <affects base="1.0.2" version="1.0.2"/>
1532 <affects base="1.0.2" version="1.0.2a"/>
1533 <affects base="1.0.2" version="1.0.2b"/>
1534 <affects base="1.0.2" version="1.0.2c"/>
1535 <affects base="1.0.2" version="1.0.2d"/>
1536 <affects base="1.0.2" version="1.0.2e"/>
1537 <affects base="1.0.2" version="1.0.2f"/>
1538 <affects base="1.0.2" version="1.0.2g"/>
1539 <affects base="1.0.2" version="1.0.2h"/>
1540 <fixed base="1.0.1" version="1.0.1u" date="20160922">
1541 <git hash="00a4c1421407b6ac796688871b0a49a179c694d9"/>
1543 <fixed base="1.0.2" version="1.0.2i" date="20160922">
1544 <git hash="26f2c5774f117aea588e8f31fad38bcf14e83bec"/>
1548 In a DTLS connection where handshake messages are delivered out-of-order those
1549 messages that OpenSSL is not yet ready to process will be buffered for later
1550 use. Under certain circumstances, a flaw in the logic means that those messages
1551 do not get removed from the buffer even though the handshake has been completed.
1552 An attacker could force up to approx. 15 messages to remain in the buffer when
1553 they are no longer required. These messages will be cleared when the DTLS
1554 connection is closed. The default maximum size for a message is 100k. Therefore
1555 the attacker could force an additional 1500k to be consumed per connection. By
1556 opening many simulataneous connections an attacker could cause a DoS attack
1557 through memory exhaustion.
1559 <advisory url="/news/secadv/20160922.txt"/>
1560 <reported source="Quan Luo" date="20160622"/>
1562 <issue public="20160819">
1563 <impact severity="Low"/>
1564 <cve name="2016-2181"/>
1565 <affects base="1.0.1" version="1.0.1"/>
1566 <affects base="1.0.1" version="1.0.1a"/>
1567 <affects base="1.0.1" version="1.0.1b"/>
1568 <affects base="1.0.1" version="1.0.1c"/>
1569 <affects base="1.0.1" version="1.0.1d"/>
1570 <affects base="1.0.1" version="1.0.1e"/>
1571 <affects base="1.0.1" version="1.0.1f"/>
1572 <affects base="1.0.1" version="1.0.1g"/>
1573 <affects base="1.0.1" version="1.0.1h"/>
1574 <affects base="1.0.1" version="1.0.1i"/>
1575 <affects base="1.0.1" version="1.0.1j"/>
1576 <affects base="1.0.1" version="1.0.1k"/>
1577 <affects base="1.0.1" version="1.0.1l"/>
1578 <affects base="1.0.1" version="1.0.1m"/>
1579 <affects base="1.0.1" version="1.0.1n"/>
1580 <affects base="1.0.1" version="1.0.1o"/>
1581 <affects base="1.0.1" version="1.0.1p"/>
1582 <affects base="1.0.1" version="1.0.1q"/>
1583 <affects base="1.0.1" version="1.0.1r"/>
1584 <affects base="1.0.1" version="1.0.1s"/>
1585 <affects base="1.0.1" version="1.0.1t"/>
1586 <affects base="1.0.2" version="1.0.2"/>
1587 <affects base="1.0.2" version="1.0.2a"/>
1588 <affects base="1.0.2" version="1.0.2b"/>
1589 <affects base="1.0.2" version="1.0.2c"/>
1590 <affects base="1.0.2" version="1.0.2d"/>
1591 <affects base="1.0.2" version="1.0.2e"/>
1592 <affects base="1.0.2" version="1.0.2f"/>
1593 <affects base="1.0.2" version="1.0.2g"/>
1594 <affects base="1.0.2" version="1.0.2h"/>
1595 <fixed base="1.0.1" version="1.0.1u" date="20160922">
1596 <git hash="b77ab018b79a00f789b0fb85596b446b08be4c9d"/>
1598 <fixed base="1.0.2" version="1.0.2i" date="20160922">
1599 <git hash="3884b47b7c255c2e94d9b387ee83c7e8bb981258"/>
1604 A flaw in the DTLS replay attack protection mechanism means that records that
1605 arrive for future epochs update the replay protection "window" before the MAC
1606 for the record has been validated. This could be exploited by an attacker by
1607 sending a record for the next epoch (which does not have to decrypt or have a
1608 valid MAC), with a very large sequence number. This means that all subsequent
1609 legitimate packets are dropped causing a denial of service for a specific
1612 <advisory url="/news/secadv/20160922.txt"/>
1613 <reported source="OCAP audit team" date="20151121"/>
1615 <issue public="20160921">
1616 <impact severity="Low"/>
1617 <cve name="2016-6306"/>
1618 <affects base="1.0.1" version="1.0.1"/>
1619 <affects base="1.0.1" version="1.0.1a"/>
1620 <affects base="1.0.1" version="1.0.1b"/>
1621 <affects base="1.0.1" version="1.0.1c"/>
1622 <affects base="1.0.1" version="1.0.1d"/>
1623 <affects base="1.0.1" version="1.0.1e"/>
1624 <affects base="1.0.1" version="1.0.1f"/>
1625 <affects base="1.0.1" version="1.0.1g"/>
1626 <affects base="1.0.1" version="1.0.1h"/>
1627 <affects base="1.0.1" version="1.0.1i"/>
1628 <affects base="1.0.1" version="1.0.1j"/>
1629 <affects base="1.0.1" version="1.0.1k"/>
1630 <affects base="1.0.1" version="1.0.1l"/>
1631 <affects base="1.0.1" version="1.0.1m"/>
1632 <affects base="1.0.1" version="1.0.1n"/>
1633 <affects base="1.0.1" version="1.0.1o"/>
1634 <affects base="1.0.1" version="1.0.1p"/>
1635 <affects base="1.0.1" version="1.0.1q"/>
1636 <affects base="1.0.1" version="1.0.1r"/>
1637 <affects base="1.0.1" version="1.0.1s"/>
1638 <affects base="1.0.1" version="1.0.1t"/>
1639 <affects base="1.0.2" version="1.0.2"/>
1640 <affects base="1.0.2" version="1.0.2a"/>
1641 <affects base="1.0.2" version="1.0.2b"/>
1642 <affects base="1.0.2" version="1.0.2c"/>
1643 <affects base="1.0.2" version="1.0.2d"/>
1644 <affects base="1.0.2" version="1.0.2e"/>
1645 <affects base="1.0.2" version="1.0.2f"/>
1646 <affects base="1.0.2" version="1.0.2g"/>
1647 <affects base="1.0.2" version="1.0.2h"/>
1648 <fixed base="1.0.1" version="1.0.1u" date="20160922">
1649 <git hash="bb1a4866034255749ac578adb06a76335fc117b1"/>
1651 <fixed base="1.0.2" version="1.0.2i" date="20160922">
1652 <git hash="006a788c84e541c8920dd2ad85fb62b52185c519"/>
1655 In OpenSSL 1.0.2 and earlier some missing message length checks can result in
1656 OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical
1657 DoS risk but this has not been observed in practice on common platforms.
1659 The messages affected are client certificate, client certificate request and
1660 server certificate. As a result the attack can only be performed against
1661 a client or a server which enables client authentication.
1663 <advisory url="/news/secadv/20160922.txt"/>
1664 <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160822"/>
1666 <issue public="20160921">
1667 <impact severity="Low"/>
1668 <cve name="2016-6307"/>
1669 <affects base="1.1.0" version="1.1.0"/>
1670 <fixed base="1.1.0" version="1.1.0a" date="20160922">
1671 <git hash="4b390b6c3f8df925dc92a3dd6b022baa9a2f4650"/>
1675 A TLS message includes 3 bytes for its length in the header for the message.
1676 This would allow for messages up to 16Mb in length. Messages of this length are
1677 excessive and OpenSSL includes a check to ensure that a peer is sending
1678 reasonably sized messages in order to avoid too much memory being consumed to
1679 service a connection. A flaw in the logic of version 1.1.0 means that memory for
1680 the message is allocated too early, prior to the excessive message length
1681 check. Due to way memory is allocated in OpenSSL this could mean an attacker
1682 could force up to 21Mb to be allocated to service a connection. This could lead
1683 to a Denial of Service through memory exhaustion. However, the excessive message
1684 length check still takes place, and this would cause the connection to
1685 immediately fail. Assuming that the application calls SSL_free() on the failed
1686 conneciton in a timely manner then the 21Mb of allocated memory will then be
1687 immediately freed again. Therefore the excessive memory allocation will be
1688 transitory in nature. This then means that there is only a security impact if:
1690 1) The application does not call SSL_free() in a timely manner in the
1691 event that the connection fails
1693 2) The application is working in a constrained environment where there
1694 is very little free memory
1696 3) The attacker initiates multiple connection attempts such that there
1697 are multiple connections in a state where memory has been allocated for
1698 the connection; SSL_free() has not yet been called; and there is
1699 insufficient memory to service the multiple requests.
1701 Except in the instance of (1) above any Denial Of Service is likely to
1702 be transitory because as soon as the connection fails the memory is
1703 subsequently freed again in the SSL_free() call. However there is an
1704 increased risk during this period of application crashes due to the lack
1705 of memory - which would then mean a more serious Denial of Service.
1707 <advisory url="/news/secadv/20160922.txt"/>
1708 <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160818"/>
1710 <issue public="20160921">
1711 <impact severity="Low"/>
1712 <cve name="2016-6308"/>
1713 <affects base="1.1.0" version="1.1.0"/>
1714 <fixed base="1.1.0" version="1.1.0a" date="20160922">
1715 <git hash="df6b5e29ffea2d5a3e08de92fb765fdb21c7a21e"/>
1719 A DTLS message includes 3 bytes for its length in the header for the message.
1720 This would allow for messages up to 16Mb in length. Messages of this length are
1721 excessive and OpenSSL includes a check to ensure that a peer is sending
1722 reasonably sized messages in order to avoid too much memory being consumed to
1723 service a connection. A flaw in the logic of version 1.1.0 means that memory for
1724 the message is allocated too early, prior to the excessive message length
1725 check. Due to way memory is allocated in OpenSSL this could mean an attacker
1726 could force up to 21Mb to be allocated to service a connection. This could lead
1727 to a Denial of Service through memory exhaustion. However, the excessive message
1728 length check still takes place, and this would cause the connection to
1729 immediately fail. Assuming that the application calls SSL_free() on the failed
1730 conneciton in a timely manner then the 21Mb of allocated memory will then be
1731 immediately freed again. Therefore the excessive memory allocation will be
1732 transitory in nature. This then means that there is only a security impact if:
1734 1) The application does not call SSL_free() in a timely manner in the
1735 event that the connection fails
1737 2) The application is working in a constrained environment where there
1738 is very little free memory
1740 3) The attacker initiates multiple connection attempts such that there
1741 are multiple connections in a state where memory has been allocated for
1742 the connection; SSL_free() has not yet been called; and there is
1743 insufficient memory to service the multiple requests.
1745 Except in the instance of (1) above any Denial Of Service is likely to
1746 be transitory because as soon as the connection fails the memory is
1747 subsequently freed again in the SSL_free() call. However there is an
1748 increased risk during this period of application crashes due to the lack
1749 of memory - which would then mean a more serious Denial of Service.
1751 <advisory url="/news/secadv/20160922.txt"/>
1752 <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160818"/>
1754 <issue public="20160503">
1755 <impact severity="High"/>
1756 <cve name="2016-2108"/>
1757 <affects base="1.0.1" version="1.0.1"/>
1758 <affects base="1.0.1" version="1.0.1a"/>
1759 <affects base="1.0.1" version="1.0.1b"/>
1760 <affects base="1.0.1" version="1.0.1c"/>
1761 <affects base="1.0.1" version="1.0.1d"/>
1762 <affects base="1.0.1" version="1.0.1e"/>
1763 <affects base="1.0.1" version="1.0.1f"/>
1764 <affects base="1.0.1" version="1.0.1g"/>
1765 <affects base="1.0.1" version="1.0.1h"/>
1766 <affects base="1.0.1" version="1.0.1i"/>
1767 <affects base="1.0.1" version="1.0.1j"/>
1768 <affects base="1.0.1" version="1.0.1k"/>
1769 <affects base="1.0.1" version="1.0.1l"/>
1770 <affects base="1.0.1" version="1.0.1m"/>
1771 <affects base="1.0.1" version="1.0.1n"/>
1772 <affects base="1.0.2" version="1.0.2"/>
1773 <affects base="1.0.2" version="1.0.2a"/>
1774 <affects base="1.0.2" version="1.0.2b"/>
1775 <fixed base="1.0.1" version="1.0.1o" date="20160612"/>
1776 <fixed base="1.0.2" version="1.0.2c" date="20160612"/>
1779 This issue affected versions of OpenSSL prior to April 2015. The bug
1780 causing the vulnerability was fixed on April 18th 2015, and released
1781 as part of the June 11th 2015 security releases. The security impact
1782 of the bug was not known at the time.
1784 In previous versions of OpenSSL, ASN.1 encoding the value zero
1785 represented as a negative integer can cause a buffer underflow
1786 with an out-of-bounds write in i2c_ASN1_INTEGER. The ASN.1 parser does
1787 not normally create "negative zeroes" when parsing ASN.1 input, and
1788 therefore, an attacker cannot trigger this bug.
1790 However, a second, independent bug revealed that the ASN.1 parser
1791 (specifically, d2i_ASN1_TYPE) can misinterpret a large universal tag
1792 as a negative zero value. Large universal tags are not present in any
1793 common ASN.1 structures (such as X509) but are accepted as part of ANY
1796 Therefore, if an application deserializes untrusted ASN.1 structures
1797 containing an ANY field, and later reserializes them, an attacker may
1798 be able to trigger an out-of-bounds write. This has been shown to
1799 cause memory corruption that is potentially exploitable with some
1800 malloc implementations.
1802 Applications that parse and re-encode X509 certificates are known to
1803 be vulnerable. Applications that verify RSA signatures on X509
1804 certificates may also be vulnerable; however, only certificates with
1805 valid signatures trigger ASN.1 re-encoding and hence the
1806 bug. Specifically, since OpenSSL's default TLS X509 chain verification
1807 code verifies the certificate chain from root to leaf, TLS handshakes
1808 could only be targeted with valid certificates issued by trusted
1809 Certification Authorities.
1811 <advisory url="/news/secadv/20160503.txt"/>
1812 <reported source="Huzaifa Sidhpurwala (Red Hat), Hanno Böck, David Benjamin (Google)" date="20160331"/>
1814 <issue public="20160503">
1815 <impact severity="High"/>
1816 <cve name="2016-2107"/>
1817 <affects base="1.0.1" version="1.0.1"/>
1818 <affects base="1.0.1" version="1.0.1a"/>
1819 <affects base="1.0.1" version="1.0.1b"/>
1820 <affects base="1.0.1" version="1.0.1c"/>
1821 <affects base="1.0.1" version="1.0.1d"/>
1822 <affects base="1.0.1" version="1.0.1e"/>
1823 <affects base="1.0.1" version="1.0.1f"/>
1824 <affects base="1.0.1" version="1.0.1g"/>
1825 <affects base="1.0.1" version="1.0.1h"/>
1826 <affects base="1.0.1" version="1.0.1i"/>
1827 <affects base="1.0.1" version="1.0.1j"/>
1828 <affects base="1.0.1" version="1.0.1k"/>
1829 <affects base="1.0.1" version="1.0.1l"/>
1830 <affects base="1.0.1" version="1.0.1m"/>
1831 <affects base="1.0.1" version="1.0.1n"/>
1832 <affects base="1.0.1" version="1.0.1o"/>
1833 <affects base="1.0.1" version="1.0.1p"/>
1834 <affects base="1.0.1" version="1.0.1q"/>
1835 <affects base="1.0.1" version="1.0.1r"/>
1836 <affects base="1.0.1" version="1.0.1s"/>
1837 <affects base="1.0.2" version="1.0.2"/>
1838 <affects base="1.0.2" version="1.0.2a"/>
1839 <affects base="1.0.2" version="1.0.2b"/>
1840 <affects base="1.0.2" version="1.0.2c"/>
1841 <affects base="1.0.2" version="1.0.2d"/>
1842 <affects base="1.0.2" version="1.0.2e"/>
1843 <affects base="1.0.2" version="1.0.2f"/>
1844 <affects base="1.0.2" version="1.0.2g"/>
1845 <fixed base="1.0.1" version="1.0.1t" date="20160503"/>
1846 <fixed base="1.0.2" version="1.0.2h" date="20160503">
1847 <git hash="68595c0c2886e7942a14f98c17a55a88afb6c292"/>
1851 A MITM attacker can use a padding oracle attack to decrypt traffic
1852 when the connection uses an AES CBC cipher and the server support
1855 This issue was introduced as part of the fix for Lucky 13 padding
1856 attack (CVE-2013-0169). The padding check was rewritten to be in
1857 constant time by making sure that always the same bytes are read and
1858 compared against either the MAC or padding bytes. But it no longer
1859 checked that there was enough data to have both the MAC and padding
1862 <advisory url="/news/secadv/20160503.txt"/>
1863 <reported source="Juraj Somorovsky" date="20160413"/>
1865 <issue public="20160503">
1866 <impact severity="Low"/>
1867 <cve name="2016-2105"/>
1868 <affects base="1.0.1" version="1.0.1"/>
1869 <affects base="1.0.1" version="1.0.1a"/>
1870 <affects base="1.0.1" version="1.0.1b"/>
1871 <affects base="1.0.1" version="1.0.1c"/>
1872 <affects base="1.0.1" version="1.0.1d"/>
1873 <affects base="1.0.1" version="1.0.1e"/>
1874 <affects base="1.0.1" version="1.0.1f"/>
1875 <affects base="1.0.1" version="1.0.1g"/>
1876 <affects base="1.0.1" version="1.0.1h"/>
1877 <affects base="1.0.1" version="1.0.1i"/>
1878 <affects base="1.0.1" version="1.0.1j"/>
1879 <affects base="1.0.1" version="1.0.1k"/>
1880 <affects base="1.0.1" version="1.0.1l"/>
1881 <affects base="1.0.1" version="1.0.1m"/>
1882 <affects base="1.0.1" version="1.0.1n"/>
1883 <affects base="1.0.1" version="1.0.1o"/>
1884 <affects base="1.0.1" version="1.0.1p"/>
1885 <affects base="1.0.1" version="1.0.1q"/>
1886 <affects base="1.0.1" version="1.0.1r"/>
1887 <affects base="1.0.1" version="1.0.1s"/>
1888 <affects base="1.0.2" version="1.0.2"/>
1889 <affects base="1.0.2" version="1.0.2a"/>
1890 <affects base="1.0.2" version="1.0.2b"/>
1891 <affects base="1.0.2" version="1.0.2c"/>
1892 <affects base="1.0.2" version="1.0.2d"/>
1893 <affects base="1.0.2" version="1.0.2e"/>
1894 <affects base="1.0.2" version="1.0.2f"/>
1895 <affects base="1.0.2" version="1.0.2g"/>
1896 <fixed base="1.0.1" version="1.0.1t" date="20160503"/>
1897 <fixed base="1.0.2" version="1.0.2h" date="20160503"/>
1900 An overflow can occur in the EVP_EncodeUpdate() function which is used for
1901 Base64 encoding of binary data. If an attacker is able to supply very
1902 large amounts of input data then a length check can overflow resulting in
1905 Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by the
1906 PEM_write_bio* family of functions. These are mainly used within the OpenSSL
1907 command line applications. These internal uses are not considered vulnerable
1908 because all calls are bounded with length checks so no overflow is possible.
1909 User applications that call these APIs directly with large amounts of untrusted
1910 data may be vulnerable. (Note: Initial analysis suggested that the
1911 PEM_write_bio* were vulnerable, and this is reflected in the patch commit
1912 message. This is no longer believed to be the case).
1914 <advisory url="/news/secadv/20160503.txt"/>
1915 <reported source="Guido Vranken" date="20160303"/>
1917 <issue public="20160503">
1918 <impact severity="Low"/>
1919 <cve name="2016-2106"/>
1920 <affects base="1.0.1" version="1.0.1"/>
1921 <affects base="1.0.1" version="1.0.1a"/>
1922 <affects base="1.0.1" version="1.0.1b"/>
1923 <affects base="1.0.1" version="1.0.1c"/>
1924 <affects base="1.0.1" version="1.0.1d"/>
1925 <affects base="1.0.1" version="1.0.1e"/>
1926 <affects base="1.0.1" version="1.0.1f"/>
1927 <affects base="1.0.1" version="1.0.1g"/>
1928 <affects base="1.0.1" version="1.0.1h"/>
1929 <affects base="1.0.1" version="1.0.1i"/>
1930 <affects base="1.0.1" version="1.0.1j"/>
1931 <affects base="1.0.1" version="1.0.1k"/>
1932 <affects base="1.0.1" version="1.0.1l"/>
1933 <affects base="1.0.1" version="1.0.1m"/>
1934 <affects base="1.0.1" version="1.0.1n"/>
1935 <affects base="1.0.1" version="1.0.1o"/>
1936 <affects base="1.0.1" version="1.0.1p"/>
1937 <affects base="1.0.1" version="1.0.1q"/>
1938 <affects base="1.0.1" version="1.0.1r"/>
1939 <affects base="1.0.1" version="1.0.1s"/>
1940 <affects base="1.0.2" version="1.0.2"/>
1941 <affects base="1.0.2" version="1.0.2a"/>
1942 <affects base="1.0.2" version="1.0.2b"/>
1943 <affects base="1.0.2" version="1.0.2c"/>
1944 <affects base="1.0.2" version="1.0.2d"/>
1945 <affects base="1.0.2" version="1.0.2e"/>
1946 <affects base="1.0.2" version="1.0.2f"/>
1947 <affects base="1.0.2" version="1.0.2g"/>
1948 <fixed base="1.0.1" version="1.0.1t" date="20160503"/>
1949 <fixed base="1.0.2" version="1.0.2h" date="20160503"/>
1952 An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
1953 is able to supply very large amounts of input data after a previous call
1954 to EVP_EncryptUpdate() with a partial block then a length check can
1955 overflow resulting in a heap corruption. Following an analysis of all
1956 OpenSSL internal usage of the EVP_EncryptUpdate() function all usage is
1957 one of two forms. The first form is where the EVP_EncryptUpdate() call is
1958 known to be the first called function after an EVP_EncryptInit(), and
1959 therefore that specific call must be safe. The second form is where the
1960 length passed to EVP_EncryptUpdate() can be seen from the code to be some
1961 small value and therefore there is no possibility of an overflow. Since
1962 all instances are one of these two forms, it is believed that there can be
1963 no overflows in internal code due to this problem. It should be noted that
1964 EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
1965 Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All
1966 instances of these calls have also been analysed too and it is believed
1967 there are no instances in internal usage where an overflow could occur.
1969 This could still represent a security issue for end user code that calls
1970 this function directly.
1972 <advisory url="/news/secadv/20160503.txt"/>
1973 <reported source="Guido Vranken" date="20160303"/>
1975 <issue public="20160503">
1976 <impact severity="Low"/>
1977 <cve name="2016-2109"/>
1978 <affects base="1.0.1" version="1.0.1"/>
1979 <affects base="1.0.1" version="1.0.1a"/>
1980 <affects base="1.0.1" version="1.0.1b"/>
1981 <affects base="1.0.1" version="1.0.1c"/>
1982 <affects base="1.0.1" version="1.0.1d"/>
1983 <affects base="1.0.1" version="1.0.1e"/>
1984 <affects base="1.0.1" version="1.0.1f"/>
1985 <affects base="1.0.1" version="1.0.1g"/>
1986 <affects base="1.0.1" version="1.0.1h"/>
1987 <affects base="1.0.1" version="1.0.1i"/>
1988 <affects base="1.0.1" version="1.0.1j"/>
1989 <affects base="1.0.1" version="1.0.1k"/>
1990 <affects base="1.0.1" version="1.0.1l"/>
1991 <affects base="1.0.1" version="1.0.1m"/>
1992 <affects base="1.0.1" version="1.0.1n"/>
1993 <affects base="1.0.1" version="1.0.1o"/>
1994 <affects base="1.0.1" version="1.0.1p"/>
1995 <affects base="1.0.1" version="1.0.1q"/>
1996 <affects base="1.0.1" version="1.0.1r"/>
1997 <affects base="1.0.1" version="1.0.1s"/>
1998 <affects base="1.0.2" version="1.0.2"/>
1999 <affects base="1.0.2" version="1.0.2a"/>
2000 <affects base="1.0.2" version="1.0.2b"/>
2001 <affects base="1.0.2" version="1.0.2c"/>
2002 <affects base="1.0.2" version="1.0.2d"/>
2003 <affects base="1.0.2" version="1.0.2e"/>
2004 <affects base="1.0.2" version="1.0.2f"/>
2005 <affects base="1.0.2" version="1.0.2g"/>
2006 <fixed base="1.0.1" version="1.0.1t" date="20160503"/>
2007 <fixed base="1.0.2" version="1.0.2h" date="20160503"/>
2010 When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
2011 a short invalid encoding can casuse allocation of large amounts of memory
2012 potentially consuming excessive resources or exhausting memory.
2014 Any application parsing untrusted data through d2i BIO functions is
2015 affected. The memory based functions such as d2i_X509() are *not*
2016 affected. Since the memory based functions are used by the TLS library,
2017 TLS applications are not affected.
2019 <advisory url="/news/secadv/20160503.txt"/>
2020 <reported source="Brian Carpenter" date="20160404"/>
2022 <issue public="20160503">
2023 <impact severity="Low"/>
2024 <cve name="2016-2176"/>
2025 <affects base="1.0.1" version="1.0.1"/>
2026 <affects base="1.0.1" version="1.0.1a"/>
2027 <affects base="1.0.1" version="1.0.1b"/>
2028 <affects base="1.0.1" version="1.0.1c"/>
2029 <affects base="1.0.1" version="1.0.1d"/>
2030 <affects base="1.0.1" version="1.0.1e"/>
2031 <affects base="1.0.1" version="1.0.1f"/>
2032 <affects base="1.0.1" version="1.0.1g"/>
2033 <affects base="1.0.1" version="1.0.1h"/>
2034 <affects base="1.0.1" version="1.0.1i"/>
2035 <affects base="1.0.1" version="1.0.1j"/>
2036 <affects base="1.0.1" version="1.0.1k"/>
2037 <affects base="1.0.1" version="1.0.1l"/>
2038 <affects base="1.0.1" version="1.0.1m"/>
2039 <affects base="1.0.1" version="1.0.1n"/>
2040 <affects base="1.0.1" version="1.0.1o"/>
2041 <affects base="1.0.1" version="1.0.1p"/>
2042 <affects base="1.0.1" version="1.0.1q"/>
2043 <affects base="1.0.1" version="1.0.1r"/>
2044 <affects base="1.0.1" version="1.0.1s"/>
2045 <affects base="1.0.2" version="1.0.2"/>
2046 <affects base="1.0.2" version="1.0.2a"/>
2047 <affects base="1.0.2" version="1.0.2b"/>
2048 <affects base="1.0.2" version="1.0.2c"/>
2049 <affects base="1.0.2" version="1.0.2d"/>
2050 <affects base="1.0.2" version="1.0.2e"/>
2051 <affects base="1.0.2" version="1.0.2f"/>
2052 <affects base="1.0.2" version="1.0.2g"/>
2053 <fixed base="1.0.1" version="1.0.1t" date="20160503"/>
2054 <fixed base="1.0.2" version="1.0.2h" date="20160503"/>
2057 ASN1 Strings that are over 1024 bytes can cause an overread in
2058 applications using the X509_NAME_oneline() function on EBCDIC systems.
2059 This could result in arbitrary stack data being returned in the buffer.
2061 <advisory url="/news/secadv/20160503.txt"/>
2062 <reported source="Guido Vranken" date="20160305"/>
2064 <issue public="20160301">
2065 <impact severity="High"/>
2066 <cve name="2016-0800"/>
2067 <affects base="1.0.1" version="1.0.1"/>
2068 <affects base="1.0.1" version="1.0.1a"/>
2069 <affects base="1.0.1" version="1.0.1b"/>
2070 <affects base="1.0.1" version="1.0.1c"/>
2071 <affects base="1.0.1" version="1.0.1d"/>
2072 <affects base="1.0.1" version="1.0.1e"/>
2073 <affects base="1.0.1" version="1.0.1f"/>
2074 <affects base="1.0.1" version="1.0.1g"/>
2075 <affects base="1.0.1" version="1.0.1h"/>
2076 <affects base="1.0.1" version="1.0.1i"/>
2077 <affects base="1.0.1" version="1.0.1j"/>
2078 <affects base="1.0.1" version="1.0.1k"/>
2079 <affects base="1.0.1" version="1.0.1l"/>
2080 <affects base="1.0.1" version="1.0.1m"/>
2081 <affects base="1.0.1" version="1.0.1n"/>
2082 <affects base="1.0.1" version="1.0.1o"/>
2083 <affects base="1.0.1" version="1.0.1p"/>
2084 <affects base="1.0.1" version="1.0.1q"/>
2085 <affects base="1.0.1" version="1.0.1r"/>
2086 <affects base="1.0.2" version="1.0.2"/>
2087 <affects base="1.0.2" version="1.0.2a"/>
2088 <affects base="1.0.2" version="1.0.2b"/>
2089 <affects base="1.0.2" version="1.0.2c"/>
2090 <affects base="1.0.2" version="1.0.2d"/>
2091 <affects base="1.0.2" version="1.0.2e"/>
2092 <affects base="1.0.2" version="1.0.2f"/>
2093 <fixed base="1.0.1" version="1.0.1s" date="20160301"/>
2094 <fixed base="1.0.2" version="1.0.2g" date="20160301"/>
2097 A cross-protocol attack was discovered that could lead to decryption of TLS
2098 sessions by using a server supporting SSLv2 and EXPORT cipher suites as a
2099 Bleichenbacher RSA padding oracle. Note that traffic between clients and
2100 non-vulnerable servers can be decrypted provided another server supporting
2101 SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or
2102 POP) shares the RSA keys of the non-vulnerable server. This vulnerability is
2103 known as DROWN (CVE-2016-0800).
2105 Recovering one session key requires the attacker to perform approximately 2^50
2106 computation, as well as thousands of connections to the affected server. A more
2107 efficient variant of the DROWN attack exists against unpatched OpenSSL servers
2108 using versions that predate 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf released on
2109 19/Mar/2015 (see CVE-2016-0703 below).
2111 Users can avoid this issue by disabling the SSLv2 protocol in all their SSL/TLS
2112 servers, if they've not done so already. Disabling all SSLv2 ciphers is also
2113 sufficient, provided the patches for CVE-2015-3197 (fixed in OpenSSL 1.0.1r and
2114 1.0.2f) have been deployed. Servers that have not disabled the SSLv2 protocol,
2115 and are not patched for CVE-2015-3197 are vulnerable to DROWN even if all SSLv2
2116 ciphers are nominally disabled, because malicious clients can force the use of
2117 SSLv2 with EXPORT ciphers.
2119 OpenSSL 1.0.2g and 1.0.1s deploy the following mitigation against DROWN:
2121 SSLv2 is now by default disabled at build-time. Builds that are not configured
2122 with "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
2123 users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will
2124 need to explicitly call either of:
2126 SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
2128 SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
2130 as appropriate. Even if either of those is used, or the application explicitly
2131 uses the version-specific SSLv2_method() or its client or server variants,
2132 SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed.
2133 Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no
2136 In addition, weak ciphers in SSLv3 and up are now disabled in default builds of
2137 OpenSSL. Builds that are not configured with "enable-weak-ssl-ciphers" will
2138 not provide any "EXPORT" or "LOW" strength ciphers.
2140 <advisory url="/news/secadv/20160301.txt"/>
2141 <reported source="Nimrod Aviram and Sebastian Schinzel" date="20151229"/>
2143 <issue public="20160301">
2144 <impact severity="Low"/>
2145 <cve name="2016-0705"/>
2146 <affects base="1.0.1" version="1.0.1"/>
2147 <affects base="1.0.1" version="1.0.1a"/>
2148 <affects base="1.0.1" version="1.0.1b"/>
2149 <affects base="1.0.1" version="1.0.1c"/>
2150 <affects base="1.0.1" version="1.0.1d"/>
2151 <affects base="1.0.1" version="1.0.1e"/>
2152 <affects base="1.0.1" version="1.0.1f"/>
2153 <affects base="1.0.1" version="1.0.1g"/>
2154 <affects base="1.0.1" version="1.0.1h"/>
2155 <affects base="1.0.1" version="1.0.1i"/>
2156 <affects base="1.0.1" version="1.0.1j"/>
2157 <affects base="1.0.1" version="1.0.1k"/>
2158 <affects base="1.0.1" version="1.0.1l"/>
2159 <affects base="1.0.1" version="1.0.1m"/>
2160 <affects base="1.0.1" version="1.0.1n"/>
2161 <affects base="1.0.1" version="1.0.1o"/>
2162 <affects base="1.0.1" version="1.0.1p"/>
2163 <affects base="1.0.1" version="1.0.1q"/>
2164 <affects base="1.0.1" version="1.0.1r"/>
2165 <affects base="1.0.2" version="1.0.2"/>
2166 <affects base="1.0.2" version="1.0.2a"/>
2167 <affects base="1.0.2" version="1.0.2b"/>
2168 <affects base="1.0.2" version="1.0.2c"/>
2169 <affects base="1.0.2" version="1.0.2d"/>
2170 <affects base="1.0.2" version="1.0.2e"/>
2171 <affects base="1.0.2" version="1.0.2f"/>
2172 <fixed base="1.0.1" version="1.0.1s" date="20160301"/>
2173 <fixed base="1.0.2" version="1.0.2g" date="20160301"/>
2176 A double free bug was discovered when OpenSSL parses malformed DSA private keys
2177 and could lead to a DoS attack or memory corruption for applications that
2178 receive DSA private keys from untrusted sources. This scenario is considered
2181 <advisory url="/news/secadv/20160301.txt"/>
2182 <reported source="Adam Langley (Google/BoringSSL)" date="20160207"/>
2184 <issue public="20160301">
2185 <impact severity="Low"/>
2186 <cve name="2016-0798"/>
2187 <affects base="1.0.1" version="1.0.1"/>
2188 <affects base="1.0.1" version="1.0.1a"/>
2189 <affects base="1.0.1" version="1.0.1b"/>
2190 <affects base="1.0.1" version="1.0.1c"/>
2191 <affects base="1.0.1" version="1.0.1d"/>
2192 <affects base="1.0.1" version="1.0.1e"/>
2193 <affects base="1.0.1" version="1.0.1f"/>
2194 <affects base="1.0.1" version="1.0.1g"/>
2195 <affects base="1.0.1" version="1.0.1h"/>
2196 <affects base="1.0.1" version="1.0.1i"/>
2197 <affects base="1.0.1" version="1.0.1j"/>
2198 <affects base="1.0.1" version="1.0.1k"/>
2199 <affects base="1.0.1" version="1.0.1l"/>
2200 <affects base="1.0.1" version="1.0.1m"/>
2201 <affects base="1.0.1" version="1.0.1n"/>
2202 <affects base="1.0.1" version="1.0.1o"/>
2203 <affects base="1.0.1" version="1.0.1p"/>
2204 <affects base="1.0.1" version="1.0.1q"/>
2205 <affects base="1.0.1" version="1.0.1r"/>
2206 <affects base="1.0.2" version="1.0.2"/>
2207 <affects base="1.0.2" version="1.0.2a"/>
2208 <affects base="1.0.2" version="1.0.2b"/>
2209 <affects base="1.0.2" version="1.0.2c"/>
2210 <affects base="1.0.2" version="1.0.2d"/>
2211 <affects base="1.0.2" version="1.0.2e"/>
2212 <affects base="1.0.2" version="1.0.2f"/>
2213 <fixed base="1.0.1" version="1.0.1s" date="20160301"/>
2214 <fixed base="1.0.2" version="1.0.2g" date="20160301"/>
2217 The SRP user database lookup method SRP_VBASE_get_by_user had
2218 confusing memory management semantics; the returned pointer was sometimes newly
2219 allocated, and sometimes owned by the callee. The calling code has no way of
2220 distinguishing these two cases.
2222 Specifically, SRP servers that configure a secret seed to hide valid
2223 login information are vulnerable to a memory leak: an attacker
2224 connecting with an invalid username can cause a memory leak of around
2225 300 bytes per connection. Servers that do not configure SRP, or
2226 configure SRP but do not configure a seed are not vulnerable.
2228 In Apache, the seed directive is known as SSLSRPUnknownUserSeed.
2230 To mitigate the memory leak, the seed handling in
2231 SRP_VBASE_get_by_user is now disabled even if the user has configured
2232 a seed. Applications are advised to migrate to
2233 SRP_VBASE_get1_by_user. However, note that OpenSSL makes no strong
2234 guarantees about the indistinguishability of valid and invalid
2235 logins. In particular, computations are currently not carried out in
2238 <advisory url="/news/secadv/20160301.txt"/>
2239 <reported source="Emilia Käsper (OpenSSL)" date="20160223"/>
2241 <issue public="20160301">
2242 <impact severity="Low"/>
2243 <cve name="2016-0797"/>
2244 <affects base="1.0.1" version="1.0.1"/>
2245 <affects base="1.0.1" version="1.0.1a"/>
2246 <affects base="1.0.1" version="1.0.1b"/>
2247 <affects base="1.0.1" version="1.0.1c"/>
2248 <affects base="1.0.1" version="1.0.1d"/>
2249 <affects base="1.0.1" version="1.0.1e"/>
2250 <affects base="1.0.1" version="1.0.1f"/>
2251 <affects base="1.0.1" version="1.0.1g"/>
2252 <affects base="1.0.1" version="1.0.1h"/>
2253 <affects base="1.0.1" version="1.0.1i"/>
2254 <affects base="1.0.1" version="1.0.1j"/>
2255 <affects base="1.0.1" version="1.0.1k"/>
2256 <affects base="1.0.1" version="1.0.1l"/>
2257 <affects base="1.0.1" version="1.0.1m"/>
2258 <affects base="1.0.1" version="1.0.1n"/>
2259 <affects base="1.0.1" version="1.0.1o"/>
2260 <affects base="1.0.1" version="1.0.1p"/>
2261 <affects base="1.0.1" version="1.0.1q"/>
2262 <affects base="1.0.1" version="1.0.1r"/>
2263 <affects base="1.0.2" version="1.0.2"/>
2264 <affects base="1.0.2" version="1.0.2a"/>
2265 <affects base="1.0.2" version="1.0.2b"/>
2266 <affects base="1.0.2" version="1.0.2c"/>
2267 <affects base="1.0.2" version="1.0.2d"/>
2268 <affects base="1.0.2" version="1.0.2e"/>
2269 <affects base="1.0.2" version="1.0.2f"/>
2270 <fixed base="1.0.1" version="1.0.1s" date="20160301"/>
2271 <fixed base="1.0.2" version="1.0.2g" date="20160301"/>
2274 In the BN_hex2bn function the number of hex digits is calculated using an int
2275 value |i|. Later |bn_expand| is called with a value of |i * 4|. For large values
2276 of |i| this can result in |bn_expand| not allocating any memory because |i * 4|
2277 is negative. This can leave the internal BIGNUM data field as NULL leading to a
2278 subsequent NULL ptr deref. For very large values of |i|, the calculation |i * 4|
2279 could be a positive value smaller than |i|. In this case memory is allocated to
2280 the internal BIGNUM data field, but it is insufficiently sized leading to heap
2281 corruption. A similar issue exists in BN_dec2bn. This could have security
2282 consequences if BN_hex2bn/BN_dec2bn is ever called by user applications with
2283 very large untrusted hex/dec data. This is anticipated to be a rare occurrence.
2285 All OpenSSL internal usage of these functions use data that is not expected to
2286 be untrusted, e.g. config file data or application command line arguments. If
2287 user developed applications generate config file data based on untrusted data
2288 then it is possible that this could also lead to security consequences. This is
2289 also anticipated to be rare.
2291 <advisory url="/news/secadv/20160301.txt"/>
2292 <reported source="Guido Vranken" date="20160219"/>
2294 <issue public="20160301">
2295 <impact severity="Low"/>
2296 <cve name="2016-0799"/>
2297 <affects base="1.0.1" version="1.0.1"/>
2298 <affects base="1.0.1" version="1.0.1a"/>
2299 <affects base="1.0.1" version="1.0.1b"/>
2300 <affects base="1.0.1" version="1.0.1c"/>
2301 <affects base="1.0.1" version="1.0.1d"/>
2302 <affects base="1.0.1" version="1.0.1e"/>
2303 <affects base="1.0.1" version="1.0.1f"/>
2304 <affects base="1.0.1" version="1.0.1g"/>
2305 <affects base="1.0.1" version="1.0.1h"/>
2306 <affects base="1.0.1" version="1.0.1i"/>
2307 <affects base="1.0.1" version="1.0.1j"/>
2308 <affects base="1.0.1" version="1.0.1k"/>
2309 <affects base="1.0.1" version="1.0.1l"/>
2310 <affects base="1.0.1" version="1.0.1m"/>
2311 <affects base="1.0.1" version="1.0.1n"/>
2312 <affects base="1.0.1" version="1.0.1o"/>
2313 <affects base="1.0.1" version="1.0.1p"/>
2314 <affects base="1.0.1" version="1.0.1q"/>
2315 <affects base="1.0.1" version="1.0.1r"/>
2316 <affects base="1.0.2" version="1.0.2"/>
2317 <affects base="1.0.2" version="1.0.2a"/>
2318 <affects base="1.0.2" version="1.0.2b"/>
2319 <affects base="1.0.2" version="1.0.2c"/>
2320 <affects base="1.0.2" version="1.0.2d"/>
2321 <affects base="1.0.2" version="1.0.2e"/>
2322 <affects base="1.0.2" version="1.0.2f"/>
2323 <fixed base="1.0.1" version="1.0.1s" date="20160301"/>
2324 <fixed base="1.0.2" version="1.0.2g" date="20160301"/>
2327 The internal |fmtstr| function used in processing a "%s" format string in the
2328 BIO_*printf functions could overflow while calculating the length of a string
2329 and cause an OOB read when printing very long strings.
2331 Additionally the internal |doapr_outch| function can attempt to write to an OOB
2332 memory location (at an offset from the NULL pointer) in the event of a memory
2333 allocation failure. In 1.0.2 and below this could be caused where the size of a
2334 buffer to be allocated is greater than INT_MAX. E.g. this could be in processing
2335 a very long "%s" format string. Memory leaks can also occur.
2337 The first issue may mask the second issue dependent on compiler behaviour.
2338 These problems could enable attacks where large amounts of untrusted data is
2339 passed to the BIO_*printf functions. If applications use these functions in this
2340 way then they could be vulnerable. OpenSSL itself uses these functions when
2341 printing out human-readable dumps of ASN.1 data. Therefore applications that
2342 print this data could be vulnerable if the data is from untrusted sources.
2343 OpenSSL command line applications could also be vulnerable where they print out
2344 ASN.1 data, or if untrusted data is passed as command line arguments.
2346 Libssl is not considered directly vulnerable. Additionally certificates etc
2347 received via remote connections via libssl are also unlikely to be able to
2348 trigger these issues because of message size limits enforced within libssl.
2350 <advisory url="/news/secadv/20160301.txt"/>
2351 <reported source="Guido Vranken" date="20160223"/>
2353 <issue public="20160301">
2354 <impact severity="Low"/>
2355 <cve name="2016-0702"/>
2356 <affects base="1.0.1" version="1.0.1"/>
2357 <affects base="1.0.1" version="1.0.1a"/>
2358 <affects base="1.0.1" version="1.0.1b"/>
2359 <affects base="1.0.1" version="1.0.1c"/>
2360 <affects base="1.0.1" version="1.0.1d"/>
2361 <affects base="1.0.1" version="1.0.1e"/>
2362 <affects base="1.0.1" version="1.0.1f"/>
2363 <affects base="1.0.1" version="1.0.1g"/>
2364 <affects base="1.0.1" version="1.0.1h"/>
2365 <affects base="1.0.1" version="1.0.1i"/>
2366 <affects base="1.0.1" version="1.0.1j"/>
2367 <affects base="1.0.1" version="1.0.1k"/>
2368 <affects base="1.0.1" version="1.0.1l"/>
2369 <affects base="1.0.1" version="1.0.1m"/>
2370 <affects base="1.0.1" version="1.0.1n"/>
2371 <affects base="1.0.1" version="1.0.1o"/>
2372 <affects base="1.0.1" version="1.0.1p"/>
2373 <affects base="1.0.1" version="1.0.1q"/>
2374 <affects base="1.0.1" version="1.0.1r"/>
2375 <affects base="1.0.2" version="1.0.2"/>
2376 <affects base="1.0.2" version="1.0.2a"/>
2377 <affects base="1.0.2" version="1.0.2b"/>
2378 <affects base="1.0.2" version="1.0.2c"/>
2379 <affects base="1.0.2" version="1.0.2d"/>
2380 <affects base="1.0.2" version="1.0.2e"/>
2381 <affects base="1.0.2" version="1.0.2f"/>
2382 <fixed base="1.0.1" version="1.0.1s" date="20160301"/>
2383 <fixed base="1.0.2" version="1.0.2g" date="20160301"/>
2386 A side-channel attack was found which makes use of cache-bank conflicts on the
2387 Intel Sandy-Bridge microarchitecture which could lead to the recovery of RSA
2388 keys. The ability to exploit this issue is limited as it relies on an attacker
2389 who has control of code in a thread running on the same hyper-threaded core as
2390 the victim thread which is performing decryptions.
2392 <advisory url="/news/secadv/20160301.txt"/>
2393 <reported source="Yuval Yarom, The University of Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and Nadia Heninger, University of Pennsylvania" date="20160108"/>
2395 <issue public="20160301">
2396 <impact severity="High"/>
2397 <cve name="2016-0703"/>
2399 <affects base="0.9.8" version="0.9.8"/>
2400 <affects base="0.9.8" version="0.9.8a"/>
2401 <affects base="0.9.8" version="0.9.8b"/>
2402 <affects base="0.9.8" version="0.9.8c"/>
2403 <affects base="0.9.8" version="0.9.8d"/>
2404 <affects base="0.9.8" version="0.9.8e"/>
2405 <affects base="0.9.8" version="0.9.8f"/>
2406 <affects base="0.9.8" version="0.9.8g"/>
2407 <affects base="0.9.8" version="0.9.8h"/>
2408 <affects base="0.9.8" version="0.9.8i"/>
2409 <affects base="0.9.8" version="0.9.8j"/>
2410 <affects base="0.9.8" version="0.9.8k"/>
2411 <affects base="0.9.8" version="0.9.8l"/>
2412 <affects base="0.9.8" version="0.9.8m"/>
2413 <affects base="0.9.8" version="0.9.8n"/>
2414 <affects base="0.9.8" version="0.9.8o"/>
2415 <affects base="0.9.8" version="0.9.8p"/>
2416 <affects base="0.9.8" version="0.9.8q"/>
2417 <affects base="0.9.8" version="0.9.8r"/>
2418 <affects base="0.9.8" version="0.9.8s"/>
2419 <affects base="0.9.8" version="0.9.8t"/>
2420 <affects base="0.9.8" version="0.9.8u"/>
2421 <affects base="0.9.8" version="0.9.8v"/>
2422 <affects base="0.9.8" version="0.9.8w"/>
2423 <affects base="0.9.8" version="0.9.8x"/>
2424 <affects base="0.9.8" version="0.9.8y"/>
2425 <affects base="0.9.8" version="0.9.8za"/>
2426 <affects base="0.9.8" version="0.9.8zb"/>
2427 <affects base="0.9.8" version="0.9.8zc"/>
2428 <affects base="0.9.8" version="0.9.8zd"/>
2429 <affects base="0.9.8" version="0.9.8ze"/>
2430 <affects base="1.0.0" version="1.0.0"/>
2431 <affects base="1.0.0" version="1.0.0a"/>
2432 <affects base="1.0.0" version="1.0.0b"/>
2433 <affects base="1.0.0" version="1.0.0c"/>
2434 <affects base="1.0.0" version="1.0.0d"/>
2435 <affects base="1.0.0" version="1.0.0e"/>
2436 <affects base="1.0.0" version="1.0.0f"/>
2437 <affects base="1.0.0" version="1.0.0g"/>
2438 <affects base="1.0.0" version="1.0.0i"/>
2439 <affects base="1.0.0" version="1.0.0j"/>
2440 <affects base="1.0.0" version="1.0.0k"/>
2441 <affects base="1.0.0" version="1.0.0l"/>
2442 <affects base="1.0.0" version="1.0.0m"/>
2443 <affects base="1.0.0" version="1.0.0n"/>
2444 <affects base="1.0.0" version="1.0.0o"/>
2445 <affects base="1.0.0" version="1.0.0p"/>
2446 <affects base="1.0.0" version="1.0.0q"/>
2447 <affects base="1.0.1" version="1.0.1"/>
2448 <affects base="1.0.1" version="1.0.1a"/>
2449 <affects base="1.0.1" version="1.0.1b"/>
2450 <affects base="1.0.1" version="1.0.1c"/>
2451 <affects base="1.0.1" version="1.0.1d"/>
2452 <affects base="1.0.1" version="1.0.1e"/>
2453 <affects base="1.0.1" version="1.0.1f"/>
2454 <affects base="1.0.1" version="1.0.1g"/>
2455 <affects base="1.0.1" version="1.0.1h"/>
2456 <affects base="1.0.1" version="1.0.1i"/>
2457 <affects base="1.0.1" version="1.0.1j"/>
2458 <affects base="1.0.1" version="1.0.1k"/>
2459 <affects base="1.0.1" version="1.0.1l"/>
2460 <affects base="1.0.2" version="1.0.2"/>
2461 <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
2462 <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
2463 <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
2464 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
2467 This issue only affected versions of OpenSSL prior to March 19th 2015 at which
2468 time the code was refactored to address vulnerability CVE-2015-0293.
2470 s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If
2471 clear-key bytes are present for these ciphers, they *displace* encrypted-key
2472 bytes. This leads to an efficient divide-and-conquer key recovery attack: if an
2473 eavesdropper has intercepted an SSLv2 handshake, they can use the server as an
2474 oracle to determine the SSLv2 master-key, using only 16 connections to the
2475 server and negligible computation.
2477 More importantly, this leads to a more efficient version of DROWN that is
2478 effective against non-export ciphersuites, and requires no significant
2481 <advisory url="/news/secadv/20160301.txt"/>
2482 <reported source="David Adrian and J.Alex Halderman (University of Michigan)" date="20160210"/>
2484 <issue public="20160301">
2485 <impact severity="Moderate"/>
2486 <cve name="2016-0704"/>
2488 <affects base="0.9.8" version="0.9.8"/>
2489 <affects base="0.9.8" version="0.9.8a"/>
2490 <affects base="0.9.8" version="0.9.8b"/>
2491 <affects base="0.9.8" version="0.9.8c"/>
2492 <affects base="0.9.8" version="0.9.8d"/>
2493 <affects base="0.9.8" version="0.9.8e"/>
2494 <affects base="0.9.8" version="0.9.8f"/>
2495 <affects base="0.9.8" version="0.9.8g"/>
2496 <affects base="0.9.8" version="0.9.8h"/>
2497 <affects base="0.9.8" version="0.9.8i"/>
2498 <affects base="0.9.8" version="0.9.8j"/>
2499 <affects base="0.9.8" version="0.9.8k"/>
2500 <affects base="0.9.8" version="0.9.8l"/>
2501 <affects base="0.9.8" version="0.9.8m"/>
2502 <affects base="0.9.8" version="0.9.8n"/>
2503 <affects base="0.9.8" version="0.9.8o"/>
2504 <affects base="0.9.8" version="0.9.8p"/>
2505 <affects base="0.9.8" version="0.9.8q"/>
2506 <affects base="0.9.8" version="0.9.8r"/>
2507 <affects base="0.9.8" version="0.9.8s"/>
2508 <affects base="0.9.8" version="0.9.8t"/>
2509 <affects base="0.9.8" version="0.9.8u"/>
2510 <affects base="0.9.8" version="0.9.8v"/>
2511 <affects base="0.9.8" version="0.9.8w"/>
2512 <affects base="0.9.8" version="0.9.8x"/>
2513 <affects base="0.9.8" version="0.9.8y"/>
2514 <affects base="0.9.8" version="0.9.8za"/>
2515 <affects base="0.9.8" version="0.9.8zb"/>
2516 <affects base="0.9.8" version="0.9.8zc"/>
2517 <affects base="0.9.8" version="0.9.8zd"/>
2518 <affects base="0.9.8" version="0.9.8ze"/>
2519 <affects base="1.0.0" version="1.0.0"/>
2520 <affects base="1.0.0" version="1.0.0a"/>
2521 <affects base="1.0.0" version="1.0.0b"/>
2522 <affects base="1.0.0" version="1.0.0c"/>
2523 <affects base="1.0.0" version="1.0.0d"/>
2524 <affects base="1.0.0" version="1.0.0e"/>
2525 <affects base="1.0.0" version="1.0.0f"/>
2526 <affects base="1.0.0" version="1.0.0g"/>
2527 <affects base="1.0.0" version="1.0.0i"/>
2528 <affects base="1.0.0" version="1.0.0j"/>
2529 <affects base="1.0.0" version="1.0.0k"/>
2530 <affects base="1.0.0" version="1.0.0l"/>
2531 <affects base="1.0.0" version="1.0.0m"/>
2532 <affects base="1.0.0" version="1.0.0n"/>
2533 <affects base="1.0.0" version="1.0.0o"/>
2534 <affects base="1.0.0" version="1.0.0p"/>
2535 <affects base="1.0.0" version="1.0.0q"/>
2536 <affects base="1.0.1" version="1.0.1"/>
2537 <affects base="1.0.1" version="1.0.1a"/>
2538 <affects base="1.0.1" version="1.0.1b"/>
2539 <affects base="1.0.1" version="1.0.1c"/>
2540 <affects base="1.0.1" version="1.0.1d"/>
2541 <affects base="1.0.1" version="1.0.1e"/>
2542 <affects base="1.0.1" version="1.0.1f"/>
2543 <affects base="1.0.1" version="1.0.1g"/>
2544 <affects base="1.0.1" version="1.0.1h"/>
2545 <affects base="1.0.1" version="1.0.1i"/>
2546 <affects base="1.0.1" version="1.0.1j"/>
2547 <affects base="1.0.1" version="1.0.1k"/>
2548 <affects base="1.0.1" version="1.0.1l"/>
2549 <affects base="1.0.2" version="1.0.2"/>
2550 <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
2551 <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
2552 <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
2553 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
2556 This issue only affected versions of OpenSSL prior to March 19th 2015 at which
2557 time the code was refactored to address the vulnerability CVE-2015-0293.
2559 s2_srvr.c overwrite the wrong bytes in the master-key when applying
2560 Bleichenbacher protection for export cipher suites. This provides a
2561 Bleichenbacher oracle, and could potentially allow more efficient variants of
2564 <advisory url="/news/secadv/20160301.txt"/>
2565 <reported source="David Adrian and J.Alex Halderman (University of Michigan)" date="20160210"/>
2567 <issue public="20160128">
2568 <impact severity="High"/>
2569 <cve name="2016-0701"/>
2570 <affects base="1.0.2" version="1.0.2"/>
2571 <affects base="1.0.2" version="1.0.2a"/>
2572 <affects base="1.0.2" version="1.0.2b"/>
2573 <affects base="1.0.2" version="1.0.2c"/>
2574 <affects base="1.0.2" version="1.0.2d"/>
2575 <affects base="1.0.2" version="1.0.2e"/>
2576 <fixed base="1.0.2" version="1.0.2f" date="2016-0701"/>
2579 Historically OpenSSL usually only ever generated DH parameters based on "safe"
2580 primes. More recently (in version 1.0.2) support was provided for generating
2581 X9.42 style parameter files such as those required for RFC 5114 support. The
2582 primes used in such files may not be "safe". Where an application is using DH
2583 configured with parameters based on primes that are not "safe" then an attacker
2584 could use this fact to find a peer's private DH exponent. This attack requires
2585 that the attacker complete multiple handshakes in which the peer uses the same
2586 private DH exponent. For example this could be used to discover a TLS server's
2587 private DH exponent if it's reusing the private DH exponent or it's using a
2588 static DH ciphersuite.
2590 OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS.
2591 It is not on by default. If the option is not set then the server reuses the
2592 same private DH exponent for the life of the server process and would be
2593 vulnerable to this attack. It is believed that many popular applications do set
2594 this option and would therefore not be at risk.
2596 OpenSSL before 1.0.2f will reuse the key if:
2597 - SSL_CTX_set_tmp_dh()/SSL_set_tmp_dh() is used and SSL_OP_SINGLE_DH_USE is not
2599 - SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used, and both the
2600 parameters and the key are set and SSL_OP_SINGLE_DH_USE is not used. This is
2601 an undocumted feature and parameter files don't contain the key.
2602 - Static DH ciphersuites are used. The key is part of the certificate and
2603 so it will always reuse it. This is only supported in 1.0.2.
2605 It will not reuse the key for DHE ciphers suites if:
2606 - SSL_OP_SINGLE_DH_USE is set
2607 - SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used and the
2608 callback does not provide the key, only the parameters. The callback is
2609 almost always used like this.
2611 Non-safe primes are generated by OpenSSL when using:
2612 - genpkey with the dh_rfc5114 option. This will write an X9.42 style file
2613 including the prime-order subgroup size "q". This is supported since the 1.0.2
2614 version. Older versions can't read files generated in this way.
2615 - dhparam with the -dsaparam option. This has always been documented as
2616 requiring the single use.
2618 The fix for this issue adds an additional check where a "q" parameter is
2619 available (as is the case in X9.42 based parameters). This detects the
2620 only known attack, and is the only possible defense for static DH ciphersuites.
2621 This could have some performance impact.
2623 Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by default
2624 and cannot be disabled. This could have some performance impact.
2626 <advisory url="/news/secadv/20160128.txt"/>
2627 <reported source="Antonio Sanso (Adobe)" date="20160112"/>
2629 <issue public="20160128">
2630 <impact severity="Low"/>
2631 <cve name="2015-3197"/>
2632 <affects base="1.0.1" version="1.0.1"/>
2633 <affects base="1.0.1" version="1.0.1a"/>
2634 <affects base="1.0.1" version="1.0.1b"/>
2635 <affects base="1.0.1" version="1.0.1c"/>
2636 <affects base="1.0.1" version="1.0.1d"/>
2637 <affects base="1.0.1" version="1.0.1e"/>
2638 <affects base="1.0.1" version="1.0.1f"/>
2639 <affects base="1.0.1" version="1.0.1g"/>
2640 <affects base="1.0.1" version="1.0.1h"/>
2641 <affects base="1.0.1" version="1.0.1i"/>
2642 <affects base="1.0.1" version="1.0.1j"/>
2643 <affects base="1.0.1" version="1.0.1k"/>
2644 <affects base="1.0.1" version="1.0.1l"/>
2645 <affects base="1.0.1" version="1.0.1m"/>
2646 <affects base="1.0.1" version="1.0.1n"/>
2647 <affects base="1.0.1" version="1.0.1o"/>
2648 <affects base="1.0.1" version="1.0.1p"/>
2649 <affects base="1.0.1" version="1.0.1q"/>
2650 <affects base="1.0.2" version="1.0.2"/>
2651 <affects base="1.0.2" version="1.0.2a"/>
2652 <affects base="1.0.2" version="1.0.2b"/>
2653 <affects base="1.0.2" version="1.0.2c"/>
2654 <affects base="1.0.2" version="1.0.2d"/>
2655 <affects base="1.0.2" version="1.0.2e"/>
2656 <fixed base="1.0.1" version="1.0.1r" date="20160128"/>
2657 <fixed base="1.0.2" version="1.0.2f" date="20160128"/>
2660 A malicious client can negotiate SSLv2 ciphers that have been disabled on the
2661 server and complete SSLv2 handshakes even if all SSLv2 ciphers have been
2662 disabled, provided that the SSLv2 protocol was not also disabled via
2665 <advisory url="/news/secadv/20160128.txt"/>
2666 <reported source="Nimrod Aviram and Sebastian Schinzel" date="20151226"/>
2668 <issue public="20150811">
2669 <impact severity="Low"/>
2670 <cve name="2015-1794"/>
2671 <affects base="1.0.2" version="1.0.2"/>
2672 <affects base="1.0.2" version="1.0.2a"/>
2673 <affects base="1.0.2" version="1.0.2b"/>
2674 <affects base="1.0.2" version="1.0.2c"/>
2675 <affects base="1.0.2" version="1.0.2d"/>
2676 <fixed base="1.0.2" version="1.0.2e" date="20151203"/>
2679 If a client receives a ServerKeyExchange for an anonymous DH ciphersuite with
2680 the value of p set to 0 then a seg fault can occur leading to a possible denial
2683 <advisory url="/news/secadv/20151203.txt"/>
2684 <reported source="Guy Leaver (Cisco)" date="20150803"/>
2686 <issue public="20151203">
2687 <cve name="2015-3193"/>
2688 <impact severity="Moderate"/>
2689 <affects base="1.0.2" version="1.0.2"/>
2690 <affects base="1.0.2" version="1.0.2a"/>
2691 <affects base="1.0.2" version="1.0.2b"/>
2692 <affects base="1.0.2" version="1.0.2c"/>
2693 <affects base="1.0.2" version="1.0.2d"/>
2694 <fixed base="1.0.2" version="1.0.2e" date="20151203"/>
2697 There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No
2698 EC algorithms are affected. Analysis suggests that attacks against RSA and DSA
2699 as a result of this defect would be very difficult to perform and are not
2700 believed likely. Attacks against DH are considered just feasible (although very
2701 difficult) because most of the work necessary to deduce information
2702 about a private key may be performed offline. The amount of resources
2703 required for such an attack would be very significant and likely only
2704 accessible to a limited number of attackers. An attacker would
2705 additionally need online access to an unpatched system using the target
2706 private key in a scenario with persistent DH parameters and a private
2707 key that is shared between multiple clients. For example this can occur by
2708 default in OpenSSL DHE based SSL/TLS ciphersuites.
2710 <advisory url="/news/secadv/20151203.txt"/>
2711 <reported source="Hanno Böck" date="20150813"/>
2713 <issue public="20151203">
2714 <cve name="2015-3194"/>
2715 <impact severity="Moderate"/>
2716 <affects base="1.0.1" version="1.0.1"/>
2717 <affects base="1.0.1" version="1.0.1a"/>
2718 <affects base="1.0.1" version="1.0.1b"/>
2719 <affects base="1.0.1" version="1.0.1c"/>
2720 <affects base="1.0.1" version="1.0.1d"/>
2721 <affects base="1.0.1" version="1.0.1e"/>
2722 <affects base="1.0.1" version="1.0.1f"/>
2723 <affects base="1.0.1" version="1.0.1g"/>
2724 <affects base="1.0.1" version="1.0.1h"/>
2725 <affects base="1.0.1" version="1.0.1i"/>
2726 <affects base="1.0.1" version="1.0.1j"/>
2727 <affects base="1.0.1" version="1.0.1k"/>
2728 <affects base="1.0.1" version="1.0.1l"/>
2729 <affects base="1.0.1" version="1.0.1m"/>
2730 <affects base="1.0.1" version="1.0.1n"/>
2731 <affects base="1.0.1" version="1.0.1o"/>
2732 <affects base="1.0.1" version="1.0.1p"/>
2733 <affects base="1.0.2" version="1.0.2"/>
2734 <affects base="1.0.2" version="1.0.2a"/>
2735 <affects base="1.0.2" version="1.0.2b"/>
2736 <affects base="1.0.2" version="1.0.2c"/>
2737 <affects base="1.0.2" version="1.0.2d"/>
2738 <fixed base="1.0.2" version="1.0.2e" date="20151203"/>
2739 <fixed base="1.0.1" version="1.0.1q" date="20151203"/>
2742 The signature verification routines will crash with a NULL pointer dereference
2743 if presented with an ASN.1 signature using the RSA PSS algorithm and absent
2744 mask generation function parameter. Since these routines are used to verify
2745 certificate signature algorithms this can be used to crash any certificate
2746 verification operation and exploited in a DoS attack. Any application which
2747 performs certificate verification is vulnerable including OpenSSL clients and
2748 servers which enable client authentication.
2750 <advisory url="/news/secadv/20151203.txt"/>
2751 <reported source="Loïc Jonas Etienne (Qnective AG)" date="20150827"/>
2753 <issue public="20151203">
2754 <cve name="2015-3195"/>
2755 <impact severity="Moderate"/>
2756 <affects base="0.9.8" version="0.9.8"/>
2757 <affects base="0.9.8" version="0.9.8a"/>
2758 <affects base="0.9.8" version="0.9.8b"/>
2759 <affects base="0.9.8" version="0.9.8c"/>
2760 <affects base="0.9.8" version="0.9.8d"/>
2761 <affects base="0.9.8" version="0.9.8e"/>
2762 <affects base="0.9.8" version="0.9.8f"/>
2763 <affects base="0.9.8" version="0.9.8g"/>
2764 <affects base="0.9.8" version="0.9.8h"/>
2765 <affects base="0.9.8" version="0.9.8i"/>
2766 <affects base="0.9.8" version="0.9.8j"/>
2767 <affects base="0.9.8" version="0.9.8k"/>
2768 <affects base="0.9.8" version="0.9.8l"/>
2769 <affects base="0.9.8" version="0.9.8m"/>
2770 <affects base="0.9.8" version="0.9.8n"/>
2771 <affects base="0.9.8" version="0.9.8o"/>
2772 <affects base="0.9.8" version="0.9.8p"/>
2773 <affects base="0.9.8" version="0.9.8q"/>
2774 <affects base="0.9.8" version="0.9.8r"/>
2775 <affects base="0.9.8" version="0.9.8s"/>
2776 <affects base="0.9.8" version="0.9.8t"/>
2777 <affects base="0.9.8" version="0.9.8u"/>
2778 <affects base="0.9.8" version="0.9.8v"/>
2779 <affects base="0.9.8" version="0.9.8w"/>
2780 <affects base="0.9.8" version="0.9.8x"/>
2781 <affects base="0.9.8" version="0.9.8y"/>
2782 <affects base="0.9.8" version="0.9.8za"/>
2783 <affects base="0.9.8" version="0.9.8zb"/>
2784 <affects base="0.9.8" version="0.9.8zc"/>
2785 <affects base="0.9.8" version="0.9.8zd"/>
2786 <affects base="0.9.8" version="0.9.8ze"/>
2787 <affects base="0.9.8" version="0.9.8zf"/>
2788 <affects base="0.9.8" version="0.9.8zg"/>
2789 <affects base="1.0.0" version="1.0.0"/>
2790 <affects base="1.0.0" version="1.0.0a"/>
2791 <affects base="1.0.0" version="1.0.0b"/>
2792 <affects base="1.0.0" version="1.0.0c"/>
2793 <affects base="1.0.0" version="1.0.0d"/>
2794 <affects base="1.0.0" version="1.0.0e"/>
2795 <affects base="1.0.0" version="1.0.0f"/>
2796 <affects base="1.0.0" version="1.0.0g"/>
2797 <affects base="1.0.0" version="1.0.0h"/>
2798 <affects base="1.0.0" version="1.0.0i"/>
2799 <affects base="1.0.0" version="1.0.0j"/>
2800 <affects base="1.0.0" version="1.0.0k"/>
2801 <affects base="1.0.0" version="1.0.0l"/>
2802 <affects base="1.0.0" version="1.0.0m"/>
2803 <affects base="1.0.0" version="1.0.0n"/>
2804 <affects base="1.0.0" version="1.0.0o"/>
2805 <affects base="1.0.0" version="1.0.0p"/>
2806 <affects base="1.0.0" version="1.0.0q"/>
2807 <affects base="1.0.0" version="1.0.0r"/>
2808 <affects base="1.0.0" version="1.0.0s"/>
2809 <affects base="1.0.1" version="1.0.1"/>
2810 <affects base="1.0.1" version="1.0.1a"/>
2811 <affects base="1.0.1" version="1.0.1b"/>
2812 <affects base="1.0.1" version="1.0.1c"/>
2813 <affects base="1.0.1" version="1.0.1d"/>
2814 <affects base="1.0.1" version="1.0.1e"/>
2815 <affects base="1.0.1" version="1.0.1f"/>
2816 <affects base="1.0.1" version="1.0.1g"/>
2817 <affects base="1.0.1" version="1.0.1h"/>
2818 <affects base="1.0.1" version="1.0.1i"/>
2819 <affects base="1.0.1" version="1.0.1j"/>
2820 <affects base="1.0.1" version="1.0.1k"/>
2821 <affects base="1.0.1" version="1.0.1l"/>
2822 <affects base="1.0.1" version="1.0.1m"/>
2823 <affects base="1.0.1" version="1.0.1n"/>
2824 <affects base="1.0.1" version="1.0.1o"/>
2825 <affects base="1.0.1" version="1.0.1p"/>
2826 <affects base="1.0.2" version="1.0.2"/>
2827 <affects base="1.0.2" version="1.0.2a"/>
2828 <affects base="1.0.2" version="1.0.2b"/>
2829 <affects base="1.0.2" version="1.0.2c"/>
2830 <affects base="1.0.2" version="1.0.2d"/>
2831 <fixed base="1.0.2" version="1.0.2e" date="20151203"/>
2832 <fixed base="1.0.1" version="1.0.1q" date="20151203"/>
2833 <fixed base="1.0.0" version="1.0.0t" date="20151203"/>
2834 <fixed base="0.9.8" version="0.9.8zh" date="20151203"/>
2837 When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
2838 memory. This structure is used by the PKCS#7 and CMS routines so any
2839 application which reads PKCS#7 or CMS data from untrusted sources is affected.
2840 SSL/TLS is not affected.
2842 <advisory url="/news/secadv/20151203.txt"/>
2843 <reported source="Adam Langley (Google/BoringSSL) using libFuzzer" date="20151109"/>
2845 <issue public="20151203">
2846 <cve name="2015-3196"/>
2847 <impact severity="Low"/>
2848 <affects base="1.0.0" version="1.0.0"/>
2849 <affects base="1.0.0" version="1.0.0a"/>
2850 <affects base="1.0.0" version="1.0.0b"/>
2851 <affects base="1.0.0" version="1.0.0c"/>
2852 <affects base="1.0.0" version="1.0.0d"/>
2853 <affects base="1.0.0" version="1.0.0e"/>
2854 <affects base="1.0.0" version="1.0.0f"/>
2855 <affects base="1.0.0" version="1.0.0g"/>
2856 <affects base="1.0.0" version="1.0.0h"/>
2857 <affects base="1.0.0" version="1.0.0i"/>
2858 <affects base="1.0.0" version="1.0.0j"/>
2859 <affects base="1.0.0" version="1.0.0k"/>
2860 <affects base="1.0.0" version="1.0.0l"/>
2861 <affects base="1.0.0" version="1.0.0m"/>
2862 <affects base="1.0.0" version="1.0.0n"/>
2863 <affects base="1.0.0" version="1.0.0o"/>
2864 <affects base="1.0.0" version="1.0.0p"/>
2865 <affects base="1.0.0" version="1.0.0q"/>
2866 <affects base="1.0.0" version="1.0.0r"/>
2867 <affects base="1.0.0" version="1.0.0s"/>
2868 <affects base="1.0.1" version="1.0.1"/>
2869 <affects base="1.0.1" version="1.0.1a"/>
2870 <affects base="1.0.1" version="1.0.1b"/>
2871 <affects base="1.0.1" version="1.0.1c"/>
2872 <affects base="1.0.1" version="1.0.1d"/>
2873 <affects base="1.0.1" version="1.0.1e"/>
2874 <affects base="1.0.1" version="1.0.1f"/>
2875 <affects base="1.0.1" version="1.0.1g"/>
2876 <affects base="1.0.1" version="1.0.1h"/>
2877 <affects base="1.0.1" version="1.0.1i"/>
2878 <affects base="1.0.1" version="1.0.1j"/>
2879 <affects base="1.0.1" version="1.0.1k"/>
2880 <affects base="1.0.1" version="1.0.1l"/>
2881 <affects base="1.0.1" version="1.0.1m"/>
2882 <affects base="1.0.1" version="1.0.1n"/>
2883 <affects base="1.0.1" version="1.0.1o"/>
2884 <affects base="1.0.2" version="1.0.2"/>
2885 <affects base="1.0.2" version="1.0.2a"/>
2886 <affects base="1.0.2" version="1.0.2b"/>
2887 <affects base="1.0.2" version="1.0.2c"/>
2888 <fixed base="1.0.2" version="1.0.2d" date="20150709"/>
2889 <fixed base="1.0.1" version="1.0.1p" date="20150709"/>
2890 <fixed base="1.0.0" version="1.0.0t" date="20151203"/>
2893 If PSK identity hints are received by a multi-threaded client then
2894 the values are wrongly updated in the parent SSL_CTX structure. This can
2895 result in a race condition potentially leading to a double free of the
2898 <advisory url="/news/secadv/20151203.txt"/>
2899 <reported source="Stephen Henson (OpenSSL)"/>
2902 <issue public="20150709">
2903 <cve name="2015-1793"/>
2904 <impact severity="High"/>
2905 <affects base="1.0.1" version="1.0.1n"/>
2906 <affects base="1.0.1" version="1.0.1o"/>
2907 <affects base="1.0.2" version="1.0.2b"/>
2908 <affects base="1.0.2" version="1.0.2c"/>
2909 <fixed base="1.0.2" version="1.0.2d" date="20150709"/>
2910 <fixed base="1.0.1" version="1.0.1p" date="20150709"/>
2913 An error in the implementation of the alternative certificate
2914 chain logic could allow an attacker to cause certain checks on
2915 untrusted certificates to be bypassed, such as the CA flag,
2916 enabling them to use a valid leaf certificate to act as a CA and
2917 "issue" an invalid certificate.
2919 <advisory url="/news/secadv/20150709.txt"/>
2920 <reported source="Adam Langley and David Benjamin (Google/BoringSSL)" date="20150624"/>
2922 <issue public="20150611">
2923 <cve name="2015-1788"/>
2924 <impact severity="Moderate"/>
2925 <affects base="0.9.8" version="0.9.8"/>
2926 <affects base="0.9.8" version="0.9.8a"/>
2927 <affects base="0.9.8" version="0.9.8b"/>
2928 <affects base="0.9.8" version="0.9.8c"/>
2929 <affects base="0.9.8" version="0.9.8d"/>
2930 <affects base="0.9.8" version="0.9.8e"/>
2931 <affects base="0.9.8" version="0.9.8f"/>
2932 <affects base="0.9.8" version="0.9.8g"/>
2933 <affects base="0.9.8" version="0.9.8h"/>
2934 <affects base="0.9.8" version="0.9.8i"/>
2935 <affects base="0.9.8" version="0.9.8j"/>
2936 <affects base="0.9.8" version="0.9.8k"/>
2937 <affects base="0.9.8" version="0.9.8l"/>
2938 <affects base="0.9.8" version="0.9.8m"/>
2939 <affects base="0.9.8" version="0.9.8n"/>
2940 <affects base="0.9.8" version="0.9.8o"/>
2941 <affects base="0.9.8" version="0.9.8p"/>
2942 <affects base="0.9.8" version="0.9.8q"/>
2943 <affects base="0.9.8" version="0.9.8r"/>
2944 <affects base="1.0.0" version="1.0.0"/>
2945 <affects base="1.0.0" version="1.0.0a"/>
2946 <affects base="1.0.0" version="1.0.0b"/>
2947 <affects base="1.0.0" version="1.0.0c"/>
2948 <affects base="1.0.0" version="1.0.0d"/>
2949 <affects base="1.0.1" version="1.0.1"/>
2950 <affects base="1.0.1" version="1.0.1a"/>
2951 <affects base="1.0.1" version="1.0.1b"/>
2952 <affects base="1.0.1" version="1.0.1c"/>
2953 <affects base="1.0.1" version="1.0.1d"/>
2954 <affects base="1.0.1" version="1.0.1e"/>
2955 <affects base="1.0.1" version="1.0.1f"/>
2956 <affects base="1.0.1" version="1.0.1g"/>
2957 <affects base="1.0.1" version="1.0.1h"/>
2958 <affects base="1.0.1" version="1.0.1i"/>
2959 <affects base="1.0.1" version="1.0.1j"/>
2960 <affects base="1.0.1" version="1.0.1k"/>
2961 <affects base="1.0.1" version="1.0.1l"/>
2962 <affects base="1.0.1" version="1.0.1m"/>
2963 <affects base="1.0.2" version="1.0.2"/>
2964 <affects base="1.0.2" version="1.0.2a"/>
2965 <fixed base="1.0.2" version="1.0.2b" date="20150611"/>
2966 <fixed base="1.0.1" version="1.0.1n" date="20150611"/>
2967 <fixed base="1.0.0" version="1.0.0e" date="20110906"/>
2968 <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
2971 When processing an ECParameters structure OpenSSL enters an infinite loop if
2972 the curve specified is over a specially malformed binary polynomial field.
2974 This can be used to perform denial of service against any
2975 system which processes public keys, certificate requests or
2976 certificates. This includes TLS clients and TLS servers with
2977 client authentication enabled.
2979 <advisory url="/news/secadv/20150611.txt"/>
2980 <reported source="Joseph Birr-Pixton" date="20150406"/>
2983 <issue public="20150611">
2984 <cve name="2015-1789"/>
2985 <impact severity="Moderate"/>
2986 <affects base="0.9.8" version="0.9.8"/>
2987 <affects base="0.9.8" version="0.9.8a"/>
2988 <affects base="0.9.8" version="0.9.8b"/>
2989 <affects base="0.9.8" version="0.9.8c"/>
2990 <affects base="0.9.8" version="0.9.8d"/>
2991 <affects base="0.9.8" version="0.9.8e"/>
2992 <affects base="0.9.8" version="0.9.8f"/>
2993 <affects base="0.9.8" version="0.9.8g"/>
2994 <affects base="0.9.8" version="0.9.8h"/>
2995 <affects base="0.9.8" version="0.9.8i"/>
2996 <affects base="0.9.8" version="0.9.8j"/>
2997 <affects base="0.9.8" version="0.9.8k"/>
2998 <affects base="0.9.8" version="0.9.8l"/>
2999 <affects base="0.9.8" version="0.9.8m"/>
3000 <affects base="0.9.8" version="0.9.8n"/>
3001 <affects base="0.9.8" version="0.9.8o"/>
3002 <affects base="0.9.8" version="0.9.8p"/>
3003 <affects base="0.9.8" version="0.9.8q"/>
3004 <affects base="0.9.8" version="0.9.8r"/>
3005 <affects base="0.9.8" version="0.9.8s"/>
3006 <affects base="0.9.8" version="0.9.8t"/>
3007 <affects base="0.9.8" version="0.9.8u"/>
3008 <affects base="0.9.8" version="0.9.8v"/>
3009 <affects base="0.9.8" version="0.9.8w"/>
3010 <affects base="0.9.8" version="0.9.8x"/>
3011 <affects base="0.9.8" version="0.9.8y"/>
3012 <affects base="0.9.8" version="0.9.8za"/>
3013 <affects base="0.9.8" version="0.9.8zb"/>
3014 <affects base="0.9.8" version="0.9.8zc"/>
3015 <affects base="0.9.8" version="0.9.8zd"/>
3016 <affects base="0.9.8" version="0.9.8ze"/>
3017 <affects base="0.9.8" version="0.9.8zf"/>
3018 <affects base="1.0.0" version="1.0.0"/>
3019 <affects base="1.0.0" version="1.0.0a"/>
3020 <affects base="1.0.0" version="1.0.0b"/>
3021 <affects base="1.0.0" version="1.0.0c"/>
3022 <affects base="1.0.0" version="1.0.0d"/>
3023 <affects base="1.0.0" version="1.0.0e"/>
3024 <affects base="1.0.0" version="1.0.0f"/>
3025 <affects base="1.0.0" version="1.0.0g"/>
3026 <affects base="1.0.0" version="1.0.0i"/>
3027 <affects base="1.0.0" version="1.0.0j"/>
3028 <affects base="1.0.0" version="1.0.0k"/>
3029 <affects base="1.0.0" version="1.0.0l"/>
3030 <affects base="1.0.0" version="1.0.0m"/>
3031 <affects base="1.0.0" version="1.0.0n"/>
3032 <affects base="1.0.0" version="1.0.0o"/>
3033 <affects base="1.0.0" version="1.0.0p"/>
3034 <affects base="1.0.0" version="1.0.0q"/>
3035 <affects base="1.0.0" version="1.0.0r"/>
3036 <affects base="1.0.1" version="1.0.1"/>
3037 <affects base="1.0.1" version="1.0.1a"/>
3038 <affects base="1.0.1" version="1.0.1b"/>
3039 <affects base="1.0.1" version="1.0.1c"/>
3040 <affects base="1.0.1" version="1.0.1d"/>
3041 <affects base="1.0.1" version="1.0.1e"/>
3042 <affects base="1.0.1" version="1.0.1f"/>
3043 <affects base="1.0.1" version="1.0.1g"/>
3044 <affects base="1.0.1" version="1.0.1h"/>
3045 <affects base="1.0.1" version="1.0.1i"/>
3046 <affects base="1.0.1" version="1.0.1j"/>
3047 <affects base="1.0.1" version="1.0.1k"/>
3048 <affects base="1.0.1" version="1.0.1l"/>
3049 <affects base="1.0.1" version="1.0.1m"/>
3050 <affects base="1.0.2" version="1.0.2"/>
3051 <affects base="1.0.2" version="1.0.2a"/>
3052 <fixed base="1.0.2" version="1.0.2b" date="20150611"/>
3053 <fixed base="1.0.1" version="1.0.1n" date="20150611"/>
3054 <fixed base="1.0.0" version="1.0.0s" date="20150611"/>
3055 <fixed base="0.9.8" version="0.9.8zg" date="20150611"/>
3058 X509_cmp_time does not properly check the length of the ASN1_TIME
3059 string and can read a few bytes out of bounds. In addition,
3060 X509_cmp_time accepts an arbitrary number of fractional seconds in the
3063 An attacker can use this to craft malformed certificates and CRLs of
3064 various sizes and potentially cause a segmentation fault, resulting in
3065 a DoS on applications that verify certificates or CRLs. TLS clients
3066 that verify CRLs are affected. TLS clients and servers with client
3067 authentication enabled may be affected if they use custom verification
3070 <advisory url="/news/secadv/20150611.txt"/>
3071 <reported source="Robert Święcki (Google Security Team)" date="20150408"/>
3072 <reported source="Hanno Böck" date="20150411"/>
3075 <issue public="20150611">
3076 <cve name="2015-1790"/>
3077 <impact severity="Moderate"/>
3078 <affects base="0.9.8" version="0.9.8"/>
3079 <affects base="0.9.8" version="0.9.8a"/>
3080 <affects base="0.9.8" version="0.9.8b"/>
3081 <affects base="0.9.8" version="0.9.8c"/>
3082 <affects base="0.9.8" version="0.9.8d"/>
3083 <affects base="0.9.8" version="0.9.8e"/>
3084 <affects base="0.9.8" version="0.9.8f"/>
3085 <affects base="0.9.8" version="0.9.8g"/>
3086 <affects base="0.9.8" version="0.9.8h"/>
3087 <affects base="0.9.8" version="0.9.8i"/>
3088 <affects base="0.9.8" version="0.9.8j"/>
3089 <affects base="0.9.8" version="0.9.8k"/>
3090 <affects base="0.9.8" version="0.9.8l"/>
3091 <affects base="0.9.8" version="0.9.8m"/>
3092 <affects base="0.9.8" version="0.9.8n"/>
3093 <affects base="0.9.8" version="0.9.8o"/>
3094 <affects base="0.9.8" version="0.9.8p"/>
3095 <affects base="0.9.8" version="0.9.8q"/>
3096 <affects base="0.9.8" version="0.9.8r"/>
3097 <affects base="0.9.8" version="0.9.8s"/>
3098 <affects base="0.9.8" version="0.9.8t"/>
3099 <affects base="0.9.8" version="0.9.8u"/>
3100 <affects base="0.9.8" version="0.9.8v"/>
3101 <affects base="0.9.8" version="0.9.8w"/>
3102 <affects base="0.9.8" version="0.9.8x"/>
3103 <affects base="0.9.8" version="0.9.8y"/>
3104 <affects base="0.9.8" version="0.9.8za"/>
3105 <affects base="0.9.8" version="0.9.8zb"/>
3106 <affects base="0.9.8" version="0.9.8zc"/>
3107 <affects base="0.9.8" version="0.9.8zd"/>
3108 <affects base="0.9.8" version="0.9.8ze"/>
3109 <affects base="0.9.8" version="0.9.8zf"/>
3110 <affects base="1.0.0" version="1.0.0"/>
3111 <affects base="1.0.0" version="1.0.0a"/>
3112 <affects base="1.0.0" version="1.0.0b"/>
3113 <affects base="1.0.0" version="1.0.0c"/>
3114 <affects base="1.0.0" version="1.0.0d"/>
3115 <affects base="1.0.0" version="1.0.0e"/>
3116 <affects base="1.0.0" version="1.0.0f"/>
3117 <affects base="1.0.0" version="1.0.0g"/>
3118 <affects base="1.0.0" version="1.0.0i"/>
3119 <affects base="1.0.0" version="1.0.0j"/>
3120 <affects base="1.0.0" version="1.0.0k"/>
3121 <affects base="1.0.0" version="1.0.0l"/>
3122 <affects base="1.0.0" version="1.0.0m"/>
3123 <affects base="1.0.0" version="1.0.0n"/>
3124 <affects base="1.0.0" version="1.0.0o"/>
3125 <affects base="1.0.0" version="1.0.0p"/>
3126 <affects base="1.0.0" version="1.0.0q"/>
3127 <affects base="1.0.0" version="1.0.0r"/>
3128 <affects base="1.0.1" version="1.0.1"/>
3129 <affects base="1.0.1" version="1.0.1a"/>
3130 <affects base="1.0.1" version="1.0.1b"/>
3131 <affects base="1.0.1" version="1.0.1c"/>
3132 <affects base="1.0.1" version="1.0.1d"/>
3133 <affects base="1.0.1" version="1.0.1e"/>
3134 <affects base="1.0.1" version="1.0.1f"/>
3135 <affects base="1.0.1" version="1.0.1g"/>
3136 <affects base="1.0.1" version="1.0.1h"/>
3137 <affects base="1.0.1" version="1.0.1i"/>
3138 <affects base="1.0.1" version="1.0.1j"/>
3139 <affects base="1.0.1" version="1.0.1k"/>
3140 <affects base="1.0.1" version="1.0.1l"/>
3141 <affects base="1.0.1" version="1.0.1m"/>
3142 <affects base="1.0.2" version="1.0.2"/>
3143 <affects base="1.0.2" version="1.0.2a"/>
3144 <fixed base="1.0.2" version="1.0.2b" date="20150611"/>
3145 <fixed base="1.0.1" version="1.0.1n" date="20150611"/>
3146 <fixed base="1.0.0" version="1.0.0s" date="20150611"/>
3147 <fixed base="0.9.8" version="0.9.8zg" date="20150611"/>
3150 The PKCS#7 parsing code does not handle missing inner EncryptedContent
3151 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
3152 with missing content and trigger a NULL pointer dereference on parsing.
3154 Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
3155 structures from untrusted sources are affected. OpenSSL clients and
3156 servers are not affected.
3158 <advisory url="/news/secadv/20150611.txt"/>
3159 <reported source="Michal Zalewski (Google)" date="20150418"/>
3162 <issue public="20150611">
3163 <cve name="2015-1792"/>
3164 <impact severity="Moderate"/>
3165 <affects base="0.9.8" version="0.9.8"/>
3166 <affects base="0.9.8" version="0.9.8a"/>
3167 <affects base="0.9.8" version="0.9.8b"/>
3168 <affects base="0.9.8" version="0.9.8c"/>
3169 <affects base="0.9.8" version="0.9.8d"/>
3170 <affects base="0.9.8" version="0.9.8e"/>
3171 <affects base="0.9.8" version="0.9.8f"/>
3172 <affects base="0.9.8" version="0.9.8g"/>
3173 <affects base="0.9.8" version="0.9.8h"/>
3174 <affects base="0.9.8" version="0.9.8i"/>
3175 <affects base="0.9.8" version="0.9.8j"/>
3176 <affects base="0.9.8" version="0.9.8k"/>
3177 <affects base="0.9.8" version="0.9.8l"/>
3178 <affects base="0.9.8" version="0.9.8m"/>
3179 <affects base="0.9.8" version="0.9.8n"/>
3180 <affects base="0.9.8" version="0.9.8o"/>
3181 <affects base="0.9.8" version="0.9.8p"/>
3182 <affects base="0.9.8" version="0.9.8q"/>
3183 <affects base="0.9.8" version="0.9.8r"/>
3184 <affects base="0.9.8" version="0.9.8s"/>
3185 <affects base="0.9.8" version="0.9.8t"/>
3186 <affects base="0.9.8" version="0.9.8u"/>
3187 <affects base="0.9.8" version="0.9.8v"/>
3188 <affects base="0.9.8" version="0.9.8w"/>
3189 <affects base="0.9.8" version="0.9.8x"/>
3190 <affects base="0.9.8" version="0.9.8y"/>
3191 <affects base="0.9.8" version="0.9.8za"/>
3192 <affects base="0.9.8" version="0.9.8zb"/>
3193 <affects base="0.9.8" version="0.9.8zc"/>
3194 <affects base="0.9.8" version="0.9.8zd"/>
3195 <affects base="0.9.8" version="0.9.8ze"/>
3196 <affects base="0.9.8" version="0.9.8zf"/>
3197 <affects base="1.0.0" version="1.0.0"/>
3198 <affects base="1.0.0" version="1.0.0a"/>
3199 <affects base="1.0.0" version="1.0.0b"/>
3200 <affects base="1.0.0" version="1.0.0c"/>
3201 <affects base="1.0.0" version="1.0.0d"/>
3202 <affects base="1.0.0" version="1.0.0e"/>
3203 <affects base="1.0.0" version="1.0.0f"/>
3204 <affects base="1.0.0" version="1.0.0g"/>
3205 <affects base="1.0.0" version="1.0.0i"/>
3206 <affects base="1.0.0" version="1.0.0j"/>
3207 <affects base="1.0.0" version="1.0.0k"/>
3208 <affects base="1.0.0" version="1.0.0l"/>
3209 <affects base="1.0.0" version="1.0.0m"/>
3210 <affects base="1.0.0" version="1.0.0n"/>
3211 <affects base="1.0.0" version="1.0.0o"/>
3212 <affects base="1.0.0" version="1.0.0p"/>
3213 <affects base="1.0.0" version="1.0.0q"/>
3214 <affects base="1.0.0" version="1.0.0r"/>
3215 <affects base="1.0.1" version="1.0.1"/>
3216 <affects base="1.0.1" version="1.0.1a"/>
3217 <affects base="1.0.1" version="1.0.1b"/>
3218 <affects base="1.0.1" version="1.0.1c"/>
3219 <affects base="1.0.1" version="1.0.1d"/>
3220 <affects base="1.0.1" version="1.0.1e"/>
3221 <affects base="1.0.1" version="1.0.1f"/>
3222 <affects base="1.0.1" version="1.0.1g"/>
3223 <affects base="1.0.1" version="1.0.1h"/>
3224 <affects base="1.0.1" version="1.0.1i"/>
3225 <affects base="1.0.1" version="1.0.1j"/>
3226 <affects base="1.0.1" version="1.0.1k"/>
3227 <affects base="1.0.1" version="1.0.1l"/>
3228 <affects base="1.0.1" version="1.0.1m"/>
3229 <affects base="1.0.2" version="1.0.2"/>
3230 <affects base="1.0.2" version="1.0.2a"/>
3231 <fixed base="1.0.2" version="1.0.2b" date="20150611"/>
3232 <fixed base="1.0.1" version="1.0.1n" date="20150611"/>
3233 <fixed base="1.0.0" version="1.0.0s" date="20150611"/>
3234 <fixed base="0.9.8" version="0.9.8zg" date="20150611"/>
3237 When verifying a signedData message the CMS code can enter an infinite loop
3238 if presented with an unknown hash function OID.
3240 This can be used to perform denial of service against any system which
3241 verifies signedData messages using the CMS code.
3243 <advisory url="/news/secadv/20150611.txt"/>
3244 <reported source="Johannes Bauer" date="20150331"/>
3247 <issue public="20150602">
3248 <cve name="2015-1791"/>
3249 <impact severity="Low"/>
3250 <affects base="0.9.8" version="0.9.8"/>
3251 <affects base="0.9.8" version="0.9.8a"/>
3252 <affects base="0.9.8" version="0.9.8b"/>
3253 <affects base="0.9.8" version="0.9.8c"/>
3254 <affects base="0.9.8" version="0.9.8d"/>
3255 <affects base="0.9.8" version="0.9.8e"/>
3256 <affects base="0.9.8" version="0.9.8f"/>
3257 <affects base="0.9.8" version="0.9.8g"/>
3258 <affects base="0.9.8" version="0.9.8h"/>
3259 <affects base="0.9.8" version="0.9.8i"/>
3260 <affects base="0.9.8" version="0.9.8j"/>
3261 <affects base="0.9.8" version="0.9.8k"/>
3262 <affects base="0.9.8" version="0.9.8l"/>
3263 <affects base="0.9.8" version="0.9.8m"/>
3264 <affects base="0.9.8" version="0.9.8n"/>
3265 <affects base="0.9.8" version="0.9.8o"/>
3266 <affects base="0.9.8" version="0.9.8p"/>
3267 <affects base="0.9.8" version="0.9.8q"/>
3268 <affects base="0.9.8" version="0.9.8r"/>
3269 <affects base="0.9.8" version="0.9.8s"/>
3270 <affects base="0.9.8" version="0.9.8t"/>
3271 <affects base="0.9.8" version="0.9.8u"/>
3272 <affects base="0.9.8" version="0.9.8v"/>
3273 <affects base="0.9.8" version="0.9.8w"/>
3274 <affects base="0.9.8" version="0.9.8x"/>
3275 <affects base="0.9.8" version="0.9.8y"/>
3276 <affects base="0.9.8" version="0.9.8za"/>
3277 <affects base="0.9.8" version="0.9.8zb"/>
3278 <affects base="0.9.8" version="0.9.8zc"/>
3279 <affects base="0.9.8" version="0.9.8zd"/>
3280 <affects base="0.9.8" version="0.9.8ze"/>
3281 <affects base="0.9.8" version="0.9.8zf"/>
3282 <affects base="1.0.0" version="1.0.0"/>
3283 <affects base="1.0.0" version="1.0.0a"/>
3284 <affects base="1.0.0" version="1.0.0b"/>
3285 <affects base="1.0.0" version="1.0.0c"/>
3286 <affects base="1.0.0" version="1.0.0d"/>
3287 <affects base="1.0.0" version="1.0.0e"/>
3288 <affects base="1.0.0" version="1.0.0f"/>
3289 <affects base="1.0.0" version="1.0.0g"/>
3290 <affects base="1.0.0" version="1.0.0i"/>
3291 <affects base="1.0.0" version="1.0.0j"/>
3292 <affects base="1.0.0" version="1.0.0k"/>
3293 <affects base="1.0.0" version="1.0.0l"/>
3294 <affects base="1.0.0" version="1.0.0m"/>
3295 <affects base="1.0.0" version="1.0.0n"/>
3296 <affects base="1.0.0" version="1.0.0o"/>
3297 <affects base="1.0.0" version="1.0.0p"/>
3298 <affects base="1.0.0" version="1.0.0q"/>
3299 <affects base="1.0.0" version="1.0.0r"/>
3300 <affects base="1.0.1" version="1.0.1"/>
3301 <affects base="1.0.1" version="1.0.1a"/>
3302 <affects base="1.0.1" version="1.0.1b"/>
3303 <affects base="1.0.1" version="1.0.1c"/>
3304 <affects base="1.0.1" version="1.0.1d"/>
3305 <affects base="1.0.1" version="1.0.1e"/>
3306 <affects base="1.0.1" version="1.0.1f"/>
3307 <affects base="1.0.1" version="1.0.1g"/>
3308 <affects base="1.0.1" version="1.0.1h"/>
3309 <affects base="1.0.1" version="1.0.1i"/>
3310 <affects base="1.0.1" version="1.0.1j"/>
3311 <affects base="1.0.1" version="1.0.1k"/>
3312 <affects base="1.0.1" version="1.0.1l"/>
3313 <affects base="1.0.1" version="1.0.1m"/>
3314 <affects base="1.0.2" version="1.0.2"/>
3315 <affects base="1.0.2" version="1.0.2a"/>
3316 <fixed base="1.0.2" version="1.0.2b" date="20150611"/>
3317 <fixed base="1.0.1" version="1.0.1n" date="20150611"/>
3318 <fixed base="1.0.0" version="1.0.0s" date="20150611"/>
3319 <fixed base="0.9.8" version="0.9.8zg" date="20150611"/>
3322 If a NewSessionTicket is received by a multi-threaded client when attempting to
3323 reuse a previous ticket then a race condition can occur potentially leading to
3324 a double free of the ticket data.
3326 <advisory url="/news/secadv/20150611.txt"/>
3327 <reported source="Emilia Käsper (OpenSSL)"/>
3330 <issue public="20150611">
3331 <cve name="2014-8176"/>
3332 <impact severity="Moderate"/>
3333 <affects base="0.9.8" version="0.9.8"/>
3334 <affects base="0.9.8" version="0.9.8a"/>
3335 <affects base="0.9.8" version="0.9.8b"/>
3336 <affects base="0.9.8" version="0.9.8c"/>
3337 <affects base="0.9.8" version="0.9.8d"/>
3338 <affects base="0.9.8" version="0.9.8e"/>
3339 <affects base="0.9.8" version="0.9.8f"/>
3340 <affects base="0.9.8" version="0.9.8g"/>
3341 <affects base="0.9.8" version="0.9.8h"/>
3342 <affects base="0.9.8" version="0.9.8i"/>
3343 <affects base="0.9.8" version="0.9.8j"/>
3344 <affects base="0.9.8" version="0.9.8k"/>
3345 <affects base="0.9.8" version="0.9.8l"/>
3346 <affects base="0.9.8" version="0.9.8m"/>
3347 <affects base="0.9.8" version="0.9.8n"/>
3348 <affects base="0.9.8" version="0.9.8o"/>
3349 <affects base="0.9.8" version="0.9.8p"/>
3350 <affects base="0.9.8" version="0.9.8q"/>
3351 <affects base="0.9.8" version="0.9.8r"/>
3352 <affects base="0.9.8" version="0.9.8s"/>
3353 <affects base="0.9.8" version="0.9.8t"/>
3354 <affects base="0.9.8" version="0.9.8u"/>
3355 <affects base="0.9.8" version="0.9.8v"/>
3356 <affects base="0.9.8" version="0.9.8w"/>
3357 <affects base="0.9.8" version="0.9.8x"/>
3358 <affects base="0.9.8" version="0.9.8y"/>
3359 <affects base="1.0.0" version="1.0.0"/>
3360 <affects base="1.0.0" version="1.0.0a"/>
3361 <affects base="1.0.0" version="1.0.0b"/>
3362 <affects base="1.0.0" version="1.0.0c"/>
3363 <affects base="1.0.0" version="1.0.0d"/>
3364 <affects base="1.0.0" version="1.0.0e"/>
3365 <affects base="1.0.0" version="1.0.0f"/>
3366 <affects base="1.0.0" version="1.0.0g"/>
3367 <affects base="1.0.0" version="1.0.0i"/>
3368 <affects base="1.0.0" version="1.0.0j"/>
3369 <affects base="1.0.0" version="1.0.0k"/>
3370 <affects base="1.0.0" version="1.0.0l"/>
3371 <affects base="1.0.1" version="1.0.1"/>
3372 <affects base="1.0.1" version="1.0.1a"/>
3373 <affects base="1.0.1" version="1.0.1b"/>
3374 <affects base="1.0.1" version="1.0.1c"/>
3375 <affects base="1.0.1" version="1.0.1d"/>
3376 <affects base="1.0.1" version="1.0.1e"/>
3377 <affects base="1.0.1" version="1.0.1f"/>
3378 <affects base="1.0.1" version="1.0.1g"/>
3379 <fixed base="1.0.1" version="1.0.1h" date="20140605"/>
3380 <fixed base="1.0.0" version="1.0.0m" date="20140605"/>
3381 <fixed base="0.9.8" version="0.9.8za" date="20140605"/>
3383 This vulnerability does not affect current versions of OpenSSL. It
3384 existed in previous OpenSSL versions and was fixed in June 2014.
3386 If a DTLS peer receives application data between the ChangeCipherSpec
3387 and Finished messages, buffering of such data may cause an invalid
3388 free, resulting in a segmentation fault or potentially, memory
3391 <advisory url="/news/secadv/20150611.txt"/>
3392 <reported source="Praveen Kariyanahalli, and subsequently by Ivan Fratric and Felix Groebert (Google)" date="20140328"/>
3394 <issue public="20150319">
3395 <impact severity="High"/>
3396 <cve name="2015-0291"/>
3397 <affects base="1.0.2" version="1.0.2"/>
3398 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
3401 ClientHello sigalgs DoS. If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
3402 invalid signature algorithms extension a NULL pointer dereference will occur.
3403 This can be exploited in a DoS attack against the server.
3405 <advisory url="/news/secadv/20150319.txt"/>
3406 <reported source=" David Ramos (Stanford University)" date="20150226"/>
3409 <issue public="20150319">
3410 <cve name="2015-0290"/>
3411 <impact severity="Moderate"/>
3412 <affects base="1.0.2" version="1.0.2"/>
3413 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
3416 Multiblock corrupted pointer.
3417 OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This feature
3418 only applies on 64 bit x86 architecture platforms that support AES NI
3419 instructions. A defect in the implementation of "multiblock" can cause OpenSSL's
3420 internal write buffer to become incorrectly set to NULL when using non-blocking
3421 IO. Typically, when the user application is using a socket BIO for writing, this
3422 will only result in a failed connection. However if some other BIO is used then
3423 it is likely that a segmentation fault will be triggered, thus enabling a
3424 potential DoS attack.
3426 <advisory url="/news/secadv/20150319.txt"/>
3427 <reported source="Daniel Danner and Rainer Mueller" date="20150213"/>
3430 <issue public="20150319">
3431 <cve name="2015-0207"/>
3432 <impact severity="Moderate"/>
3433 <affects base="1.0.2" version="1.0.2"/>
3434 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
3437 Segmentation fault in DTLSv1_listen.
3438 A defect in the implementation of DTLSv1_listen means that state is preserved in
3439 the SSL object from one invocation to the next that can lead to a segmentation
3440 fault. Errors processing the initial ClientHello can trigger this scenario. An
3441 example of such an error could be that a DTLS1.0 only client is attempting to
3442 connect to a DTLS1.2 only server.
3444 <advisory url="/news/secadv/20150319.txt"/>
3445 <reported source="Per Allansson" date="20150127"/>
3448 <issue public="20150319">
3449 <cve name="2015-0286"/>
3450 <impact severity="Moderate"/>
3451 <affects base="0.9.8" version="0.9.8zd"/>
3452 <affects base="0.9.8" version="0.9.8ze"/>
3453 <affects base="1.0.0" version="1.0.0"/>
3454 <affects base="1.0.0" version="1.0.0a"/>
3455 <affects base="1.0.0" version="1.0.0b"/>
3456 <affects base="1.0.0" version="1.0.0c"/>
3457 <affects base="1.0.0" version="1.0.0d"/>
3458 <affects base="1.0.0" version="1.0.0e"/>
3459 <affects base="1.0.0" version="1.0.0f"/>
3460 <affects base="1.0.0" version="1.0.0g"/>
3461 <affects base="1.0.0" version="1.0.0i"/>
3462 <affects base="1.0.0" version="1.0.0j"/>
3463 <affects base="1.0.0" version="1.0.0k"/>
3464 <affects base="1.0.0" version="1.0.0l"/>
3465 <affects base="1.0.0" version="1.0.0m"/>
3466 <affects base="1.0.0" version="1.0.0n"/>
3467 <affects base="1.0.0" version="1.0.0o"/>
3468 <affects base="1.0.0" version="1.0.0p"/>
3469 <affects base="1.0.0" version="1.0.0q"/>
3470 <affects base="1.0.1" version="1.0.1"/>
3471 <affects base="1.0.1" version="1.0.1a"/>
3472 <affects base="1.0.1" version="1.0.1b"/>
3473 <affects base="1.0.1" version="1.0.1c"/>
3474 <affects base="1.0.1" version="1.0.1d"/>
3475 <affects base="1.0.1" version="1.0.1e"/>
3476 <affects base="1.0.1" version="1.0.1f"/>
3477 <affects base="1.0.1" version="1.0.1g"/>
3478 <affects base="1.0.1" version="1.0.1h"/>
3479 <affects base="1.0.1" version="1.0.1i"/>
3480 <affects base="1.0.1" version="1.0.1j"/>
3481 <affects base="1.0.1" version="1.0.1k"/>
3482 <affects base="1.0.1" version="1.0.1l"/>
3483 <affects base="1.0.2" version="1.0.2"/>
3484 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
3485 <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
3486 <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
3487 <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
3490 Segmentation fault in ASN1_TYPE_cmp.
3491 The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
3492 made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
3493 certificate signature algorithm consistency this can be used to crash any
3494 certificate verification operation and exploited in a DoS attack. Any
3495 application which performs certificate verification is vulnerable including
3496 OpenSSL clients and servers which enable client authentication.
3498 <advisory url="/news/secadv/20150319.txt"/>
3499 <reported source="Stephen Henson (OpenSSL development team)"/>
3502 <issue public="20150319">
3503 <cve name="2015-0208"/>
3504 <impact severity="Moderate"/>
3505 <affects base="1.0.2" version="1.0.2"/>
3506 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
3509 Segmentation fault for invalid PSS parameters.
3510 The signature verification routines will crash with a NULL pointer
3511 dereference if presented with an ASN.1 signature using the RSA PSS
3512 algorithm and invalid parameters. Since these routines are used to verify
3513 certificate signature algorithms this can be used to crash any
3514 certificate verification operation and exploited in a DoS attack. Any
3515 application which performs certificate verification is vulnerable including
3516 OpenSSL clients and servers which enable client authentication.
3518 <advisory url="/news/secadv/20150319.txt"/>
3519 <reported source="Brian Carpenter" date="20150131"/>
3522 <issue public="20150319">
3523 <cve name="2015-0287"/>
3524 <impact severity="Moderate"/>
3525 <affects base="0.9.8" version="0.9.8"/>
3526 <affects base="0.9.8" version="0.9.8a"/>
3527 <affects base="0.9.8" version="0.9.8b"/>
3528 <affects base="0.9.8" version="0.9.8c"/>
3529 <affects base="0.9.8" version="0.9.8d"/>
3530 <affects base="0.9.8" version="0.9.8e"/>
3531 <affects base="0.9.8" version="0.9.8f"/>
3532 <affects base="0.9.8" version="0.9.8g"/>
3533 <affects base="0.9.8" version="0.9.8h"/>
3534 <affects base="0.9.8" version="0.9.8i"/>
3535 <affects base="0.9.8" version="0.9.8j"/>
3536 <affects base="0.9.8" version="0.9.8k"/>
3537 <affects base="0.9.8" version="0.9.8l"/>
3538 <affects base="0.9.8" version="0.9.8m"/>
3539 <affects base="0.9.8" version="0.9.8n"/>
3540 <affects base="0.9.8" version="0.9.8o"/>
3541 <affects base="0.9.8" version="0.9.8p"/>
3542 <affects base="0.9.8" version="0.9.8q"/>
3543 <affects base="0.9.8" version="0.9.8r"/>
3544 <affects base="0.9.8" version="0.9.8s"/>
3545 <affects base="0.9.8" version="0.9.8t"/>
3546 <affects base="0.9.8" version="0.9.8u"/>
3547 <affects base="0.9.8" version="0.9.8v"/>
3548 <affects base="0.9.8" version="0.9.8w"/>
3549 <affects base="0.9.8" version="0.9.8x"/>
3550 <affects base="0.9.8" version="0.9.8y"/>
3551 <affects base="0.9.8" version="0.9.8za"/>
3552 <affects base="0.9.8" version="0.9.8zb"/>
3553 <affects base="0.9.8" version="0.9.8zc"/>
3554 <affects base="0.9.8" version="0.9.8zd"/>
3555 <affects base="0.9.8" version="0.9.8ze"/>
3556 <affects base="1.0.0" version="1.0.0"/>
3557 <affects base="1.0.0" version="1.0.0a"/>
3558 <affects base="1.0.0" version="1.0.0b"/>
3559 <affects base="1.0.0" version="1.0.0c"/>
3560 <affects base="1.0.0" version="1.0.0d"/>
3561 <affects base="1.0.0" version="1.0.0e"/>
3562 <affects base="1.0.0" version="1.0.0f"/>
3563 <affects base="1.0.0" version="1.0.0g"/>
3564 <affects base="1.0.0" version="1.0.0i"/>
3565 <affects base="1.0.0" version="1.0.0j"/>
3566 <affects base="1.0.0" version="1.0.0k"/>
3567 <affects base="1.0.0" version="1.0.0l"/>
3568 <affects base="1.0.0" version="1.0.0m"/>
3569 <affects base="1.0.0" version="1.0.0n"/>
3570 <affects base="1.0.0" version="1.0.0o"/>
3571 <affects base="1.0.0" version="1.0.0p"/>
3572 <affects base="1.0.0" version="1.0.0q"/>
3573 <affects base="1.0.1" version="1.0.1"/>
3574 <affects base="1.0.1" version="1.0.1a"/>
3575 <affects base="1.0.1" version="1.0.1b"/>
3576 <affects base="1.0.1" version="1.0.1c"/>
3577 <affects base="1.0.1" version="1.0.1d"/>
3578 <affects base="1.0.1" version="1.0.1e"/>
3579 <affects base="1.0.1" version="1.0.1f"/>
3580 <affects base="1.0.1" version="1.0.1g"/>
3581 <affects base="1.0.1" version="1.0.1h"/>
3582 <affects base="1.0.1" version="1.0.1i"/>
3583 <affects base="1.0.1" version="1.0.1j"/>
3584 <affects base="1.0.1" version="1.0.1k"/>
3585 <affects base="1.0.1" version="1.0.1l"/>
3586 <affects base="1.0.2" version="1.0.2"/>
3587 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
3588 <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
3589 <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
3590 <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
3593 ASN.1 structure reuse memory corruption.
3594 Reusing a structure in ASN.1 parsing may allow an attacker to cause
3595 memory corruption via an invalid write. Such reuse is and has been
3596 strongly discouraged and is believed to be rare.
3598 <advisory url="/news/secadv/20150319.txt"/>
3599 <reported source="Emilia Käsper (OpenSSL development team)"/>
3602 <issue public="20150319">
3603 <cve name="2015-0289"/>
3604 <impact severity="Moderate"/>
3605 <affects base="0.9.8" version="0.9.8"/>
3606 <affects base="0.9.8" version="0.9.8a"/>
3607 <affects base="0.9.8" version="0.9.8b"/>
3608 <affects base="0.9.8" version="0.9.8c"/>
3609 <affects base="0.9.8" version="0.9.8d"/>
3610 <affects base="0.9.8" version="0.9.8e"/>
3611 <affects base="0.9.8" version="0.9.8f"/>
3612 <affects base="0.9.8" version="0.9.8g"/>
3613 <affects base="0.9.8" version="0.9.8h"/>
3614 <affects base="0.9.8" version="0.9.8i"/>
3615 <affects base="0.9.8" version="0.9.8j"/>
3616 <affects base="0.9.8" version="0.9.8k"/>
3617 <affects base="0.9.8" version="0.9.8l"/>
3618 <affects base="0.9.8" version="0.9.8m"/>
3619 <affects base="0.9.8" version="0.9.8n"/>
3620 <affects base="0.9.8" version="0.9.8o"/>
3621 <affects base="0.9.8" version="0.9.8p"/>
3622 <affects base="0.9.8" version="0.9.8q"/>
3623 <affects base="0.9.8" version="0.9.8r"/>
3624 <affects base="0.9.8" version="0.9.8s"/>
3625 <affects base="0.9.8" version="0.9.8t"/>
3626 <affects base="0.9.8" version="0.9.8u"/>
3627 <affects base="0.9.8" version="0.9.8v"/>
3628 <affects base="0.9.8" version="0.9.8w"/>
3629 <affects base="0.9.8" version="0.9.8x"/>
3630 <affects base="0.9.8" version="0.9.8y"/>
3631 <affects base="0.9.8" version="0.9.8za"/>
3632 <affects base="0.9.8" version="0.9.8zb"/>
3633 <affects base="0.9.8" version="0.9.8zc"/>
3634 <affects base="0.9.8" version="0.9.8zd"/>
3635 <affects base="0.9.8" version="0.9.8ze"/>
3636 <affects base="1.0.0" version="1.0.0"/>
3637 <affects base="1.0.0" version="1.0.0a"/>
3638 <affects base="1.0.0" version="1.0.0b"/>
3639 <affects base="1.0.0" version="1.0.0c"/>
3640 <affects base="1.0.0" version="1.0.0d"/>
3641 <affects base="1.0.0" version="1.0.0e"/>
3642 <affects base="1.0.0" version="1.0.0f"/>
3643 <affects base="1.0.0" version="1.0.0g"/>
3644 <affects base="1.0.0" version="1.0.0i"/>
3645 <affects base="1.0.0" version="1.0.0j"/>
3646 <affects base="1.0.0" version="1.0.0k"/>
3647 <affects base="1.0.0" version="1.0.0l"/>
3648 <affects base="1.0.0" version="1.0.0m"/>
3649 <affects base="1.0.0" version="1.0.0n"/>
3650 <affects base="1.0.0" version="1.0.0o"/>
3651 <affects base="1.0.0" version="1.0.0p"/>
3652 <affects base="1.0.0" version="1.0.0q"/>
3653 <affects base="1.0.1" version="1.0.1"/>
3654 <affects base="1.0.1" version="1.0.1a"/>
3655 <affects base="1.0.1" version="1.0.1b"/>
3656 <affects base="1.0.1" version="1.0.1c"/>
3657 <affects base="1.0.1" version="1.0.1d"/>
3658 <affects base="1.0.1" version="1.0.1e"/>
3659 <affects base="1.0.1" version="1.0.1f"/>
3660 <affects base="1.0.1" version="1.0.1g"/>
3661 <affects base="1.0.1" version="1.0.1h"/>
3662 <affects base="1.0.1" version="1.0.1i"/>
3663 <affects base="1.0.1" version="1.0.1j"/>
3664 <affects base="1.0.1" version="1.0.1k"/>
3665 <affects base="1.0.1" version="1.0.1l"/>
3666 <affects base="1.0.2" version="1.0.2"/>
3667 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
3668 <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
3669 <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
3670 <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
3673 PKCS#7 NULL pointer dereference.
3674 The PKCS#7 parsing code does not handle missing outer ContentInfo correctly.
3675 An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
3676 missing content and trigger a NULL pointer dereference on parsing.
3677 Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
3678 otherwise parse PKCS#7 structures from untrusted sources are
3679 affected. OpenSSL clients and servers are not affected.
3681 <advisory url="/news/secadv/20150319.txt"/>
3682 <reported source="Michal Zalewski (Google)" date="20150216"/>
3685 <issue public="20150319">
3686 <cve name="2015-0292"/>
3687 <impact severity="Moderate"/>
3688 <affects base="0.9.8" version="0.9.8"/>
3689 <affects base="0.9.8" version="0.9.8a"/>
3690 <affects base="0.9.8" version="0.9.8b"/>
3691 <affects base="0.9.8" version="0.9.8c"/>
3692 <affects base="0.9.8" version="0.9.8d"/>
3693 <affects base="0.9.8" version="0.9.8e"/>
3694 <affects base="0.9.8" version="0.9.8f"/>
3695 <affects base="0.9.8" version="0.9.8g"/>
3696 <affects base="0.9.8" version="0.9.8h"/>
3697 <affects base="0.9.8" version="0.9.8i"/>
3698 <affects base="0.9.8" version="0.9.8j"/>
3699 <affects base="0.9.8" version="0.9.8k"/>
3700 <affects base="0.9.8" version="0.9.8l"/>
3701 <affects base="0.9.8" version="0.9.8m"/>
3702 <affects base="0.9.8" version="0.9.8n"/>
3703 <affects base="0.9.8" version="0.9.8o"/>
3704 <affects base="0.9.8" version="0.9.8p"/>
3705 <affects base="0.9.8" version="0.9.8q"/>
3706 <affects base="0.9.8" version="0.9.8r"/>
3707 <affects base="0.9.8" version="0.9.8s"/>
3708 <affects base="0.9.8" version="0.9.8t"/>
3709 <affects base="0.9.8" version="0.9.8u"/>
3710 <affects base="0.9.8" version="0.9.8v"/>
3711 <affects base="0.9.8" version="0.9.8w"/>
3712 <affects base="0.9.8" version="0.9.8x"/>
3713 <affects base="0.9.8" version="0.9.8y"/>
3714 <affects base="1.0.0" version="1.0.0"/>
3715 <affects base="1.0.0" version="1.0.0a"/>
3716 <affects base="1.0.0" version="1.0.0b"/>
3717 <affects base="1.0.0" version="1.0.0c"/>
3718 <affects base="1.0.0" version="1.0.0d"/>
3719 <affects base="1.0.0" version="1.0.0e"/>
3720 <affects base="1.0.0" version="1.0.0f"/>
3721 <affects base="1.0.0" version="1.0.0g"/>
3722 <affects base="1.0.0" version="1.0.0i"/>
3723 <affects base="1.0.0" version="1.0.0j"/>
3724 <affects base="1.0.0" version="1.0.0k"/>
3725 <affects base="1.0.0" version="1.0.0l"/>
3726 <affects base="1.0.1" version="1.0.1"/>
3727 <affects base="1.0.1" version="1.0.1a"/>
3728 <affects base="1.0.1" version="1.0.1b"/>
3729 <affects base="1.0.1" version="1.0.1c"/>
3730 <affects base="1.0.1" version="1.0.1d"/>
3731 <affects base="1.0.1" version="1.0.1e"/>
3732 <affects base="1.0.1" version="1.0.1f"/>
3733 <affects base="1.0.1" version="1.0.1g"/>
3734 <fixed base="1.0.1" version="1.0.1h" date="20140605"/>
3735 <fixed base="1.0.0" version="1.0.0m" date="20140605"/>
3736 <fixed base="0.9.8" version="0.9.8za" date="20140605"/>
3739 A vulnerability existed in previous versions of OpenSSL related to the
3740 processing of base64 encoded data. Any code path that reads base64 data from an
3741 untrusted source could be affected (such as the PEM processing routines).
3742 Maliciously crafted base 64 data could trigger a segmenation fault or memory
3745 <advisory url="/news/secadv/20150319.txt"/>
3746 <reported source="Robert Dugal, also David Ramos, also Huzaifa Sidhpurwala (Red Hat)"/>
3749 <issue public="20150319">
3750 <cve name="2015-0293"/>
3751 <impact severity="Moderate"/>
3752 <affects base="0.9.8" version="0.9.8"/>
3753 <affects base="0.9.8" version="0.9.8a"/>
3754 <affects base="0.9.8" version="0.9.8b"/>
3755 <affects base="0.9.8" version="0.9.8c"/>
3756 <affects base="0.9.8" version="0.9.8d"/>
3757 <affects base="0.9.8" version="0.9.8e"/>
3758 <affects base="0.9.8" version="0.9.8f"/>
3759 <affects base="0.9.8" version="0.9.8g"/>
3760 <affects base="0.9.8" version="0.9.8h"/>
3761 <affects base="0.9.8" version="0.9.8i"/>
3762 <affects base="0.9.8" version="0.9.8j"/>
3763 <affects base="0.9.8" version="0.9.8k"/>
3764 <affects base="0.9.8" version="0.9.8l"/>
3765 <affects base="0.9.8" version="0.9.8m"/>
3766 <affects base="0.9.8" version="0.9.8n"/>
3767 <affects base="0.9.8" version="0.9.8o"/>
3768 <affects base="0.9.8" version="0.9.8p"/>
3769 <affects base="0.9.8" version="0.9.8q"/>
3770 <affects base="0.9.8" version="0.9.8r"/>
3771 <affects base="0.9.8" version="0.9.8s"/>
3772 <affects base="0.9.8" version="0.9.8t"/>
3773 <affects base="0.9.8" version="0.9.8u"/>
3774 <affects base="0.9.8" version="0.9.8v"/>
3775 <affects base="0.9.8" version="0.9.8w"/>
3776 <affects base="0.9.8" version="0.9.8x"/>
3777 <affects base="0.9.8" version="0.9.8y"/>
3778 <affects base="0.9.8" version="0.9.8za"/>
3779 <affects base="0.9.8" version="0.9.8zb"/>
3780 <affects base="0.9.8" version="0.9.8zc"/>
3781 <affects base="0.9.8" version="0.9.8zd"/>
3782 <affects base="0.9.8" version="0.9.8ze"/>
3783 <affects base="1.0.0" version="1.0.0"/>
3784 <affects base="1.0.0" version="1.0.0a"/>
3785 <affects base="1.0.0" version="1.0.0b"/>
3786 <affects base="1.0.0" version="1.0.0c"/>
3787 <affects base="1.0.0" version="1.0.0d"/>
3788 <affects base="1.0.0" version="1.0.0e"/>
3789 <affects base="1.0.0" version="1.0.0f"/>
3790 <affects base="1.0.0" version="1.0.0g"/>
3791 <affects base="1.0.0" version="1.0.0i"/>
3792 <affects base="1.0.0" version="1.0.0j"/>
3793 <affects base="1.0.0" version="1.0.0k"/>
3794 <affects base="1.0.0" version="1.0.0l"/>
3795 <affects base="1.0.0" version="1.0.0m"/>
3796 <affects base="1.0.0" version="1.0.0n"/>
3797 <affects base="1.0.0" version="1.0.0o"/>
3798 <affects base="1.0.0" version="1.0.0p"/>
3799 <affects base="1.0.0" version="1.0.0q"/>
3800 <affects base="1.0.1" version="1.0.1"/>
3801 <affects base="1.0.1" version="1.0.1a"/>
3802 <affects base="1.0.1" version="1.0.1b"/>
3803 <affects base="1.0.1" version="1.0.1c"/>
3804 <affects base="1.0.1" version="1.0.1d"/>
3805 <affects base="1.0.1" version="1.0.1e"/>
3806 <affects base="1.0.1" version="1.0.1f"/>
3807 <affects base="1.0.1" version="1.0.1g"/>
3808 <affects base="1.0.1" version="1.0.1h"/>
3809 <affects base="1.0.1" version="1.0.1i"/>
3810 <affects base="1.0.1" version="1.0.1j"/>
3811 <affects base="1.0.1" version="1.0.1k"/>
3812 <affects base="1.0.1" version="1.0.1l"/>
3813 <affects base="1.0.2" version="1.0.2"/>
3814 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
3815 <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
3816 <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
3817 <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
3820 DoS via reachable assert in SSLv2 servers.
3821 A malicious client can trigger an OPENSSL_assert in
3822 servers that both support SSLv2 and enable export cipher suites by sending
3823 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
3825 <advisory url="/news/secadv/20150319.txt"/>
3826 <reported source="Sean Burford (Google) and Emilia Käsper (OpenSSL development team)"/>
3829 <issue public="20150319">
3830 <impact severity="Moderate"/>
3831 <cve name="2015-1787"/>
3832 <affects base="1.0.2" version="1.0.2"/>
3833 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
3836 Empty CKE with client auth and DHE.
3837 If client auth is used then a server can seg fault in the event of a DHE
3838 ciphersuite being selected and a zero length ClientKeyExchange message being
3839 sent by the client. This could be exploited in a DoS attack.
3841 <advisory url="/news/secadv/20150319.txt"/>
3842 <reported source="Matt Caswell (OpenSSL development team)"/>
3845 <issue public="20150310">
3846 <impact severity="Low"/>
3847 <cve name="2015-0285"/>
3848 <affects base="1.0.2" version="1.0.2"/>
3849 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
3852 Under certain conditions an OpenSSL 1.0.2 client can complete a handshake with
3853 an unseeded PRNG. If the handshake succeeds then the client random that has been used will have
3854 been generated from a PRNG with insufficient entropy and therefore the output
3857 <advisory url="/news/secadv/20150319.txt"/>
3858 <reported source="Matt Caswell (OpenSSL development team)"/>
3861 <issue public="20150319">
3862 <impact severity="Low"/>
3863 <cve name="2015-0209"/>
3864 <affects base="0.9.8" version="0.9.8"/>
3865 <affects base="0.9.8" version="0.9.8a"/>
3866 <affects base="0.9.8" version="0.9.8b"/>
3867 <affects base="0.9.8" version="0.9.8c"/>
3868 <affects base="0.9.8" version="0.9.8d"/>
3869 <affects base="0.9.8" version="0.9.8e"/>
3870 <affects base="0.9.8" version="0.9.8f"/>
3871 <affects base="0.9.8" version="0.9.8g"/>
3872 <affects base="0.9.8" version="0.9.8h"/>
3873 <affects base="0.9.8" version="0.9.8i"/>
3874 <affects base="0.9.8" version="0.9.8j"/>
3875 <affects base="0.9.8" version="0.9.8k"/>
3876 <affects base="0.9.8" version="0.9.8l"/>
3877 <affects base="0.9.8" version="0.9.8m"/>
3878 <affects base="0.9.8" version="0.9.8n"/>
3879 <affects base="0.9.8" version="0.9.8o"/>
3880 <affects base="0.9.8" version="0.9.8p"/>
3881 <affects base="0.9.8" version="0.9.8q"/>
3882 <affects base="0.9.8" version="0.9.8r"/>
3883 <affects base="0.9.8" version="0.9.8s"/>
3884 <affects base="0.9.8" version="0.9.8t"/>
3885 <affects base="0.9.8" version="0.9.8u"/>
3886 <affects base="0.9.8" version="0.9.8v"/>
3887 <affects base="0.9.8" version="0.9.8w"/>
3888 <affects base="0.9.8" version="0.9.8x"/>
3889 <affects base="0.9.8" version="0.9.8y"/>
3890 <affects base="0.9.8" version="0.9.8za"/>
3891 <affects base="0.9.8" version="0.9.8zb"/>
3892 <affects base="0.9.8" version="0.9.8zc"/>
3893 <affects base="0.9.8" version="0.9.8zd"/>
3894 <affects base="0.9.8" version="0.9.8ze"/>
3895 <affects base="1.0.0" version="1.0.0"/>
3896 <affects base="1.0.0" version="1.0.0a"/>
3897 <affects base="1.0.0" version="1.0.0b"/>
3898 <affects base="1.0.0" version="1.0.0c"/>
3899 <affects base="1.0.0" version="1.0.0d"/>
3900 <affects base="1.0.0" version="1.0.0e"/>
3901 <affects base="1.0.0" version="1.0.0f"/>
3902 <affects base="1.0.0" version="1.0.0g"/>
3903 <affects base="1.0.0" version="1.0.0i"/>
3904 <affects base="1.0.0" version="1.0.0j"/>
3905 <affects base="1.0.0" version="1.0.0k"/>
3906 <affects base="1.0.0" version="1.0.0l"/>
3907 <affects base="1.0.0" version="1.0.0m"/>
3908 <affects base="1.0.0" version="1.0.0n"/>
3909 <affects base="1.0.0" version="1.0.0o"/>
3910 <affects base="1.0.0" version="1.0.0p"/>
3911 <affects base="1.0.0" version="1.0.0q"/>
3912 <affects base="1.0.1" version="1.0.1"/>
3913 <affects base="1.0.1" version="1.0.1a"/>
3914 <affects base="1.0.1" version="1.0.1b"/>
3915 <affects base="1.0.1" version="1.0.1c"/>
3916 <affects base="1.0.1" version="1.0.1d"/>
3917 <affects base="1.0.1" version="1.0.1e"/>
3918 <affects base="1.0.1" version="1.0.1f"/>
3919 <affects base="1.0.1" version="1.0.1g"/>
3920 <affects base="1.0.1" version="1.0.1h"/>
3921 <affects base="1.0.1" version="1.0.1i"/>
3922 <affects base="1.0.1" version="1.0.1j"/>
3923 <affects base="1.0.1" version="1.0.1k"/>
3924 <affects base="1.0.1" version="1.0.1l"/>
3925 <affects base="1.0.2" version="1.0.2"/>
3926 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
3927 <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
3928 <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
3929 <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
3932 Use After Free following d2i_ECPrivatekey error.
3933 A malformed EC private key file consumed via the d2i_ECPrivateKey function could
3934 cause a use after free condition. This, in turn, could cause a double
3935 free in several private key parsing functions (such as d2i_PrivateKey
3936 or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
3937 for applications that receive EC private keys from untrusted
3938 sources. This scenario is considered rare.
3940 <advisory url="/news/secadv/20150319.txt"/>
3941 <reported source="The BoringSSL project"/>
3944 <issue public="20150302">
3945 <cve name="2015-0288"/>
3946 <impact severity="Low"/>
3947 <affects base="0.9.8" version="0.9.8"/>
3948 <affects base="0.9.8" version="0.9.8a"/>
3949 <affects base="0.9.8" version="0.9.8b"/>
3950 <affects base="0.9.8" version="0.9.8c"/>
3951 <affects base="0.9.8" version="0.9.8d"/>
3952 <affects base="0.9.8" version="0.9.8e"/>
3953 <affects base="0.9.8" version="0.9.8f"/>
3954 <affects base="0.9.8" version="0.9.8g"/>
3955 <affects base="0.9.8" version="0.9.8h"/>
3956 <affects base="0.9.8" version="0.9.8i"/>
3957 <affects base="0.9.8" version="0.9.8j"/>
3958 <affects base="0.9.8" version="0.9.8k"/>
3959 <affects base="0.9.8" version="0.9.8l"/>
3960 <affects base="0.9.8" version="0.9.8m"/>
3961 <affects base="0.9.8" version="0.9.8n"/>
3962 <affects base="0.9.8" version="0.9.8o"/>
3963 <affects base="0.9.8" version="0.9.8p"/>
3964 <affects base="0.9.8" version="0.9.8q"/>
3965 <affects base="0.9.8" version="0.9.8r"/>
3966 <affects base="0.9.8" version="0.9.8s"/>
3967 <affects base="0.9.8" version="0.9.8t"/>
3968 <affects base="0.9.8" version="0.9.8u"/>
3969 <affects base="0.9.8" version="0.9.8v"/>
3970 <affects base="0.9.8" version="0.9.8w"/>
3971 <affects base="0.9.8" version="0.9.8x"/>
3972 <affects base="0.9.8" version="0.9.8y"/>
3973 <affects base="0.9.8" version="0.9.8za"/>
3974 <affects base="0.9.8" version="0.9.8zb"/>
3975 <affects base="0.9.8" version="0.9.8zc"/>
3976 <affects base="0.9.8" version="0.9.8zd"/>
3977 <affects base="0.9.8" version="0.9.8ze"/>
3978 <affects base="1.0.0" version="1.0.0"/>
3979 <affects base="1.0.0" version="1.0.0a"/>
3980 <affects base="1.0.0" version="1.0.0b"/>
3981 <affects base="1.0.0" version="1.0.0c"/>
3982 <affects base="1.0.0" version="1.0.0d"/>
3983 <affects base="1.0.0" version="1.0.0e"/>
3984 <affects base="1.0.0" version="1.0.0f"/>
3985 <affects base="1.0.0" version="1.0.0g"/>
3986 <affects base="1.0.0" version="1.0.0i"/>
3987 <affects base="1.0.0" version="1.0.0j"/>
3988 <affects base="1.0.0" version="1.0.0k"/>
3989 <affects base="1.0.0" version="1.0.0l"/>
3990 <affects base="1.0.0" version="1.0.0m"/>
3991 <affects base="1.0.0" version="1.0.0n"/>
3992 <affects base="1.0.0" version="1.0.0o"/>
3993 <affects base="1.0.0" version="1.0.0p"/>
3994 <affects base="1.0.0" version="1.0.0q"/>
3995 <affects base="1.0.1" version="1.0.1"/>
3996 <affects base="1.0.1" version="1.0.1a"/>
3997 <affects base="1.0.1" version="1.0.1b"/>
3998 <affects base="1.0.1" version="1.0.1c"/>
3999 <affects base="1.0.1" version="1.0.1d"/>
4000 <affects base="1.0.1" version="1.0.1e"/>
4001 <affects base="1.0.1" version="1.0.1f"/>
4002 <affects base="1.0.1" version="1.0.1g"/>
4003 <affects base="1.0.1" version="1.0.1h"/>
4004 <affects base="1.0.1" version="1.0.1i"/>
4005 <affects base="1.0.1" version="1.0.1j"/>
4006 <affects base="1.0.1" version="1.0.1k"/>
4007 <affects base="1.0.1" version="1.0.1l"/>
4008 <affects base="1.0.2" version="1.0.2"/>
4009 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
4010 <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
4011 <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
4012 <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
4015 X509_to_X509_REQ NULL pointer deref.
4016 The function X509_to_X509_REQ will crash with a NULL pointer dereference if
4017 the certificate key is invalid. This function is rarely used in practice.
4019 <advisory url="/news/secadv/20150319.txt"/>
4020 <reported source="Brian Carpenter"/>
4023 <issue public="20150108">
4024 <cve name="2015-0206"/>
4025 <impact severity="Moderate"/>
4026 <affects base="1.0.0" version="1.0.0"/>
4027 <affects base="1.0.0" version="1.0.0a"/>
4028 <affects base="1.0.0" version="1.0.0b"/>
4029 <affects base="1.0.0" version="1.0.0c"/>
4030 <affects base="1.0.0" version="1.0.0d"/>
4031 <affects base="1.0.0" version="1.0.0e"/>
4032 <affects base="1.0.0" version="1.0.0f"/>
4033 <affects base="1.0.0" version="1.0.0g"/>
4034 <affects base="1.0.0" version="1.0.0i"/>
4035 <affects base="1.0.0" version="1.0.0j"/>
4036 <affects base="1.0.0" version="1.0.0k"/>
4037 <affects base="1.0.0" version="1.0.0l"/>
4038 <affects base="1.0.0" version="1.0.0m"/>
4039 <affects base="1.0.0" version="1.0.0n"/>
4040 <affects base="1.0.0" version="1.0.0o"/>
4041 <affects base="1.0.1" version="1.0.1"/>
4042 <affects base="1.0.1" version="1.0.1a"/>
4043 <affects base="1.0.1" version="1.0.1b"/>
4044 <affects base="1.0.1" version="1.0.1c"/>
4045 <affects base="1.0.1" version="1.0.1d"/>
4046 <affects base="1.0.1" version="1.0.1e"/>
4047 <affects base="1.0.1" version="1.0.1f"/>
4048 <affects base="1.0.1" version="1.0.1g"/>
4049 <affects base="1.0.1" version="1.0.1h"/>
4050 <affects base="1.0.1" version="1.0.1i"/>
4051 <affects base="1.0.1" version="1.0.1j"/>
4052 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
4053 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
4056 A memory leak can occur in the dtls1_buffer_record function under certain
4057 conditions. In particular this could occur if an attacker sent repeated
4058 DTLS records with the same sequence number but for the next epoch. The
4059 memory leak could be exploited by an attacker in a Denial of Service
4060 attack through memory exhaustion.
4062 <advisory url="/news/secadv/20150108.txt"/>
4063 <reported source="Chris Mueller"/>
4066 <issue public="20141021">
4067 <cve name="2014-3569"/>
4068 <impact severity="Low"/>
4069 <affects base="0.9.8" version="0.9.8zc"/>
4070 <affects base="1.0.0" version="1.0.0o"/>
4071 <affects base="1.0.1" version="1.0.1j"/>
4072 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
4073 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
4074 <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>
4077 When openssl is built with the no-ssl3 option and a SSL v3 ClientHello is
4078 received the ssl method would be set to NULL which could later result in
4079 a NULL pointer dereference.
4081 <advisory url="/news/secadv/20150108.txt"/>
4082 <reported source="Frank Schmirler"/>
4085 <issue public="20150105">
4086 <cve name="2014-3572"/>
4087 <impact severity="Low"/>
4088 <affects base="0.9.8" version="0.9.8"/>
4089 <affects base="0.9.8" version="0.9.8a"/>
4090 <affects base="0.9.8" version="0.9.8b"/>
4091 <affects base="0.9.8" version="0.9.8c"/>
4092 <affects base="0.9.8" version="0.9.8d"/>
4093 <affects base="0.9.8" version="0.9.8e"/>
4094 <affects base="0.9.8" version="0.9.8f"/>
4095 <affects base="0.9.8" version="0.9.8g"/>
4096 <affects base="0.9.8" version="0.9.8h"/>
4097 <affects base="0.9.8" version="0.9.8i"/>
4098 <affects base="0.9.8" version="0.9.8j"/>
4099 <affects base="0.9.8" version="0.9.8k"/>
4100 <affects base="0.9.8" version="0.9.8l"/>
4101 <affects base="0.9.8" version="0.9.8m"/>
4102 <affects base="0.9.8" version="0.9.8n"/>
4103 <affects base="0.9.8" version="0.9.8o"/>
4104 <affects base="0.9.8" version="0.9.8p"/>
4105 <affects base="0.9.8" version="0.9.8q"/>
4106 <affects base="0.9.8" version="0.9.8r"/>
4107 <affects base="0.9.8" version="0.9.8s"/>
4108 <affects base="0.9.8" version="0.9.8t"/>
4109 <affects base="0.9.8" version="0.9.8u"/>
4110 <affects base="0.9.8" version="0.9.8v"/>
4111 <affects base="0.9.8" version="0.9.8w"/>
4112 <affects base="0.9.8" version="0.9.8x"/>
4113 <affects base="0.9.8" version="0.9.8y"/>
4114 <affects base="0.9.8" version="0.9.8za"/>
4115 <affects base="0.9.8" version="0.9.8zb"/>
4116 <affects base="0.9.8" version="0.9.8zc"/>
4117 <affects base="1.0.0" version="1.0.0"/>
4118 <affects base="1.0.0" version="1.0.0a"/>
4119 <affects base="1.0.0" version="1.0.0b"/>
4120 <affects base="1.0.0" version="1.0.0c"/>
4121 <affects base="1.0.0" version="1.0.0d"/>
4122 <affects base="1.0.0" version="1.0.0e"/>
4123 <affects base="1.0.0" version="1.0.0f"/>
4124 <affects base="1.0.0" version="1.0.0g"/>
4125 <affects base="1.0.0" version="1.0.0i"/>
4126 <affects base="1.0.0" version="1.0.0j"/>
4127 <affects base="1.0.0" version="1.0.0k"/>
4128 <affects base="1.0.0" version="1.0.0l"/>
4129 <affects base="1.0.0" version="1.0.0m"/>
4130 <affects base="1.0.0" version="1.0.0n"/>
4131 <affects base="1.0.0" version="1.0.0o"/>
4132 <affects base="1.0.1" version="1.0.1"/>
4133 <affects base="1.0.1" version="1.0.1a"/>
4134 <affects base="1.0.1" version="1.0.1b"/>
4135 <affects base="1.0.1" version="1.0.1c"/>
4136 <affects base="1.0.1" version="1.0.1d"/>
4137 <affects base="1.0.1" version="1.0.1e"/>
4138 <affects base="1.0.1" version="1.0.1f"/>
4139 <affects base="1.0.1" version="1.0.1g"/>
4140 <affects base="1.0.1" version="1.0.1h"/>
4141 <affects base="1.0.1" version="1.0.1i"/>
4142 <affects base="1.0.1" version="1.0.1j"/>
4143 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
4144 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
4145 <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>
4148 An OpenSSL client will accept a handshake using an ephemeral ECDH
4149 ciphersuite using an ECDSA certificate if the server key exchange message
4150 is omitted. This effectively removes forward secrecy from the ciphersuite.
4152 <advisory url="/news/secadv/20150108.txt"/>
4153 <reported source="Karthikeyan Bhargavan of the PROSECCO team at INRIA"/>
4156 <issue public="20150105">
4157 <cve name="2014-3571"/>
4158 <impact severity="Moderate"/>
4159 <affects base="0.9.8" version="0.9.8"/>
4160 <affects base="0.9.8" version="0.9.8a"/>
4161 <affects base="0.9.8" version="0.9.8b"/>
4162 <affects base="0.9.8" version="0.9.8c"/>
4163 <affects base="0.9.8" version="0.9.8d"/>
4164 <affects base="0.9.8" version="0.9.8e"/>
4165 <affects base="0.9.8" version="0.9.8f"/>
4166 <affects base="0.9.8" version="0.9.8g"/>
4167 <affects base="0.9.8" version="0.9.8h"/>
4168 <affects base="0.9.8" version="0.9.8i"/>
4169 <affects base="0.9.8" version="0.9.8j"/>
4170 <affects base="0.9.8" version="0.9.8k"/>
4171 <affects base="0.9.8" version="0.9.8l"/>
4172 <affects base="0.9.8" version="0.9.8m"/>
4173 <affects base="0.9.8" version="0.9.8n"/>
4174 <affects base="0.9.8" version="0.9.8o"/>
4175 <affects base="0.9.8" version="0.9.8p"/>
4176 <affects base="0.9.8" version="0.9.8q"/>
4177 <affects base="0.9.8" version="0.9.8r"/>
4178 <affects base="0.9.8" version="0.9.8s"/>
4179 <affects base="0.9.8" version="0.9.8t"/>
4180 <affects base="0.9.8" version="0.9.8u"/>
4181 <affects base="0.9.8" version="0.9.8v"/>
4182 <affects base="0.9.8" version="0.9.8w"/>
4183 <affects base="0.9.8" version="0.9.8x"/>
4184 <affects base="0.9.8" version="0.9.8y"/>
4185 <affects base="0.9.8" version="0.9.8za"/>
4186 <affects base="0.9.8" version="0.9.8zb"/>
4187 <affects base="0.9.8" version="0.9.8zc"/>
4188 <affects base="1.0.0" version="1.0.0"/>
4189 <affects base="1.0.0" version="1.0.0a"/>
4190 <affects base="1.0.0" version="1.0.0b"/>
4191 <affects base="1.0.0" version="1.0.0c"/>
4192 <affects base="1.0.0" version="1.0.0d"/>
4193 <affects base="1.0.0" version="1.0.0e"/>
4194 <affects base="1.0.0" version="1.0.0f"/>
4195 <affects base="1.0.0" version="1.0.0g"/>
4196 <affects base="1.0.0" version="1.0.0i"/>
4197 <affects base="1.0.0" version="1.0.0j"/>
4198 <affects base="1.0.0" version="1.0.0k"/>
4199 <affects base="1.0.0" version="1.0.0l"/>
4200 <affects base="1.0.0" version="1.0.0m"/>
4201 <affects base="1.0.0" version="1.0.0n"/>
4202 <affects base="1.0.0" version="1.0.0o"/>
4203 <affects base="1.0.1" version="1.0.1"/>
4204 <affects base="1.0.1" version="1.0.1a"/>
4205 <affects base="1.0.1" version="1.0.1b"/>
4206 <affects base="1.0.1" version="1.0.1c"/>
4207 <affects base="1.0.1" version="1.0.1d"/>
4208 <affects base="1.0.1" version="1.0.1e"/>
4209 <affects base="1.0.1" version="1.0.1f"/>
4210 <affects base="1.0.1" version="1.0.1g"/>
4211 <affects base="1.0.1" version="1.0.1h"/>
4212 <affects base="1.0.1" version="1.0.1i"/>
4213 <affects base="1.0.1" version="1.0.1j"/>
4214 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
4215 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
4216 <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>
4219 A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due
4220 to a NULL pointer dereference. This could lead to a Denial Of Service attack.
4222 <advisory url="/news/secadv/20150108.txt"/>
4223 <reported source="Markus Stenberg of Cisco Systems, Inc"/>
4226 <issue public="20150106">
4227 <cve name="2015-0204"/>
4228 <impact severity="Low"/>
4229 <affects base="0.9.8" version="0.9.8"/>
4230 <affects base="0.9.8" version="0.9.8a"/>
4231 <affects base="0.9.8" version="0.9.8b"/>
4232 <affects base="0.9.8" version="0.9.8c"/>
4233 <affects base="0.9.8" version="0.9.8d"/>
4234 <affects base="0.9.8" version="0.9.8e"/>
4235 <affects base="0.9.8" version="0.9.8f"/>
4236 <affects base="0.9.8" version="0.9.8g"/>
4237 <affects base="0.9.8" version="0.9.8h"/>
4238 <affects base="0.9.8" version="0.9.8i"/>
4239 <affects base="0.9.8" version="0.9.8j"/>
4240 <affects base="0.9.8" version="0.9.8k"/>
4241 <affects base="0.9.8" version="0.9.8l"/>
4242 <affects base="0.9.8" version="0.9.8m"/>
4243 <affects base="0.9.8" version="0.9.8n"/>
4244 <affects base="0.9.8" version="0.9.8o"/>
4245 <affects base="0.9.8" version="0.9.8p"/>
4246 <affects base="0.9.8" version="0.9.8q"/>
4247 <affects base="0.9.8" version="0.9.8r"/>
4248 <affects base="0.9.8" version="0.9.8s"/>
4249 <affects base="0.9.8" version="0.9.8t"/>
4250 <affects base="0.9.8" version="0.9.8u"/>
4251 <affects base="0.9.8" version="0.9.8v"/>
4252 <affects base="0.9.8" version="0.9.8w"/>
4253 <affects base="0.9.8" version="0.9.8x"/>
4254 <affects base="0.9.8" version="0.9.8y"/>
4255 <affects base="0.9.8" version="0.9.8za"/>
4256 <affects base="0.9.8" version="0.9.8zb"/>
4257 <affects base="0.9.8" version="0.9.8zc"/>
4258 <affects base="1.0.0" version="1.0.0"/>
4259 <affects base="1.0.0" version="1.0.0a"/>
4260 <affects base="1.0.0" version="1.0.0b"/>
4261 <affects base="1.0.0" version="1.0.0c"/>
4262 <affects base="1.0.0" version="1.0.0d"/>
4263 <affects base="1.0.0" version="1.0.0e"/>
4264 <affects base="1.0.0" version="1.0.0f"/>
4265 <affects base="1.0.0" version="1.0.0g"/>
4266 <affects base="1.0.0" version="1.0.0i"/>
4267 <affects base="1.0.0" version="1.0.0j"/>
4268 <affects base="1.0.0" version="1.0.0k"/>
4269 <affects base="1.0.0" version="1.0.0l"/>
4270 <affects base="1.0.0" version="1.0.0m"/>
4271 <affects base="1.0.0" version="1.0.0n"/>
4272 <affects base="1.0.0" version="1.0.0o"/>
4273 <affects base="1.0.1" version="1.0.1"/>
4274 <affects base="1.0.1" version="1.0.1a"/>
4275 <affects base="1.0.1" version="1.0.1b"/>
4276 <affects base="1.0.1" version="1.0.1c"/>
4277 <affects base="1.0.1" version="1.0.1d"/>
4278 <affects base="1.0.1" version="1.0.1e"/>
4279 <affects base="1.0.1" version="1.0.1f"/>
4280 <affects base="1.0.1" version="1.0.1g"/>
4281 <affects base="1.0.1" version="1.0.1h"/>
4282 <affects base="1.0.1" version="1.0.1i"/>
4283 <affects base="1.0.1" version="1.0.1j"/>
4284 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
4285 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
4286 <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>
4289 An OpenSSL client will accept the use of an RSA temporary key in a
4290 non-export RSA key exchange ciphersuite. A server could present a weak
4291 temporary key and downgrade the security of the session.
4293 <advisory url="/news/secadv/20150108.txt"/>
4294 <reported source="Karthikeyan Bhargavan of the PROSECCO team at INRIA"/>
4297 <issue public="20150108">
4298 <cve name="2015-0205"/>
4299 <impact severity="Low"/>
4300 <affects base="1.0.0" version="1.0.0"/>
4301 <affects base="1.0.0" version="1.0.0a"/>
4302 <affects base="1.0.0" version="1.0.0b"/>
4303 <affects base="1.0.0" version="1.0.0c"/>
4304 <affects base="1.0.0" version="1.0.0d"/>
4305 <affects base="1.0.0" version="1.0.0e"/>
4306 <affects base="1.0.0" version="1.0.0f"/>
4307 <affects base="1.0.0" version="1.0.0g"/>
4308 <affects base="1.0.0" version="1.0.0i"/>
4309 <affects base="1.0.0" version="1.0.0j"/>
4310 <affects base="1.0.0" version="1.0.0k"/>
4311 <affects base="1.0.0" version="1.0.0l"/>
4312 <affects base="1.0.0" version="1.0.0m"/>
4313 <affects base="1.0.0" version="1.0.0n"/>
4314 <affects base="1.0.0" version="1.0.0o"/>
4315 <affects base="1.0.1" version="1.0.1"/>
4316 <affects base="1.0.1" version="1.0.1a"/>
4317 <affects base="1.0.1" version="1.0.1b"/>
4318 <affects base="1.0.1" version="1.0.1c"/>
4319 <affects base="1.0.1" version="1.0.1d"/>
4320 <affects base="1.0.1" version="1.0.1e"/>
4321 <affects base="1.0.1" version="1.0.1f"/>
4322 <affects base="1.0.1" version="1.0.1g"/>
4323 <affects base="1.0.1" version="1.0.1h"/>
4324 <affects base="1.0.1" version="1.0.1i"/>
4325 <affects base="1.0.1" version="1.0.1j"/>
4326 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
4327 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
4330 An OpenSSL server will accept a DH certificate for client authentication
4331 without the certificate verify message. This effectively allows a client
4332 to authenticate without the use of a private key. This only affects
4333 servers which trust a client certificate authority which issues
4334 certificates containing DH keys: these are extremely rare and hardly ever
4337 <advisory url="/news/secadv/20150108.txt"/>
4338 <reported source="Karthikeyan Bhargavan of the PROSECCO team at INRIA"/>
4341 <issue public="20150105">
4342 <cve name="2014-8275"/>
4343 <impact severity="Low"/>
4344 <affects base="0.9.8" version="0.9.8"/>
4345 <affects base="0.9.8" version="0.9.8a"/>
4346 <affects base="0.9.8" version="0.9.8b"/>
4347 <affects base="0.9.8" version="0.9.8c"/>
4348 <affects base="0.9.8" version="0.9.8d"/>
4349 <affects base="0.9.8" version="0.9.8e"/>
4350 <affects base="0.9.8" version="0.9.8f"/>
4351 <affects base="0.9.8" version="0.9.8g"/>
4352 <affects base="0.9.8" version="0.9.8h"/>
4353 <affects base="0.9.8" version="0.9.8i"/>
4354 <affects base="0.9.8" version="0.9.8j"/>
4355 <affects base="0.9.8" version="0.9.8k"/>
4356 <affects base="0.9.8" version="0.9.8l"/>
4357 <affects base="0.9.8" version="0.9.8m"/>
4358 <affects base="0.9.8" version="0.9.8n"/>
4359 <affects base="0.9.8" version="0.9.8o"/>
4360 <affects base="0.9.8" version="0.9.8p"/>
4361 <affects base="0.9.8" version="0.9.8q"/>
4362 <affects base="0.9.8" version="0.9.8r"/>
4363 <affects base="0.9.8" version="0.9.8s"/>
4364 <affects base="0.9.8" version="0.9.8t"/>
4365 <affects base="0.9.8" version="0.9.8u"/>
4366 <affects base="0.9.8" version="0.9.8v"/>
4367 <affects base="0.9.8" version="0.9.8w"/>
4368 <affects base="0.9.8" version="0.9.8x"/>
4369 <affects base="0.9.8" version="0.9.8y"/>
4370 <affects base="0.9.8" version="0.9.8za"/>
4371 <affects base="0.9.8" version="0.9.8zb"/>
4372 <affects base="0.9.8" version="0.9.8zc"/>
4373 <affects base="1.0.0" version="1.0.0"/>
4374 <affects base="1.0.0" version="1.0.0a"/>
4375 <affects base="1.0.0" version="1.0.0b"/>
4376 <affects base="1.0.0" version="1.0.0c"/>
4377 <affects base="1.0.0" version="1.0.0d"/>
4378 <affects base="1.0.0" version="1.0.0e"/>
4379 <affects base="1.0.0" version="1.0.0f"/>
4380 <affects base="1.0.0" version="1.0.0g"/>
4381 <affects base="1.0.0" version="1.0.0i"/>
4382 <affects base="1.0.0" version="1.0.0j"/>
4383 <affects base="1.0.0" version="1.0.0k"/>
4384 <affects base="1.0.0" version="1.0.0l"/>
4385 <affects base="1.0.0" version="1.0.0m"/>
4386 <affects base="1.0.0" version="1.0.0n"/>
4387 <affects base="1.0.0" version="1.0.0o"/>
4388 <affects base="1.0.1" version="1.0.1"/>
4389 <affects base="1.0.1" version="1.0.1a"/>
4390 <affects base="1.0.1" version="1.0.1b"/>
4391 <affects base="1.0.1" version="1.0.1c"/>
4392 <affects base="1.0.1" version="1.0.1d"/>
4393 <affects base="1.0.1" version="1.0.1e"/>
4394 <affects base="1.0.1" version="1.0.1f"/>
4395 <affects base="1.0.1" version="1.0.1g"/>
4396 <affects base="1.0.1" version="1.0.1h"/>
4397 <affects base="1.0.1" version="1.0.1i"/>
4398 <affects base="1.0.1" version="1.0.1j"/>
4399 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
4400 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
4401 <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>
4404 OpenSSL accepts several non-DER-variations of certificate signature
4405 algorithm and signature encodings. OpenSSL also does not enforce a
4406 match between the signature algorithm between the signed and unsigned
4407 portions of the certificate. By modifying the contents of the
4408 signature algorithm or the encoding of the signature, it is possible
4409 to change the certificate's fingerprint.
4411 This does not allow an attacker to forge certificates, and does not
4412 affect certificate verification or OpenSSL servers/clients in any other
4413 way. It also does not affect common revocation mechanisms. Only custom
4414 applications that rely on the uniqueness of the fingerprint (e.g.
4415 certificate blacklists) may be affected.
4417 <advisory url="/news/secadv/20150108.txt"/>
4418 <reported source="Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS program/Konrad Kraszewski from Google"/>
4421 <issue public="20150108">
4422 <cve name="2014-3570"/>
4423 <impact severity="Low"/>
4424 <affects base="0.9.8" version="0.9.8"/>
4425 <affects base="0.9.8" version="0.9.8a"/>
4426 <affects base="0.9.8" version="0.9.8b"/>
4427 <affects base="0.9.8" version="0.9.8c"/>
4428 <affects base="0.9.8" version="0.9.8d"/>
4429 <affects base="0.9.8" version="0.9.8e"/>
4430 <affects base="0.9.8" version="0.9.8f"/>
4431 <affects base="0.9.8" version="0.9.8g"/>
4432 <affects base="0.9.8" version="0.9.8h"/>
4433 <affects base="0.9.8" version="0.9.8i"/>
4434 <affects base="0.9.8" version="0.9.8j"/>
4435 <affects base="0.9.8" version="0.9.8k"/>
4436 <affects base="0.9.8" version="0.9.8l"/>
4437 <affects base="0.9.8" version="0.9.8m"/>
4438 <affects base="0.9.8" version="0.9.8n"/>
4439 <affects base="0.9.8" version="0.9.8o"/>
4440 <affects base="0.9.8" version="0.9.8p"/>
4441 <affects base="0.9.8" version="0.9.8q"/>
4442 <affects base="0.9.8" version="0.9.8r"/>
4443 <affects base="0.9.8" version="0.9.8s"/>
4444 <affects base="0.9.8" version="0.9.8t"/>
4445 <affects base="0.9.8" version="0.9.8u"/>
4446 <affects base="0.9.8" version="0.9.8v"/>
4447 <affects base="0.9.8" version="0.9.8w"/>
4448 <affects base="0.9.8" version="0.9.8x"/>
4449 <affects base="0.9.8" version="0.9.8y"/>
4450 <affects base="0.9.8" version="0.9.8za"/>
4451 <affects base="0.9.8" version="0.9.8zb"/>
4452 <affects base="0.9.8" version="0.9.8zc"/>
4453 <affects base="1.0.0" version="1.0.0"/>
4454 <affects base="1.0.0" version="1.0.0a"/>
4455 <affects base="1.0.0" version="1.0.0b"/>
4456 <affects base="1.0.0" version="1.0.0c"/>
4457 <affects base="1.0.0" version="1.0.0d"/>
4458 <affects base="1.0.0" version="1.0.0e"/>
4459 <affects base="1.0.0" version="1.0.0f"/>
4460 <affects base="1.0.0" version="1.0.0g"/>
4461 <affects base="1.0.0" version="1.0.0i"/>
4462 <affects base="1.0.0" version="1.0.0j"/>
4463 <affects base="1.0.0" version="1.0.0k"/>
4464 <affects base="1.0.0" version="1.0.0l"/>
4465 <affects base="1.0.0" version="1.0.0m"/>
4466 <affects base="1.0.0" version="1.0.0n"/>
4467 <affects base="1.0.0" version="1.0.0o"/>
4468 <affects base="1.0.1" version="1.0.1"/>
4469 <affects base="1.0.1" version="1.0.1a"/>
4470 <affects base="1.0.1" version="1.0.1b"/>
4471 <affects base="1.0.1" version="1.0.1c"/>
4472 <affects base="1.0.1" version="1.0.1d"/>
4473 <affects base="1.0.1" version="1.0.1e"/>
4474 <affects base="1.0.1" version="1.0.1f"/>
4475 <affects base="1.0.1" version="1.0.1g"/>
4476 <affects base="1.0.1" version="1.0.1h"/>
4477 <affects base="1.0.1" version="1.0.1i"/>
4478 <affects base="1.0.1" version="1.0.1j"/>
4479 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
4480 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
4481 <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>
4484 Bignum squaring (BN_sqr) may produce incorrect results on some platforms,
4485 including x86_64. This bug occurs at random with a very low probability,
4486 and is not known to be exploitable in any way, though its exact impact is
4487 difficult to determine. The following has been determined:
4489 *) The probability of BN_sqr producing an incorrect result at random is
4490 very low: 1/2^64 on the single affected 32-bit platform (MIPS) and 1/2^128
4491 on affected 64-bit platforms.
4492 *) On most platforms, RSA follows a different code path and RSA operations
4493 are not affected at all. For the remaining platforms (e.g. OpenSSL built
4494 without assembly support), pre-existing countermeasures thwart bug
4496 *) Static ECDH is theoretically affected: it is possible to construct
4497 elliptic curve points that would falsely appear to be on the given curve.
4498 However, there is no known computationally feasible way to construct such
4499 points with low order, and so the security of static ECDH private keys is
4500 believed to be unaffected.
4501 *) Other routines known to be theoretically affected are modular
4502 exponentiation, primality testing, DSA, RSA blinding, JPAKE and SRP. No
4503 exploits are known and straightforward bug attacks fail - either the
4504 attacker cannot control when the bug triggers, or no private key material
4507 <advisory url="/news/secadv/20150108.txt"/>
4508 <reported source="Pieter Wuille (Blockstream)"/>
4511 <issue public="20141015">
4512 <cve name="2014-3513"/>
4513 <impact severity="High"/>
4514 <affects base="1.0.1" version="1.0.1"/>
4515 <affects base="1.0.1" version="1.0.1a"/>
4516 <affects base="1.0.1" version="1.0.1b"/>
4517 <affects base="1.0.1" version="1.0.1c"/>
4518 <affects base="1.0.1" version="1.0.1d"/>
4519 <affects base="1.0.1" version="1.0.1e"/>
4520 <affects base="1.0.1" version="1.0.1f"/>
4521 <affects base="1.0.1" version="1.0.1g"/>
4522 <affects base="1.0.1" version="1.0.1h"/>
4523 <affects base="1.0.1" version="1.0.1i"/>
4524 <fixed base="1.0.1" version="1.0.1j" date="20141015"/>
4526 A flaw in the DTLS SRTP extension parsing code allows an attacker, who
4527 sends a carefully crafted handshake message, to cause OpenSSL to fail
4528 to free up to 64k of memory causing a memory leak. This could be
4529 exploited in a Denial Of Service attack. This issue affects OpenSSL
4530 1.0.1 server implementations for both SSL/TLS and DTLS regardless of
4531 whether SRTP is used or configured. Implementations of OpenSSL that
4532 have been compiled with OPENSSL_NO_SRTP defined are not affected.
4534 <advisory url="/news/secadv/20141015.txt"/>
4535 <reported source="LibreSSL project"/>
4538 <issue public="20141015">
4539 <cve name="2014-3567"/>
4540 <impact severity="Moderate"/>
4541 <affects base="0.9.8" version="0.9.8g"/>
4542 <affects base="0.9.8" version="0.9.8h"/>
4543 <affects base="0.9.8" version="0.9.8i"/>
4544 <affects base="0.9.8" version="0.9.8j"/>
4545 <affects base="0.9.8" version="0.9.8k"/>
4546 <affects base="0.9.8" version="0.9.8l"/>
4547 <affects base="0.9.8" version="0.9.8m"/>
4548 <affects base="0.9.8" version="0.9.8n"/>
4549 <affects base="0.9.8" version="0.9.8o"/>
4550 <affects base="0.9.8" version="0.9.8p"/>
4551 <affects base="0.9.8" version="0.9.8q"/>
4552 <affects base="0.9.8" version="0.9.8r"/>
4553 <affects base="0.9.8" version="0.9.8s"/>
4554 <affects base="0.9.8" version="0.9.8t"/>
4555 <affects base="0.9.8" version="0.9.8u"/>
4556 <affects base="0.9.8" version="0.9.8v"/>
4557 <affects base="0.9.8" version="0.9.8w"/>
4558 <affects base="0.9.8" version="0.9.8x"/>
4559 <affects base="0.9.8" version="0.9.8y"/>
4560 <affects base="0.9.8" version="0.9.8za"/>
4561 <affects base="0.9.8" version="0.9.8zb"/>
4562 <affects base="1.0.0" version="1.0.0"/>
4563 <affects base="1.0.0" version="1.0.0a"/>
4564 <affects base="1.0.0" version="1.0.0b"/>
4565 <affects base="1.0.0" version="1.0.0c"/>
4566 <affects base="1.0.0" version="1.0.0d"/>
4567 <affects base="1.0.0" version="1.0.0e"/>
4568 <affects base="1.0.0" version="1.0.0f"/>
4569 <affects base="1.0.0" version="1.0.0g"/>
4570 <affects base="1.0.0" version="1.0.0i"/>
4571 <affects base="1.0.0" version="1.0.0j"/>
4572 <affects base="1.0.0" version="1.0.0k"/>
4573 <affects base="1.0.0" version="1.0.0l"/>
4574 <affects base="1.0.0" version="1.0.0m"/>
4575 <affects base="1.0.0" version="1.0.0n"/>
4576 <affects base="1.0.1" version="1.0.1"/>
4577 <affects base="1.0.1" version="1.0.1a"/>
4578 <affects base="1.0.1" version="1.0.1b"/>
4579 <affects base="1.0.1" version="1.0.1c"/>
4580 <affects base="1.0.1" version="1.0.1d"/>
4581 <affects base="1.0.1" version="1.0.1e"/>
4582 <affects base="1.0.1" version="1.0.1f"/>
4583 <affects base="1.0.1" version="1.0.1g"/>
4584 <affects base="1.0.1" version="1.0.1h"/>
4585 <affects base="1.0.1" version="1.0.1i"/>
4586 <fixed base="1.0.1" version="1.0.1j" date="20140806"/>
4587 <fixed base="1.0.0" version="1.0.0o" date="20140806"/>
4588 <fixed base="0.9.8" version="0.9.8zc" date="20140806"/>
4590 When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
4591 integrity of that ticket is first verified. In the event of a session
4592 ticket integrity check failing, OpenSSL will fail to free memory
4593 causing a memory leak. By sending a large number of invalid session
4594 tickets an attacker could exploit this issue in a Denial Of Service
4597 <advisory url="/news/secadv/20141015.txt"/>
4599 <issue public="20141015">
4600 <cve name=""/> <!-- this is deliberate -->
4601 <affects base="0.9.8" version="0.9.8"/>
4602 <affects base="0.9.8" version="0.9.8a"/>
4603 <affects base="0.9.8" version="0.9.8b"/>
4604 <affects base="0.9.8" version="0.9.8c"/>
4605 <affects base="0.9.8" version="0.9.8d"/>
4606 <affects base="0.9.8" version="0.9.8e"/>
4607 <affects base="0.9.8" version="0.9.8f"/>
4608 <affects base="0.9.8" version="0.9.8g"/>
4609 <affects base="0.9.8" version="0.9.8h"/>
4610 <affects base="0.9.8" version="0.9.8i"/>
4611 <affects base="0.9.8" version="0.9.8j"/>
4612 <affects base="0.9.8" version="0.9.8k"/>
4613 <affects base="0.9.8" version="0.9.8l"/>
4614 <affects base="0.9.8" version="0.9.8m"/>
4615 <affects base="0.9.8" version="0.9.8n"/>
4616 <affects base="0.9.8" version="0.9.8o"/>
4617 <affects base="0.9.8" version="0.9.8p"/>
4618 <affects base="0.9.8" version="0.9.8q"/>
4619 <affects base="0.9.8" version="0.9.8r"/>
4620 <affects base="0.9.8" version="0.9.8s"/>
4621 <affects base="0.9.8" version="0.9.8t"/>
4622 <affects base="0.9.8" version="0.9.8u"/>
4623 <affects base="0.9.8" version="0.9.8v"/>
4624 <affects base="0.9.8" version="0.9.8w"/>
4625 <affects base="0.9.8" version="0.9.8x"/>
4626 <affects base="0.9.8" version="0.9.8y"/>
4627 <affects base="0.9.8" version="0.9.8za"/>
4628 <affects base="0.9.8" version="0.9.8zb"/>
4629 <affects base="1.0.0" version="1.0.0"/>
4630 <affects base="1.0.0" version="1.0.0a"/>
4631 <affects base="1.0.0" version="1.0.0b"/>
4632 <affects base="1.0.0" version="1.0.0c"/>
4633 <affects base="1.0.0" version="1.0.0d"/>
4634 <affects base="1.0.0" version="1.0.0e"/>
4635 <affects base="1.0.0" version="1.0.0f"/>
4636 <affects base="1.0.0" version="1.0.0g"/>
4637 <affects base="1.0.0" version="1.0.0i"/>
4638 <affects base="1.0.0" version="1.0.0j"/>
4639 <affects base="1.0.0" version="1.0.0k"/>
4640 <affects base="1.0.0" version="1.0.0l"/>
4641 <affects base="1.0.0" version="1.0.0m"/>
4642 <affects base="1.0.0" version="1.0.0n"/>
4643 <affects base="1.0.1" version="1.0.1"/>
4644 <affects base="1.0.1" version="1.0.1a"/>
4645 <affects base="1.0.1" version="1.0.1b"/>
4646 <affects base="1.0.1" version="1.0.1c"/>
4647 <affects base="1.0.1" version="1.0.1d"/>
4648 <affects base="1.0.1" version="1.0.1e"/>
4649 <affects base="1.0.1" version="1.0.1f"/>
4650 <affects base="1.0.1" version="1.0.1g"/>
4651 <affects base="1.0.1" version="1.0.1h"/>
4652 <affects base="1.0.1" version="1.0.1i"/>
4653 <fixed base="1.0.1" version="1.0.1j" date="20140806"/>
4654 <fixed base="1.0.0" version="1.0.0o" date="20140806"/>
4655 <fixed base="0.9.8" version="0.9.8zc" date="20140806"/>
4657 OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
4658 to block the ability for a MITM attacker to force a protocol
4661 Some client applications (such as browsers) will reconnect using a
4662 downgraded protocol to work around interoperability bugs in older
4663 servers. This could be exploited by an active man-in-the-middle to
4664 downgrade connections to SSL 3.0 even if both sides of the connection
4665 support higher protocols. SSL 3.0 contains a number of weaknesses
4666 including POODLE (CVE-2014-3566).
4669 https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 and
4670 https://www.openssl.org/~bodo/ssl-poodle.pdf
4674 <issue public="20141015">
4675 <cve name="2014-3568"/>
4676 <impact severity="Low"/>
4677 <affects base="0.9.8" version="0.9.8"/>
4678 <affects base="0.9.8" version="0.9.8a"/>
4679 <affects base="0.9.8" version="0.9.8b"/>
4680 <affects base="0.9.8" version="0.9.8c"/>
4681 <affects base="0.9.8" version="0.9.8d"/>
4682 <affects base="0.9.8" version="0.9.8e"/>
4683 <affects base="0.9.8" version="0.9.8f"/>
4684 <affects base="0.9.8" version="0.9.8g"/>
4685 <affects base="0.9.8" version="0.9.8h"/>
4686 <affects base="0.9.8" version="0.9.8i"/>
4687 <affects base="0.9.8" version="0.9.8j"/>
4688 <affects base="0.9.8" version="0.9.8k"/>
4689 <affects base="0.9.8" version="0.9.8l"/>
4690 <affects base="0.9.8" version="0.9.8m"/>
4691 <affects base="0.9.8" version="0.9.8n"/>
4692 <affects base="0.9.8" version="0.9.8o"/>
4693 <affects base="0.9.8" version="0.9.8p"/>
4694 <affects base="0.9.8" version="0.9.8q"/>
4695 <affects base="0.9.8" version="0.9.8r"/>
4696 <affects base="0.9.8" version="0.9.8s"/>
4697 <affects base="0.9.8" version="0.9.8t"/>
4698 <affects base="0.9.8" version="0.9.8u"/>
4699 <affects base="0.9.8" version="0.9.8v"/>
4700 <affects base="0.9.8" version="0.9.8w"/>
4701 <affects base="0.9.8" version="0.9.8x"/>
4702 <affects base="0.9.8" version="0.9.8y"/>
4703 <affects base="0.9.8" version="0.9.8za"/>
4704 <affects base="0.9.8" version="0.9.8zb"/>
4705 <affects base="1.0.0" version="1.0.0"/>
4706 <affects base="1.0.0" version="1.0.0a"/>
4707 <affects base="1.0.0" version="1.0.0b"/>
4708 <affects base="1.0.0" version="1.0.0c"/>
4709 <affects base="1.0.0" version="1.0.0d"/>
4710 <affects base="1.0.0" version="1.0.0e"/>
4711 <affects base="1.0.0" version="1.0.0f"/>
4712 <affects base="1.0.0" version="1.0.0g"/>
4713 <affects base="1.0.0" version="1.0.0i"/>
4714 <affects base="1.0.0" version="1.0.0j"/>
4715 <affects base="1.0.0" version="1.0.0k"/>
4716 <affects base="1.0.0" version="1.0.0l"/>
4717 <affects base="1.0.0" version="1.0.0m"/>
4718 <affects base="1.0.0" version="1.0.0n"/>
4719 <affects base="1.0.1" version="1.0.1"/>
4720 <affects base="1.0.1" version="1.0.1a"/>
4721 <affects base="1.0.1" version="1.0.1b"/>
4722 <affects base="1.0.1" version="1.0.1c"/>
4723 <affects base="1.0.1" version="1.0.1d"/>
4724 <affects base="1.0.1" version="1.0.1e"/>
4725 <affects base="1.0.1" version="1.0.1f"/>
4726 <affects base="1.0.1" version="1.0.1g"/>
4727 <affects base="1.0.1" version="1.0.1h"/>
4728 <affects base="1.0.1" version="1.0.1i"/>
4729 <fixed base="1.0.1" version="1.0.1j" date="20140806"/>
4730 <fixed base="1.0.0" version="1.0.0o" date="20140806"/>
4731 <fixed base="0.9.8" version="0.9.8zc" date="20140806"/>
4734 When OpenSSL is configured with "no-ssl3" as a build option, servers
4735 could accept and complete a SSL 3.0 handshake, and clients could be
4736 configured to send them.
4738 <advisory url="/news/secadv/20141015.txt"/>
4739 <reported source="Akamai Technologies"/>
4741 <issue public="20140806">
4742 <cve name="2014-3508"/>
4743 <affects base="0.9.8" version="0.9.8"/>
4744 <affects base="0.9.8" version="0.9.8a"/>
4745 <affects base="0.9.8" version="0.9.8b"/>
4746 <affects base="0.9.8" version="0.9.8c"/>
4747 <affects base="0.9.8" version="0.9.8d"/>
4748 <affects base="0.9.8" version="0.9.8e"/>
4749 <affects base="0.9.8" version="0.9.8f"/>
4750 <affects base="0.9.8" version="0.9.8g"/>
4751 <affects base="0.9.8" version="0.9.8h"/>
4752 <affects base="0.9.8" version="0.9.8i"/>
4753 <affects base="0.9.8" version="0.9.8j"/>
4754 <affects base="0.9.8" version="0.9.8k"/>
4755 <affects base="0.9.8" version="0.9.8l"/>
4756 <affects base="0.9.8" version="0.9.8m"/>
4757 <affects base="0.9.8" version="0.9.8n"/>
4758 <affects base="0.9.8" version="0.9.8o"/>
4759 <affects base="0.9.8" version="0.9.8p"/>
4760 <affects base="0.9.8" version="0.9.8q"/>
4761 <affects base="0.9.8" version="0.9.8r"/>
4762 <affects base="0.9.8" version="0.9.8s"/>
4763 <affects base="0.9.8" version="0.9.8t"/>
4764 <affects base="0.9.8" version="0.9.8u"/>
4765 <affects base="0.9.8" version="0.9.8v"/>
4766 <affects base="0.9.8" version="0.9.8w"/>
4767 <affects base="0.9.8" version="0.9.8x"/>
4768 <affects base="0.9.8" version="0.9.8y"/>
4769 <affects base="0.9.8" version="0.9.8za"/>
4770 <affects base="1.0.0" version="1.0.0"/>
4771 <affects base="1.0.0" version="1.0.0a"/>
4772 <affects base="1.0.0" version="1.0.0b"/>
4773 <affects base="1.0.0" version="1.0.0c"/>
4774 <affects base="1.0.0" version="1.0.0d"/>
4775 <affects base="1.0.0" version="1.0.0e"/>
4776 <affects base="1.0.0" version="1.0.0f"/>
4777 <affects base="1.0.0" version="1.0.0g"/>
4778 <affects base="1.0.0" version="1.0.0i"/>
4779 <affects base="1.0.0" version="1.0.0j"/>
4780 <affects base="1.0.0" version="1.0.0k"/>
4781 <affects base="1.0.0" version="1.0.0l"/>
4782 <affects base="1.0.0" version="1.0.0m"/>
4783 <affects base="1.0.1" version="1.0.1"/>
4784 <affects base="1.0.1" version="1.0.1a"/>
4785 <affects base="1.0.1" version="1.0.1b"/>
4786 <affects base="1.0.1" version="1.0.1c"/>
4787 <affects base="1.0.1" version="1.0.1d"/>
4788 <affects base="1.0.1" version="1.0.1e"/>
4789 <affects base="1.0.1" version="1.0.1f"/>
4790 <affects base="1.0.1" version="1.0.1g"/>
4791 <affects base="1.0.1" version="1.0.1h"/>
4792 <fixed base="1.0.1" version="1.0.1i" date="20140806">
4794 <fixed base="1.0.0" version="1.0.0n" date="20140806">
4796 <fixed base="0.9.8" version="0.9.8zb" date="20140806">
4799 A flaw in OBJ_obj2txt may cause pretty printing functions such as
4800 X509_name_oneline, X509_name_print_ex, to leak some information from the
4801 stack. Applications may be affected if they echo pretty printing output to the
4802 attacker. OpenSSL SSL/TLS clients and servers themselves are not affected.
4804 <advisory url="/news/secadv/20140806.txt"/>
4805 <reported source="Ivan Fratric (Google)"/>
4808 <issue public="20140806">
4809 <cve name="2014-5139"/>
4811 A crash was found affecting SRP ciphersuites used in a Server Hello message.
4812 The issue affects OpenSSL clients and allows a malicious server to crash
4813 the client with a null pointer dereference (read) by specifying an SRP
4814 ciphersuite even though it was not properly negotiated with the client. This
4815 could lead to a Denial of Service.
4817 <affects base="1.0.1" version="1.0.1"/>
4818 <affects base="1.0.1" version="1.0.1a"/>
4819 <affects base="1.0.1" version="1.0.1b"/>
4820 <affects base="1.0.1" version="1.0.1c"/>
4821 <affects base="1.0.1" version="1.0.1d"/>
4822 <affects base="1.0.1" version="1.0.1e"/>
4823 <affects base="1.0.1" version="1.0.1f"/>
4824 <affects base="1.0.1" version="1.0.1g"/>
4825 <affects base="1.0.1" version="1.0.1h"/>
4826 <fixed base="1.0.1" version="1.0.1i" date="20140806">
4828 <advisory url="/news/secadv/20140806.txt"/>
4829 <reported source="Joonas Kuorilehto and Riku Hietamäki (Codenomicon)"/>
4832 <issue public="20140806">
4833 <cve name="2014-3509"/>
4834 <description>A race condition was found in ssl_parse_serverhello_tlsext.
4835 If a multithreaded client connects to a malicious server using a resumed session
4836 and the server sends an ec point format extension, it could write up to 255 bytes
4837 to freed memory.</description>
4838 <affects base="1.0.0" version="1.0.0"/>
4839 <affects base="1.0.0" version="1.0.0a"/>
4840 <affects base="1.0.0" version="1.0.0b"/>
4841 <affects base="1.0.0" version="1.0.0c"/>
4842 <affects base="1.0.0" version="1.0.0d"/>
4843 <affects base="1.0.0" version="1.0.0e"/>
4844 <affects base="1.0.0" version="1.0.0f"/>
4845 <affects base="1.0.0" version="1.0.0g"/>
4846 <affects base="1.0.0" version="1.0.0i"/>
4847 <affects base="1.0.0" version="1.0.0j"/>
4848 <affects base="1.0.0" version="1.0.0k"/>
4849 <affects base="1.0.0" version="1.0.0l"/>
4850 <affects base="1.0.0" version="1.0.0m"/>
4851 <affects base="1.0.1" version="1.0.1"/>
4852 <affects base="1.0.1" version="1.0.1a"/>
4853 <affects base="1.0.1" version="1.0.1b"/>
4854 <affects base="1.0.1" version="1.0.1c"/>
4855 <affects base="1.0.1" version="1.0.1d"/>
4856 <affects base="1.0.1" version="1.0.1e"/>
4857 <affects base="1.0.1" version="1.0.1f"/>
4858 <affects base="1.0.1" version="1.0.1g"/>
4859 <affects base="1.0.1" version="1.0.1h"/>
4860 <fixed base="1.0.1" version="1.0.1i" date="20140806">
4862 <fixed base="1.0.0" version="1.0.0n" date="20140806">
4864 <reported source="Gabor Tyukasz (LogMeIn Inc)"/>
4865 <advisory url="/news/secadv/20140806.txt"/>
4868 <issue public="20140806">
4869 <cve name="2014-3505"/>
4870 <affects base="0.9.8" version="0.9.8m"/>
4871 <affects base="0.9.8" version="0.9.8n"/>
4872 <affects base="0.9.8" version="0.9.8o"/>
4873 <affects base="0.9.8" version="0.9.8p"/>
4874 <affects base="0.9.8" version="0.9.8q"/>
4875 <affects base="0.9.8" version="0.9.8r"/>
4876 <affects base="0.9.8" version="0.9.8s"/>
4877 <affects base="0.9.8" version="0.9.8t"/>
4878 <affects base="0.9.8" version="0.9.8u"/>
4879 <affects base="0.9.8" version="0.9.8v"/>
4880 <affects base="0.9.8" version="0.9.8w"/>
4881 <affects base="0.9.8" version="0.9.8x"/>
4882 <affects base="0.9.8" version="0.9.8y"/>
4883 <affects base="0.9.8" version="0.9.8za"/>
4884 <affects base="1.0.0" version="1.0.0"/>
4885 <affects base="1.0.0" version="1.0.0a"/>
4886 <affects base="1.0.0" version="1.0.0b"/>
4887 <affects base="1.0.0" version="1.0.0c"/>
4888 <affects base="1.0.0" version="1.0.0d"/>
4889 <affects base="1.0.0" version="1.0.0e"/>
4890 <affects base="1.0.0" version="1.0.0f"/>
4891 <affects base="1.0.0" version="1.0.0g"/>
4892 <affects base="1.0.0" version="1.0.0i"/>
4893 <affects base="1.0.0" version="1.0.0j"/>
4894 <affects base="1.0.0" version="1.0.0k"/>
4895 <affects base="1.0.0" version="1.0.0l"/>
4896 <affects base="1.0.0" version="1.0.0m"/>
4897 <affects base="1.0.1" version="1.0.1"/>
4898 <affects base="1.0.1" version="1.0.1a"/>
4899 <affects base="1.0.1" version="1.0.1b"/>
4900 <affects base="1.0.1" version="1.0.1c"/>
4901 <affects base="1.0.1" version="1.0.1d"/>
4902 <affects base="1.0.1" version="1.0.1e"/>
4903 <affects base="1.0.1" version="1.0.1f"/>
4904 <affects base="1.0.1" version="1.0.1g"/>
4905 <affects base="1.0.1" version="1.0.1h"/>
4906 <fixed base="1.0.1" version="1.0.1i" date="20140806">
4908 <fixed base="1.0.0" version="1.0.0n" date="20140806">
4910 <fixed base="0.9.8" version="0.9.8zb" date="20140806">
4913 A Double Free was found when processing DTLS packets.
4914 An attacker can force an error condition which causes openssl to crash whilst
4915 processing DTLS packets due to memory being freed twice. This could lead to a
4916 Denial of Service attack.
4918 <reported source="Adam Langley and Wan-Teh Chang (Google)"/>
4919 <advisory url="/news/secadv/20140806.txt"/>
4922 <issue public="20140806">
4923 <cve name="2014-3506"/>
4924 <affects base="0.9.8" version="0.9.8"/>
4925 <affects base="0.9.8" version="0.9.8a"/>
4926 <affects base="0.9.8" version="0.9.8b"/>
4927 <affects base="0.9.8" version="0.9.8c"/>
4928 <affects base="0.9.8" version="0.9.8d"/>
4929 <affects base="0.9.8" version="0.9.8e"/>
4930 <affects base="0.9.8" version="0.9.8f"/>
4931 <affects base="0.9.8" version="0.9.8g"/>
4932 <affects base="0.9.8" version="0.9.8h"/>
4933 <affects base="0.9.8" version="0.9.8i"/>
4934 <affects base="0.9.8" version="0.9.8j"/>
4935 <affects base="0.9.8" version="0.9.8k"/>
4936 <affects base="0.9.8" version="0.9.8l"/>
4937 <affects base="0.9.8" version="0.9.8m"/>
4938 <affects base="0.9.8" version="0.9.8n"/>
4939 <affects base="0.9.8" version="0.9.8o"/>
4940 <affects base="0.9.8" version="0.9.8p"/>
4941 <affects base="0.9.8" version="0.9.8q"/>
4942 <affects base="0.9.8" version="0.9.8r"/>
4943 <affects base="0.9.8" version="0.9.8s"/>
4944 <affects base="0.9.8" version="0.9.8t"/>
4945 <affects base="0.9.8" version="0.9.8u"/>
4946 <affects base="0.9.8" version="0.9.8v"/>
4947 <affects base="0.9.8" version="0.9.8w"/>
4948 <affects base="0.9.8" version="0.9.8x"/>
4949 <affects base="0.9.8" version="0.9.8y"/>
4950 <affects base="0.9.8" version="0.9.8za"/>
4951 <affects base="1.0.0" version="1.0.0"/>
4952 <affects base="1.0.0" version="1.0.0a"/>
4953 <affects base="1.0.0" version="1.0.0b"/>
4954 <affects base="1.0.0" version="1.0.0c"/>
4955 <affects base="1.0.0" version="1.0.0d"/>
4956 <affects base="1.0.0" version="1.0.0e"/>
4957 <affects base="1.0.0" version="1.0.0f"/>
4958 <affects base="1.0.0" version="1.0.0g"/>
4959 <affects base="1.0.0" version="1.0.0i"/>
4960 <affects base="1.0.0" version="1.0.0j"/>
4961 <affects base="1.0.0" version="1.0.0k"/>
4962 <affects base="1.0.0" version="1.0.0l"/>
4963 <affects base="1.0.0" version="1.0.0m"/>
4964 <affects base="1.0.1" version="1.0.1"/>
4965 <affects base="1.0.1" version="1.0.1a"/>
4966 <affects base="1.0.1" version="1.0.1b"/>
4967 <affects base="1.0.1" version="1.0.1c"/>
4968 <affects base="1.0.1" version="1.0.1d"/>
4969 <affects base="1.0.1" version="1.0.1e"/>
4970 <affects base="1.0.1" version="1.0.1f"/>
4971 <affects base="1.0.1" version="1.0.1g"/>
4972 <affects base="1.0.1" version="1.0.1h"/>
4973 <fixed base="1.0.1" version="1.0.1i" date="20140806">
4975 <fixed base="1.0.0" version="1.0.0n" date="20140806">
4977 <fixed base="0.9.8" version="0.9.8zb" date="20140806">
4980 A DTLS flaw leading to memory exhaustion was found.
4981 An attacker can force openssl to consume large amounts of memory whilst
4982 processing DTLS handshake messages. This could lead to a Denial of
4985 <reported source="Adam Langley (Google)"/>
4986 <advisory url="/news/secadv/20140806.txt"/>
4989 <issue public="20140806">
4990 <cve name="2014-3507"/>
4991 <affects base="0.9.8" version="0.9.8o"/>
4992 <affects base="0.9.8" version="0.9.8p"/>
4993 <affects base="0.9.8" version="0.9.8q"/>
4994 <affects base="0.9.8" version="0.9.8r"/>
4995 <affects base="0.9.8" version="0.9.8s"/>
4996 <affects base="0.9.8" version="0.9.8t"/>
4997 <affects base="0.9.8" version="0.9.8u"/>
4998 <affects base="0.9.8" version="0.9.8v"/>
4999 <affects base="0.9.8" version="0.9.8w"/>
5000 <affects base="0.9.8" version="0.9.8x"/>
5001 <affects base="0.9.8" version="0.9.8y"/>
5002 <affects base="0.9.8" version="0.9.8za"/>
5003 <affects base="1.0.0" version="1.0.0a"/>
5004 <affects base="1.0.0" version="1.0.0b"/>
5005 <affects base="1.0.0" version="1.0.0c"/>
5006 <affects base="1.0.0" version="1.0.0d"/>
5007 <affects base="1.0.0" version="1.0.0e"/>
5008 <affects base="1.0.0" version="1.0.0f"/>
5009 <affects base="1.0.0" version="1.0.0g"/>
5010 <affects base="1.0.0" version="1.0.0i"/>
5011 <affects base="1.0.0" version="1.0.0j"/>
5012 <affects base="1.0.0" version="1.0.0k"/>
5013 <affects base="1.0.0" version="1.0.0l"/>
5014 <affects base="1.0.0" version="1.0.0m"/>
5015 <affects base="1.0.1" version="1.0.1"/>
5016 <affects base="1.0.1" version="1.0.1a"/>
5017 <affects base="1.0.1" version="1.0.1b"/>
5018 <affects base="1.0.1" version="1.0.1c"/>
5019 <affects base="1.0.1" version="1.0.1d"/>
5020 <affects base="1.0.1" version="1.0.1e"/>
5021 <affects base="1.0.1" version="1.0.1f"/>
5022 <affects base="1.0.1" version="1.0.1g"/>
5023 <affects base="1.0.1" version="1.0.1h"/>
5024 <fixed base="1.0.1" version="1.0.1i" date="20140806">
5026 <fixed base="1.0.0" version="1.0.0n" date="20140806">
5028 <fixed base="0.9.8" version="0.9.8zb" date="20140806">
5031 A DTLS memory leak from zero-length fragments was found.
5032 By sending carefully crafted DTLS packets an attacker could cause OpenSSL to
5033 leak memory. This could lead to a Denial of Service attack.
5035 <reported source="Adam Langley (Google)"/>
5036 <advisory url="/news/secadv/20140806.txt"/>
5039 <issue public="20140806">
5040 <cve name="2014-3510"/>
5041 <affects base="0.9.8" version="0.9.8"/>
5042 <affects base="0.9.8" version="0.9.8a"/>
5043 <affects base="0.9.8" version="0.9.8b"/>
5044 <affects base="0.9.8" version="0.9.8c"/>
5045 <affects base="0.9.8" version="0.9.8d"/>
5046 <affects base="0.9.8" version="0.9.8e"/>
5047 <affects base="0.9.8" version="0.9.8f"/>
5048 <affects base="0.9.8" version="0.9.8g"/>
5049 <affects base="0.9.8" version="0.9.8h"/>
5050 <affects base="0.9.8" version="0.9.8i"/>
5051 <affects base="0.9.8" version="0.9.8j"/>
5052 <affects base="0.9.8" version="0.9.8k"/>
5053 <affects base="0.9.8" version="0.9.8l"/>
5054 <affects base="0.9.8" version="0.9.8m"/>
5055 <affects base="0.9.8" version="0.9.8n"/>
5056 <affects base="0.9.8" version="0.9.8o"/>
5057 <affects base="0.9.8" version="0.9.8p"/>
5058 <affects base="0.9.8" version="0.9.8q"/>
5059 <affects base="0.9.8" version="0.9.8r"/>
5060 <affects base="0.9.8" version="0.9.8s"/>
5061 <affects base="0.9.8" version="0.9.8t"/>
5062 <affects base="0.9.8" version="0.9.8u"/>
5063 <affects base="0.9.8" version="0.9.8v"/>
5064 <affects base="0.9.8" version="0.9.8w"/>
5065 <affects base="0.9.8" version="0.9.8x"/>
5066 <affects base="0.9.8" version="0.9.8y"/>
5067 <affects base="0.9.8" version="0.9.8za"/>
5068 <affects base="1.0.0" version="1.0.0"/>
5069 <affects base="1.0.0" version="1.0.0a"/>
5070 <affects base="1.0.0" version="1.0.0b"/>
5071 <affects base="1.0.0" version="1.0.0c"/>
5072 <affects base="1.0.0" version="1.0.0d"/>
5073 <affects base="1.0.0" version="1.0.0e"/>
5074 <affects base="1.0.0" version="1.0.0f"/>
5075 <affects base="1.0.0" version="1.0.0g"/>
5076 <affects base="1.0.0" version="1.0.0i"/>
5077 <affects base="1.0.0" version="1.0.0j"/>
5078 <affects base="1.0.0" version="1.0.0k"/>
5079 <affects base="1.0.0" version="1.0.0l"/>
5080 <affects base="1.0.0" version="1.0.0m"/>
5081 <affects base="1.0.1" version="1.0.1"/>
5082 <affects base="1.0.1" version="1.0.1a"/>
5083 <affects base="1.0.1" version="1.0.1b"/>
5084 <affects base="1.0.1" version="1.0.1c"/>
5085 <affects base="1.0.1" version="1.0.1d"/>
5086 <affects base="1.0.1" version="1.0.1e"/>
5087 <affects base="1.0.1" version="1.0.1f"/>
5088 <affects base="1.0.1" version="1.0.1g"/>
5089 <affects base="1.0.1" version="1.0.1h"/>
5090 <fixed base="1.0.1" version="1.0.1i" date="20140806">
5092 <fixed base="1.0.0" version="1.0.0n" date="20140806">
5094 <fixed base="0.9.8" version="0.9.8zb" date="20140806">
5097 A flaw in handling DTLS anonymous EC(DH) ciphersuites was found.
5098 OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a
5099 denial of service attack. A malicious server can crash the client with a null
5100 pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and
5101 sending carefully crafted handshake messages.
5103 <reported source="Felix Gröbert (Google)"/>
5104 <advisory url="/news/secadv/20140806.txt"/>
5107 <issue public="20140806">
5108 <cve name="2014-3511"/>
5109 <affects base="1.0.1" version="1.0.1"/>
5110 <affects base="1.0.1" version="1.0.1a"/>
5111 <affects base="1.0.1" version="1.0.1b"/>
5112 <affects base="1.0.1" version="1.0.1c"/>
5113 <affects base="1.0.1" version="1.0.1d"/>
5114 <affects base="1.0.1" version="1.0.1e"/>
5115 <affects base="1.0.1" version="1.0.1f"/>
5116 <affects base="1.0.1" version="1.0.1g"/>
5117 <affects base="1.0.1" version="1.0.1h"/>
5118 <fixed base="1.0.1" version="1.0.1i" date="20140806">
5121 A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
5122 TLS 1.0 instead of higher protocol versions when the ClientHello message is
5123 badly fragmented. This allows a man-in-the-middle attacker to force a
5124 downgrade to TLS 1.0 even if both the server and the client support a higher
5125 protocol version, by modifying the client's TLS records.
5127 <reported source="David Benjamin and Adam Langley (Google)"/>
5128 <advisory url="/news/secadv/20140806.txt"/>
5131 <issue public="20140806">
5132 <cve name="2014-3512"/>
5133 <affects base="1.0.1" version="1.0.1"/>
5134 <affects base="1.0.1" version="1.0.1a"/>
5135 <affects base="1.0.1" version="1.0.1b"/>
5136 <affects base="1.0.1" version="1.0.1c"/>
5137 <affects base="1.0.1" version="1.0.1d"/>
5138 <affects base="1.0.1" version="1.0.1e"/>
5139 <affects base="1.0.1" version="1.0.1f"/>
5140 <affects base="1.0.1" version="1.0.1g"/>
5141 <affects base="1.0.1" version="1.0.1h"/>
5142 <fixed base="1.0.1" version="1.0.1i" date="20140806">
5145 A SRP buffer overrun was found.
5146 A malicious client or server can send invalid SRP parameters and overrun
5147 an internal buffer. Only applications which are explicitly set up for SRP
5150 <reported source="Sean Devlin and Watson Ladd (Cryptography Services, NCC Group)"/>
5151 <advisory url="/news/secadv/20140806.txt"/>
5154 <issue public="20020730">
5155 <cve name="2002-0655"/>
5156 <affects base="0.9.6" version="0.9.6"/>
5157 <affects base="0.9.6" version="0.9.6a"/>
5158 <affects base="0.9.6" version="0.9.6b"/>
5159 <affects base="0.9.6" version="0.9.6c"/>
5160 <affects base="0.9.6" version="0.9.6d"/>
5161 <fixed base="0.9.6" version="0.9.6e" date="20020730"/>
5162 <advisory url="/news/secadv/20020730.txt"/>
5163 <reported source="OpenSSL Group (A.L. Digital)"/>
5165 Inproper handling of ASCII representations of integers on
5166 64 bit platforms allowed remote attackers to cause a denial of
5167 service or possibly execute arbitrary code.
5171 <issue public="20020730">
5172 <cve name="2002-0656"/>
5173 <affects base="0.9.6" version="0.9.6"/>
5174 <affects base="0.9.6" version="0.9.6a"/>
5175 <affects base="0.9.6" version="0.9.6b"/>
5176 <affects base="0.9.6" version="0.9.6c"/>
5177 <affects base="0.9.6" version="0.9.6d"/>
5178 <fixed base="0.9.6" version="0.9.6e" date="20020730"/>
5179 <advisory url="/news/secadv/20020730.txt"/>
5180 <reported source="OpenSSL Group (A.L. Digital)"/>
5182 A buffer overflow allowed remote attackers to execute
5183 arbitrary code by sending a large client master key in SSL2 or a
5184 large session ID in SSL3.
5188 <issue public="20020730">
5189 <cve name="2002-0657"/>
5190 <advisory url="/news/secadv/20020730.txt"/>
5191 <affects base="0.9.7" version="0.9.7-beta3"/>
5192 <fixed base="0.9.7" version="0.9.7" date="20021210"/>
5193 <reported source="OpenSSL Group (A.L. Digital)"/>
5195 A buffer overflow when Kerberos is enabled allowed attackers
5196 to execute arbitrary code by sending a long master key. Note that this
5197 flaw did not affect any released version of 0.9.6 or 0.9.7
5201 <issue public="20020730">
5202 <cve name="2002-0659"/>
5203 <advisory url="/news/secadv/20020730.txt"/>
5204 <affects base="0.9.6" version="0.9.6a"/>
5205 <affects base="0.9.6" version="0.9.6b"/>
5206 <affects base="0.9.6" version="0.9.6c"/>
5207 <affects base="0.9.6" version="0.9.6d"/>
5208 <fixed base="0.9.6" version="0.9.6e" date="20020730"/>
5210 A flaw in the ASN1 library allowed remote attackers to cause a denial of
5211 service by sending invalid encodings.
5215 <issue public="20020808">
5216 <cve name="2002-1568"/>
5217 <affects base="0.9.6" version="0.9.6e"/>
5218 <fixed base="0.9.6" version="0.9.6f" date="20020808">
5219 <git hash="517a0e7fa0f5453c860a3aec17b678bd55d5aad7"/>
5222 The use of assertions when detecting buffer overflow attacks
5223 allowed remote attackers to cause a denial of service (crash) by
5224 sending certain messages to cause
5225 OpenSSL to abort from a failed assertion, as demonstrated using SSLv2
5226 CLIENT_MASTER_KEY messages, which were not properly handled in
5231 <issue public="20030219">
5232 <cve name="2003-0078"/>
5233 <affects base="0.9.7" version="0.9.7"/>
5234 <affects base="0.9.6" version="0.9.6"/>
5235 <affects base="0.9.6" version="0.9.6a"/>
5236 <affects base="0.9.6" version="0.9.6b"/>
5237 <affects base="0.9.6" version="0.9.6c"/>
5238 <affects base="0.9.6" version="0.9.6d"/>
5239 <affects base="0.9.6" version="0.9.6e"/>
5240 <affects base="0.9.6" version="0.9.6f"/>
5241 <affects base="0.9.6" version="0.9.6g"/>
5242 <affects base="0.9.6" version="0.9.6h"/>
5243 <fixed base="0.9.7" version="0.9.7a" date="20030219"/>
5244 <fixed base="0.9.6" version="0.9.6i" date="20030219"/>
5245 <advisory url="/news/secadv/20030219.txt"/>
5247 sl3_get_record in s3_pkt.c did not perform a MAC computation if an
5248 incorrect block cipher padding was used, causing an information leak
5249 (timing discrepancy) that may make it easier to launch cryptographic
5250 attacks that rely on distinguishing between padding and MAC
5251 verification errors, possibly leading to extraction of the original
5252 plaintext, aka the "Vaudenay timing attack."
5256 <issue public="20030319">
5257 <cve name="2003-0131"/>
5258 <affects base="0.9.6" version="0.9.6"/>
5259 <affects base="0.9.6" version="0.9.6a"/>
5260 <affects base="0.9.6" version="0.9.6b"/>
5261 <affects base="0.9.6" version="0.9.6c"/>
5262 <affects base="0.9.6" version="0.9.6d"/>
5263 <affects base="0.9.6" version="0.9.6e"/>
5264 <affects base="0.9.6" version="0.9.6f"/>
5265 <affects base="0.9.6" version="0.9.6g"/>
5266 <affects base="0.9.6" version="0.9.6h"/>
5267 <affects base="0.9.6" version="0.9.6i"/>
5268 <affects base="0.9.7" version="0.9.7"/>
5269 <affects base="0.9.7" version="0.9.7a"/>
5270 <fixed base="0.9.6" version="0.9.6j" date="20030410"/>
5271 <fixed base="0.9.7" version="0.9.7b" date="20030410"/>
5272 <advisory url="/news/secadv/20030319.txt"/>
5274 The SSL and TLS components allowed remote attackers to perform an
5275 unauthorized RSA private key operation via a modified Bleichenbacher
5276 attack that uses a large number of SSL or TLS connections using PKCS #1
5277 v1.5 padding that caused OpenSSL to leak information regarding the
5278 relationship between ciphertext and the associated plaintext, aka the
5279 "Klima-Pokorny-Rosa attack"
5283 <issue public="20030314">
5284 <cve name="2003-0147"/>
5285 <affects base="0.9.6" version="0.9.6"/>
5286 <affects base="0.9.6" version="0.9.6a"/>
5287 <affects base="0.9.6" version="0.9.6b"/>
5288 <affects base="0.9.6" version="0.9.6c"/>
5289 <affects base="0.9.6" version="0.9.6d"/>
5290 <affects base="0.9.6" version="0.9.6e"/>
5291 <affects base="0.9.6" version="0.9.6f"/>
5292 <affects base="0.9.6" version="0.9.6g"/>
5293 <affects base="0.9.6" version="0.9.6h"/>
5294 <affects base="0.9.6" version="0.9.6i"/>
5295 <affects base="0.9.7" version="0.9.7"/>
5296 <affects base="0.9.7" version="0.9.7a"/>
5297 <advisory url="/news/secadv/20030317.txt"/>
5298 <fixed base="0.9.7" version="0.9.7b" date="20030410"/>
5299 <fixed base="0.9.6" version="0.9.6j" date="20030410"/>
5301 RSA blinding was not enabled by default, which could allow local and
5302 remote attackers to obtain a server's private key by determining
5303 factors using timing differences on (1) the number of extra reductions
5304 during Montgomery reduction, and (2) the use of different integer
5305 multiplication algorithms ("Karatsuba" and normal).
5309 <issue public="20030930">
5310 <cve name="2003-0543"/>
5311 <affects base="0.9.6" version="0.9.6"/>
5312 <affects base="0.9.6" version="0.9.6a"/>
5313 <affects base="0.9.6" version="0.9.6b"/>
5314 <affects base="0.9.6" version="0.9.6c"/>
5315 <affects base="0.9.6" version="0.9.6d"/>
5316 <affects base="0.9.6" version="0.9.6e"/>
5317 <affects base="0.9.6" version="0.9.6f"/>
5318 <affects base="0.9.6" version="0.9.6g"/>
5319 <affects base="0.9.6" version="0.9.6h"/>
5320 <affects base="0.9.6" version="0.9.6i"/>
5321 <affects base="0.9.6" version="0.9.6j"/>
5322 <affects base="0.9.7" version="0.9.7"/>
5323 <affects base="0.9.7" version="0.9.7a"/>
5324 <affects base="0.9.7" version="0.9.7b"/>
5325 <fixed base="0.9.7" version="0.9.7c" date="20030930"/>
5326 <fixed base="0.9.6" version="0.9.6k" date="20030930"/>
5327 <advisory url="/news/secadv/20030930.txt"/>
5328 <reported source="NISCC"/>
5330 An integer overflow could allow remote attackers to cause a denial of
5331 service (crash) via an SSL client certificate with certain ASN.1 tag
5336 <issue public="20030930">
5337 <cve name="2003-0544"/>
5338 <affects base="0.9.7" version="0.9.7"/>
5339 <affects base="0.9.7" version="0.9.7a"/>
5340 <affects base="0.9.7" version="0.9.7b"/>
5341 <affects base="0.9.6" version="0.9.6"/>
5342 <affects base="0.9.6" version="0.9.6a"/>
5343 <affects base="0.9.6" version="0.9.6b"/>
5344 <affects base="0.9.6" version="0.9.6c"/>
5345 <affects base="0.9.6" version="0.9.6d"/>
5346 <affects base="0.9.6" version="0.9.6e"/>
5347 <affects base="0.9.6" version="0.9.6f"/>
5348 <affects base="0.9.6" version="0.9.6g"/>
5349 <affects base="0.9.6" version="0.9.6h"/>
5350 <affects base="0.9.6" version="0.9.6i"/>
5351 <affects base="0.9.6" version="0.9.6j"/>
5352 <fixed base="0.9.6" version="0.9.6k" date="20030930"/>
5353 <fixed base="0.9.7" version="0.9.7c" date="20030930"/>
5354 <advisory url="/news/secadv/20030930.txt"/>
5355 <reported source="NISCC"/>
5357 Incorrect tracking of the number of characters in certain
5358 ASN.1 inputs could allow remote attackers to cause a denial of
5359 service (crash) by sending an SSL client certificate that causes OpenSSL to
5360 read past the end of a buffer when the long form is used.
5364 <issue public="20030930">
5365 <cve name="2003-0545"/>
5366 <affects base="0.9.7" version="0.9.7"/>
5367 <affects base="0.9.7" version="0.9.7a"/>
5368 <affects base="0.9.7" version="0.9.7b"/>
5369 <fixed base="0.9.7" version="0.9.7c" date="20030930"/>
5370 <advisory url="/news/secadv/20030930.txt"/>
5371 <reported source="NISCC"/>
5373 Certain ASN.1 encodings that were rejected as invalid by the parser could
5374 trigger a bug in the deallocation of the corresponding data structure,
5375 corrupting the stack, leading to a crash.
5379 <issue public="20031104">
5380 <cve name="2003-0851"/>
5381 <affects base="0.9.6" version="0.9.6k"/>
5382 <fixed base="0.9.6" version="0.9.6l" date="20031104"/>
5383 <advisory url="/news/secadv/20031104.txt"/>
5384 <reported source="Novell"/>
5386 A flaw in OpenSSL 0.9.6k (only) would cause certain ASN.1 sequences to
5387 trigger a large recursion. On platforms such as Windows this large
5388 recursion cannot be handled correctly and so the bug causes OpenSSL to
5389 crash. A remote attacker could exploit this flaw if they can send
5390 arbitrary ASN.1 sequences which would cause OpenSSL to crash. This
5391 could be performed for example by sending a client certificate to a
5392 SSL/TLS enabled server which is configured to accept them.
5396 <issue public="20040317">
5397 <cve name="2004-0079"/>
5398 <affects base="0.9.6" version="0.9.6c"/>
5399 <affects base="0.9.6" version="0.9.6d"/>
5400 <affects base="0.9.6" version="0.9.6e"/>
5401 <affects base="0.9.6" version="0.9.6f"/>
5402 <affects base="0.9.6" version="0.9.6g"/>
5403 <affects base="0.9.6" version="0.9.6h"/>
5404 <affects base="0.9.6" version="0.9.6i"/>
5405 <affects base="0.9.6" version="0.9.6j"/>
5406 <affects base="0.9.6" version="0.9.6k"/>
5407 <affects base="0.9.6" version="0.9.6l"/>
5408 <affects base="0.9.7" version="0.9.7"/>
5409 <affects base="0.9.7" version="0.9.7a"/>
5410 <affects base="0.9.7" version="0.9.7b"/>
5411 <affects base="0.9.7" version="0.9.7c"/>
5412 <fixed base="0.9.7" version="0.9.7d" date="20040317"/>
5413 <fixed base="0.9.6" version="0.9.6m" date="20040317"/>
5414 <advisory url="/news/secadv/20040317.txt"/>
5415 <reported source="OpenSSL group"/>
5417 The Codenomicon TLS Test Tool uncovered a null-pointer assignment in the
5418 do_change_cipher_spec() function. A remote attacker could perform a
5419 carefully crafted SSL/TLS handshake against a server that used the
5420 OpenSSL library in such a way as to cause a crash.
5424 <issue public="20040317">
5425 <cve name="2004-0081"/>
5426 <affects base="0.9.6" version="0.9.6"/>
5427 <affects base="0.9.6" version="0.9.6a"/>
5428 <affects base="0.9.6" version="0.9.6b"/>
5429 <affects base="0.9.6" version="0.9.6c"/>
5430 <fixed base="0.9.6" version="0.9.6d" date="20020603"/> <!-- guessed date -->
5432 <advisory url="/news/secadv/20030317.txt"/>
5433 <reported source="OpenSSL group"/>
5435 The Codenomicon TLS Test Tool found that some unknown message types
5436 were handled incorrectly, allowing a remote attacker to cause a denial
5437 of service (infinite loop).
5441 <issue public="20040317">
5442 <cve name="2004-0112"/>
5443 <affects base="0.9.7" version="0.9.7a"/>
5444 <affects base="0.9.7" version="0.9.7b"/>
5445 <affects base="0.9.7" version="0.9.7c"/>
5446 <fixed base="0.9.7" version="0.9.7d" date="20040317"/>
5447 <reported source="OpenSSL group (Stephen Henson)"/>
5448 <advisory url="/news/secadv/20040317.txt"/>
5450 A flaw in SSL/TLS handshaking code when using Kerberos ciphersuites.
5451 A remote attacker could perform a carefully crafted SSL/TLS handshake
5452 against a server configured to use Kerberos ciphersuites in such a way
5453 as to cause OpenSSL to crash. Most applications have no ability to
5454 use Kerberos ciphersuites and will therefore be unaffected.
5458 <issue public="20040930">
5459 <cve name="2004-0975"/>
5460 <affects base="0.9.7" version="0.9.7"/>
5461 <affects base="0.9.7" version="0.9.7a"/>
5462 <affects base="0.9.7" version="0.9.7b"/>
5463 <affects base="0.9.7" version="0.9.7c"/>
5464 <affects base="0.9.7" version="0.9.7d"/>
5465 <affects base="0.9.7" version="0.9.7e"/>
5466 <affects base="0.9.6" version="0.9.6"/>
5467 <affects base="0.9.6" version="0.9.6a"/>
5468 <affects base="0.9.6" version="0.9.6b"/>
5469 <affects base="0.9.6" version="0.9.6c"/>
5470 <affects base="0.9.6" version="0.9.6d"/>
5471 <affects base="0.9.6" version="0.9.6e"/>
5472 <affects base="0.9.6" version="0.9.6f"/>
5473 <affects base="0.9.6" version="0.9.6g"/>
5474 <affects base="0.9.6" version="0.9.6h"/>
5475 <affects base="0.9.6" version="0.9.6i"/>
5476 <affects base="0.9.6" version="0.9.6j"/>
5477 <affects base="0.9.6" version="0.9.6k"/>
5478 <affects base="0.9.6" version="0.9.6l"/>
5479 <affects base="0.9.6" version="0.9.6m"/>
5480 <fixed base="0.9.7" version="0.9.7f" date="20050322">
5481 <git hash="5fee606442a6738fd06a756d7076be53b7b7734c"/>
5483 <fixed base="0.9.6" version="0.9.6-cvs" date="20041114"/>
5484 <!-- der_chop was removed 20041114 -->
5487 The der_chop script created temporary files insecurely which could
5488 allow local users to overwrite files via a symlink attack on temporary
5489 files. Note that it is quite unlikely that a user would be using the
5490 redundant der_chop script, and this script was removed from the OpenSSL
5495 <issue public="20051011">
5496 <cve name="2005-2969"/>
5497 <affects base="0.9.7" version="0.9.7"/>
5498 <affects base="0.9.7" version="0.9.7a"/>
5499 <affects base="0.9.7" version="0.9.7b"/>
5500 <affects base="0.9.7" version="0.9.7c"/>
5501 <affects base="0.9.7" version="0.9.7d"/>
5502 <affects base="0.9.7" version="0.9.7e"/>
5503 <affects base="0.9.7" version="0.9.7f"/>
5504 <affects base="0.9.7" version="0.9.7g"/>
5505 <affects base="0.9.8" version="0.9.8"/>
5506 <affects base="0.9.6" version="0.9.6"/>
5507 <affects base="0.9.6" version="0.9.6a"/>
5508 <affects base="0.9.6" version="0.9.6b"/>
5509 <affects base="0.9.6" version="0.9.6c"/>
5510 <affects base="0.9.6" version="0.9.6d"/>
5511 <affects base="0.9.6" version="0.9.6e"/>
5512 <affects base="0.9.6" version="0.9.6f"/>
5513 <affects base="0.9.6" version="0.9.6g"/>
5514 <affects base="0.9.6" version="0.9.6h"/>
5515 <affects base="0.9.6" version="0.9.6i"/>
5516 <affects base="0.9.6" version="0.9.6j"/>
5517 <affects base="0.9.6" version="0.9.6k"/>
5518 <affects base="0.9.6" version="0.9.6l"/>
5519 <affects base="0.9.6" version="0.9.6m"/>
5520 <fixed base="0.9.7" version="0.9.7h" date="20051011"/>
5521 <fixed base="0.9.8" version="0.9.8a" date="20051011"/>
5523 <advisory url="/news/secadv/20051011.txt"/>
5524 <reported source="researcher"/>
5527 A deprecated option, SSL_OP_MISE_SSLV2_RSA_PADDING, could allow an
5528 attacker acting as a "man in the middle" to force a connection to
5529 downgrade to SSL 2.0 even if both parties support better protocols.
5533 <issue public="20060905">
5534 <cve name="2006-4339"/>
5535 <affects base="0.9.7" version="0.9.7"/>
5536 <affects base="0.9.7" version="0.9.7a"/>
5537 <affects base="0.9.7" version="0.9.7b"/>
5538 <affects base="0.9.7" version="0.9.7c"/>
5539 <affects base="0.9.7" version="0.9.7d"/>
5540 <affects base="0.9.7" version="0.9.7e"/>
5541 <affects base="0.9.7" version="0.9.7f"/>
5542 <affects base="0.9.7" version="0.9.7g"/>
5543 <affects base="0.9.7" version="0.9.7h"/>
5544 <affects base="0.9.7" version="0.9.7i"/>
5545 <affects base="0.9.7" version="0.9.7j"/>
5546 <affects base="0.9.8" version="0.9.8"/>
5547 <affects base="0.9.8" version="0.9.8a"/>
5548 <affects base="0.9.8" version="0.9.8b"/>
5549 <affects base="0.9.6" version="0.9.6"/>
5550 <affects base="0.9.6" version="0.9.6a"/>
5551 <affects base="0.9.6" version="0.9.6b"/>
5552 <affects base="0.9.6" version="0.9.6c"/>
5553 <affects base="0.9.6" version="0.9.6d"/>
5554 <affects base="0.9.6" version="0.9.6e"/>
5555 <affects base="0.9.6" version="0.9.6f"/>
5556 <affects base="0.9.6" version="0.9.6g"/>
5557 <affects base="0.9.6" version="0.9.6h"/>
5558 <affects base="0.9.6" version="0.9.6i"/>
5559 <affects base="0.9.6" version="0.9.6j"/>
5560 <affects base="0.9.6" version="0.9.6k"/>
5561 <affects base="0.9.6" version="0.9.6l"/>
5562 <affects base="0.9.6" version="0.9.6m"/>
5563 <fixed base="0.9.7" version="0.9.7k" date="20060905"/>
5564 <fixed base="0.9.8" version="0.9.8c" date="20060905"/>
5566 <advisory url="/news/secadv/20060905.txt"/>
5567 <reported source="openssl"/>
5570 Daniel Bleichenbacher discovered an attack on PKCS #1 v1.5
5571 signatures where under certain circumstances it may be possible
5572 for an attacker to forge a PKCS #1 v1.5 signature that would be incorrectly
5573 verified by OpenSSL.
5577 <issue public="20060928">
5578 <cve name="2006-2937"/>
5579 <affects base="0.9.7" version="0.9.7"/>
5580 <affects base="0.9.7" version="0.9.7a"/>
5581 <affects base="0.9.7" version="0.9.7b"/>
5582 <affects base="0.9.7" version="0.9.7c"/>
5583 <affects base="0.9.7" version="0.9.7d"/>
5584 <affects base="0.9.7" version="0.9.7e"/>
5585 <affects base="0.9.7" version="0.9.7f"/>
5586 <affects base="0.9.7" version="0.9.7g"/>
5587 <affects base="0.9.7" version="0.9.7h"/>
5588 <affects base="0.9.7" version="0.9.7i"/>
5589 <affects base="0.9.7" version="0.9.7j"/>
5590 <affects base="0.9.7" version="0.9.7k"/>
5591 <affects base="0.9.8" version="0.9.8"/>
5592 <affects base="0.9.8" version="0.9.8a"/>
5593 <affects base="0.9.8" version="0.9.8b"/>
5594 <affects base="0.9.8" version="0.9.8c"/>
5595 <fixed base="0.9.7" version="0.9.7l" date="20060928"/>
5596 <fixed base="0.9.8" version="0.9.8d" date="20060928"/>
5598 <advisory url="/news/secadv/20060928.txt"/>
5599 <reported source="openssl"/>
5602 During the parsing of certain invalid ASN.1 structures an error
5603 condition is mishandled. This can result in an infinite loop which
5604 consumes system memory
5608 <issue public="20060928">
5609 <cve name="2006-2940"/>
5610 <affects base="0.9.7" version="0.9.7"/>
5611 <affects base="0.9.7" version="0.9.7a"/>
5612 <affects base="0.9.7" version="0.9.7b"/>
5613 <affects base="0.9.7" version="0.9.7c"/>
5614 <affects base="0.9.7" version="0.9.7d"/>
5615 <affects base="0.9.7" version="0.9.7e"/>
5616 <affects base="0.9.7" version="0.9.7f"/>
5617 <affects base="0.9.7" version="0.9.7g"/>
5618 <affects base="0.9.7" version="0.9.7h"/>
5619 <affects base="0.9.7" version="0.9.7i"/>
5620 <affects base="0.9.7" version="0.9.7j"/>
5621 <affects base="0.9.7" version="0.9.7k"/>
5622 <affects base="0.9.8" version="0.9.8"/>
5623 <affects base="0.9.8" version="0.9.8a"/>
5624 <affects base="0.9.8" version="0.9.8b"/>
5625 <affects base="0.9.8" version="0.9.8c"/>
5626 <affects base="0.9.6" version="0.9.6"/>
5627 <affects base="0.9.6" version="0.9.6a"/>
5628 <affects base="0.9.6" version="0.9.6b"/>
5629 <affects base="0.9.6" version="0.9.6c"/>
5630 <affects base="0.9.6" version="0.9.6d"/>
5631 <affects base="0.9.6" version="0.9.6e"/>
5632 <affects base="0.9.6" version="0.9.6f"/>
5633 <affects base="0.9.6" version="0.9.6g"/>
5634 <affects base="0.9.6" version="0.9.6h"/>
5635 <affects base="0.9.6" version="0.9.6i"/>
5636 <affects base="0.9.6" version="0.9.6j"/>
5637 <affects base="0.9.6" version="0.9.6k"/>
5638 <affects base="0.9.6" version="0.9.6l"/>
5639 <affects base="0.9.6" version="0.9.6m"/>
5640 <fixed base="0.9.7" version="0.9.7l" date="20060928"/>
5641 <fixed base="0.9.8" version="0.9.8d" date="20060928"/>
5643 <advisory url="/news/secadv/20060928.txt"/>
5644 <reported source="openssl"/>
5647 Certain types of public key can take disproportionate amounts of
5648 time to process. This could be used by an attacker in a denial of
5653 <issue public="20060928">
5654 <cve name="2006-3738"/>
5655 <affects base="0.9.7" version="0.9.7"/>
5656 <affects base="0.9.7" version="0.9.7a"/>
5657 <affects base="0.9.7" version="0.9.7b"/>
5658 <affects base="0.9.7" version="0.9.7c"/>
5659 <affects base="0.9.7" version="0.9.7d"/>
5660 <affects base="0.9.7" version="0.9.7e"/>
5661 <affects base="0.9.7" version="0.9.7f"/>
5662 <affects base="0.9.7" version="0.9.7g"/>
5663 <affects base="0.9.7" version="0.9.7h"/>
5664 <affects base="0.9.7" version="0.9.7i"/>
5665 <affects base="0.9.7" version="0.9.7j"/>
5666 <affects base="0.9.7" version="0.9.7k"/>
5667 <affects base="0.9.8" version="0.9.8"/>
5668 <affects base="0.9.8" version="0.9.8a"/>
5669 <affects base="0.9.8" version="0.9.8b"/>
5670 <affects base="0.9.8" version="0.9.8c"/>
5671 <affects base="0.9.6" version="0.9.6"/>
5672 <affects base="0.9.6" version="0.9.6a"/>
5673 <affects base="0.9.6" version="0.9.6b"/>
5674 <affects base="0.9.6" version="0.9.6c"/>
5675 <affects base="0.9.6" version="0.9.6d"/>
5676 <affects base="0.9.6" version="0.9.6e"/>
5677 <affects base="0.9.6" version="0.9.6f"/>
5678 <affects base="0.9.6" version="0.9.6g"/>
5679 <affects base="0.9.6" version="0.9.6h"/>
5680 <affects base="0.9.6" version="0.9.6i"/>
5681 <affects base="0.9.6" version="0.9.6j"/>
5682 <affects base="0.9.6" version="0.9.6k"/>
5683 <affects base="0.9.6" version="0.9.6l"/>
5684 <affects base="0.9.6" version="0.9.6m"/>
5685 <fixed base="0.9.7" version="0.9.7l" date="20060928"/>
5686 <fixed base="0.9.8" version="0.9.8d" date="20060928"/>
5688 <advisory url="/news/secadv/20060928.txt"/>
5689 <reported source="openssl"/>
5692 A buffer overflow was discovered in the SSL_get_shared_ciphers()
5693 utility function. An attacker could send a list of ciphers to an
5694 application that uses this function and overrun a buffer.
5698 <issue public="20060928">
5699 <cve name="2006-4343"/>
5700 <affects base="0.9.7" version="0.9.7"/>
5701 <affects base="0.9.7" version="0.9.7a"/>
5702 <affects base="0.9.7" version="0.9.7b"/>
5703 <affects base="0.9.7" version="0.9.7c"/>
5704 <affects base="0.9.7" version="0.9.7d"/>
5705 <affects base="0.9.7" version="0.9.7e"/>
5706 <affects base="0.9.7" version="0.9.7f"/>
5707 <affects base="0.9.7" version="0.9.7g"/>
5708 <affects base="0.9.7" version="0.9.7h"/>
5709 <affects base="0.9.7" version="0.9.7i"/>
5710 <affects base="0.9.7" version="0.9.7j"/>
5711 <affects base="0.9.7" version="0.9.7k"/>
5712 <affects base="0.9.8" version="0.9.8"/>
5713 <affects base="0.9.8" version="0.9.8a"/>
5714 <affects base="0.9.8" version="0.9.8b"/>
5715 <affects base="0.9.8" version="0.9.8c"/>
5716 <affects base="0.9.6" version="0.9.6"/>
5717 <affects base="0.9.6" version="0.9.6a"/>
5718 <affects base="0.9.6" version="0.9.6b"/>
5719 <affects base="0.9.6" version="0.9.6c"/>
5720 <affects base="0.9.6" version="0.9.6d"/>
5721 <affects base="0.9.6" version="0.9.6e"/>
5722 <affects base="0.9.6" version="0.9.6f"/>
5723 <affects base="0.9.6" version="0.9.6g"/>
5724 <affects base="0.9.6" version="0.9.6h"/>
5725 <affects base="0.9.6" version="0.9.6i"/>
5726 <affects base="0.9.6" version="0.9.6j"/>
5727 <affects base="0.9.6" version="0.9.6k"/>
5728 <affects base="0.9.6" version="0.9.6l"/>
5729 <affects base="0.9.6" version="0.9.6m"/>
5730 <fixed base="0.9.7" version="0.9.7l" date="20060928"/>
5731 <fixed base="0.9.8" version="0.9.8d" date="20060928"/>
5733 <advisory url="/news/secadv/20060928.txt"/>
5734 <reported source="openssl"/>
5737 A flaw in the SSLv2 client code was discovered. When a client
5738 application used OpenSSL to create an SSLv2 connection to a malicious
5739 server, that server could cause the client to crash.
5743 <issue public="20071012">
5744 <cve name="2007-4995"/>
5745 <affects base="0.9.8" version="0.9.8"/>
5746 <affects base="0.9.8" version="0.9.8a"/>
5747 <affects base="0.9.8" version="0.9.8b"/>
5748 <affects base="0.9.8" version="0.9.8c"/>
5749 <affects base="0.9.8" version="0.9.8d"/>
5750 <affects base="0.9.8" version="0.9.8e"/>
5751 <fixed base="0.9.8" version="0.9.8f" date="20071012"/>
5752 <advisory url="/news/secadv/20071012.txt"/>
5753 <reported source="Andy Polyakov"/>
5756 A flaw in DTLS support. An attacker
5757 could create a malicious client or server that could trigger a heap
5758 overflow. This is possibly exploitable to run arbitrary code, but it has
5763 <issue public="20071012">
5764 <cve name="2007-5135"/>
5765 <affects base="0.9.8" version="0.9.8"/>
5766 <affects base="0.9.8" version="0.9.8a"/>
5767 <affects base="0.9.8" version="0.9.8b"/>
5768 <affects base="0.9.8" version="0.9.8c"/>
5769 <affects base="0.9.8" version="0.9.8d"/>
5770 <affects base="0.9.8" version="0.9.8e"/>
5771 <fixed base="0.9.8" version="0.9.8f" date="20071012"/>
5772 <advisory url="/news/secadv/20071012.txt"/>
5773 <reported source="Moritz Jodeit"/>
5776 A flaw was found in the SSL_get_shared_ciphers() utility function. An
5777 attacker could send a list of ciphers to an application that used this
5778 function and overrun a buffer with a single byte. Few
5779 applications make use of this vulnerable function and generally it is used
5780 only when applications are compiled for debugging.
5784 <issue public="20071129">
5785 <cve name="2007-5502"/>
5786 <advisory url="/news/secadv/20071129.txt"/>
5787 <reported source="Geoff Lowe"/>
5788 <affects base="fips-1.1" version="fips-1.1.1"/>
5789 <fixed base="fips-1.1" version="fips-1.1.2" date="20071201"/>
5791 The PRNG implementation for the OpenSSL FIPS Object Module 1.1.1 does
5792 not perform auto-seeding during the FIPS self-test, which generates
5793 random data that is more predictable than expected and makes it easier
5794 for attackers to bypass protection mechanisms that rely on the
5799 <issue public="20080528">
5800 <cve name="2008-0891"/>
5801 <affects base="0.9.8" version="0.9.8f"/>
5802 <affects base="0.9.8" version="0.9.8g"/>
5803 <fixed base="0.9.8" version="0.9.8h" date="20080528"/>
5804 <advisory url="/news/secadv/20080528.txt"/>
5805 <reported source="codenomicon"/>
5807 Testing using the Codenomicon TLS test suite discovered a flaw in the
5808 handling of server name extension data in OpenSSL 0.9.8f and OpenSSL
5809 0.9.8g. If OpenSSL has been compiled using the non-default TLS server
5810 name extensions, a remote attacker could send a carefully crafted
5811 packet to a server application using OpenSSL and cause it to crash.
5815 <issue public="20080528">
5816 <cve name="2008-1672"/>
5817 <affects base="0.9.8" version="0.9.8f"/>
5818 <affects base="0.9.8" version="0.9.8g"/>
5819 <fixed base="0.9.8" version="0.9.8h" date="20080528"/>
5820 <advisory url="/news/secadv/20080528.txt"/>
5821 <reported source="codenomicon"/>
5823 Testing using the Codenomicon TLS test suite discovered a flaw if the
5824 'Server Key exchange message' is omitted from a TLS handshake in
5825 OpenSSL 0.9.8f and OpenSSL 0.9.8g. If a client connects to a
5826 malicious server with particular cipher suites, the server could cause
5827 the client to crash.
5831 <issue public="20090107">
5832 <cve name="2008-5077"/>
5833 <affects base="0.9.8" version="0.9.8"/>
5834 <affects base="0.9.8" version="0.9.8a"/>
5835 <affects base="0.9.8" version="0.9.8b"/>
5836 <affects base="0.9.8" version="0.9.8c"/>
5837 <affects base="0.9.8" version="0.9.8d"/>
5838 <affects base="0.9.8" version="0.9.8e"/>
5839 <affects base="0.9.8" version="0.9.8f"/>
5840 <affects base="0.9.8" version="0.9.8g"/>
5841 <affects base="0.9.8" version="0.9.8h"/>
5842 <affects base="0.9.8" version="0.9.8i"/>
5843 <fixed base="0.9.8" version="0.9.8j" date="20090107"/>
5844 <advisory url="/news/secadv/20090107.txt"/>
5845 <reported source="google"/>
5848 The Google Security Team discovered several functions inside OpenSSL
5849 incorrectly checked the result after calling the EVP_VerifyFinal
5850 function, allowing a malformed signature to be treated as a good
5851 signature rather than as an error. This issue affected the signature
5852 checks on DSA and ECDSA keys used with SSL/TLS. One way to exploit
5853 this flaw would be for a remote attacker who is in control of a
5854 malicious server or who can use a 'man in the middle' attack to
5855 present a malformed SSL/TLS signature from a certificate chain to a
5856 vulnerable client, bypassing validation.
5860 <issue public="20090325">
5861 <cve name="2009-0590"/>
5862 <affects base="0.9.8" version="0.9.8"/>
5863 <affects base="0.9.8" version="0.9.8a"/>
5864 <affects base="0.9.8" version="0.9.8b"/>
5865 <affects base="0.9.8" version="0.9.8c"/>
5866 <affects base="0.9.8" version="0.9.8d"/>
5867 <affects base="0.9.8" version="0.9.8e"/>
5868 <affects base="0.9.8" version="0.9.8f"/>
5869 <affects base="0.9.8" version="0.9.8g"/>
5870 <affects base="0.9.8" version="0.9.8h"/>
5871 <affects base="0.9.8" version="0.9.8i"/>
5872 <affects base="0.9.8" version="0.9.8j"/>
5873 <fixed base="0.9.8" version="0.9.8k" date="20090325"/>
5874 <advisory url="/news/secadv/20090325.txt"/>
5876 The function ASN1_STRING_print_ex() when used to print a BMPString or
5877 UniversalString will crash with an invalid memory access if the
5878 encoded length of the string is illegal. Any OpenSSL application
5879 which prints out the contents of a certificate could be affected by
5880 this bug, including SSL servers, clients and S/MIME software.
5884 <issue public="20090325">
5885 <cve name="2009-0591"/>
5886 <affects base="0.9.8" version="0.9.8h"/>
5887 <affects base="0.9.8" version="0.9.8i"/>
5888 <affects base="0.9.8" version="0.9.8j"/>
5889 <fixed base="0.9.8" version="0.9.8k" date="20090325"/>
5890 <advisory url="/news/secadv/20090325.txt"/>
5891 <reported source="Ivan Nestlerode, IBM"/>
5893 The function CMS_verify() does not correctly handle an error condition
5894 involving malformed signed attributes. This will cause an invalid set
5895 of signed attributes to appear valid and content digests will not be
5900 <issue public="20090325">
5901 <cve name="2009-0789"/>
5902 <affects base="0.9.8" version="0.9.8"/>
5903 <affects base="0.9.8" version="0.9.8a"/>
5904 <affects base="0.9.8" version="0.9.8b"/>
5905 <affects base="0.9.8" version="0.9.8c"/>
5906 <affects base="0.9.8" version="0.9.8d"/>
5907 <affects base="0.9.8" version="0.9.8e"/>
5908 <affects base="0.9.8" version="0.9.8f"/>
5909 <affects base="0.9.8" version="0.9.8g"/>
5910 <affects base="0.9.8" version="0.9.8h"/>
5911 <affects base="0.9.8" version="0.9.8i"/>
5912 <affects base="0.9.8" version="0.9.8j"/>
5913 <fixed base="0.9.8" version="0.9.8k" date="20090325"/>
5914 <reported source="Paolo Ganci"/>
5915 <advisory url="/news/secadv/20090325.txt"/>
5917 When a malformed ASN1 structure is received it's contents are freed up and
5918 zeroed and an error condition returned. On a small number of platforms where
5919 sizeof(long) < sizeof(void *) (for example WIN64) this can cause an invalid
5920 memory access later resulting in a crash when some invalid structures are
5921 read, for example RSA public keys.
5925 <issue public="20090602">
5926 <cve name="2009-1386"/>
5927 <affects base="0.9.8" version="0.9.8"/>
5928 <affects base="0.9.8" version="0.9.8a"/>
5929 <affects base="0.9.8" version="0.9.8b"/>
5930 <affects base="0.9.8" version="0.9.8c"/>
5931 <affects base="0.9.8" version="0.9.8d"/>
5932 <affects base="0.9.8" version="0.9.8e"/>
5933 <affects base="0.9.8" version="0.9.8f"/>
5934 <affects base="0.9.8" version="0.9.8g"/>
5935 <affects base="0.9.8" version="0.9.8h"/>
5936 <fixed base="0.9.8" version="0.9.8i" date="20080915">
5937 <git hash="1cbf663a6c89dcf8f7706d30a8bae675e2e0199a"/>
5939 <reported source="Alex Lam"/>
5941 Fix a NULL pointer dereference if a DTLS server recieved
5942 ChangeCipherSpec as first record.
5943 A remote attacker could use this flaw to cause a DTLS server to crash
5947 <issue public="20091105">
5948 <cve name="2009-3555"/>
5949 <affects base="0.9.8" version="0.9.8"/>
5950 <affects base="0.9.8" version="0.9.8a"/>
5951 <affects base="0.9.8" version="0.9.8b"/>
5952 <affects base="0.9.8" version="0.9.8c"/>
5953 <affects base="0.9.8" version="0.9.8d"/>
5954 <affects base="0.9.8" version="0.9.8e"/>
5955 <affects base="0.9.8" version="0.9.8f"/>
5956 <affects base="0.9.8" version="0.9.8g"/>
5957 <affects base="0.9.8" version="0.9.8h"/>
5958 <affects base="0.9.8" version="0.9.8i"/>
5959 <affects base="0.9.8" version="0.9.8j"/>
5960 <affects base="0.9.8" version="0.9.8k"/>
5961 <affects base="0.9.8" version="0.9.8l"/>
5962 <fixed base="0.9.8" version="0.9.8m" date="20100120"/>
5963 <advisory url="/news/secadv/20091111.txt"/>
5965 Implement RFC5746 to address vulnerabilities in SSL/TLS renegotiation.
5969 <issue public="20090205">
5970 <cve name="2009-1387"/>
5971 <advisory url="https://rt.openssl.org/Ticket/Display.html?id=1838&user=guest&pass=guest"/>
5972 <affects base="0.9.8" version="0.9.8"/>
5973 <affects base="0.9.8" version="0.9.8a"/>
5974 <affects base="0.9.8" version="0.9.8b"/>
5975 <affects base="0.9.8" version="0.9.8c"/>
5976 <affects base="0.9.8" version="0.9.8d"/>
5977 <affects base="0.9.8" version="0.9.8e"/>
5978 <affects base="0.9.8" version="0.9.8f"/>
5979 <affects base="0.9.8" version="0.9.8g"/>
5980 <affects base="0.9.8" version="0.9.8h"/>
5981 <affects base="0.9.8" version="0.9.8i"/>
5982 <affects base="0.9.8" version="0.9.8j"/>
5983 <affects base="0.9.8" version="0.9.8k"/>
5984 <affects base="0.9.8" version="0.9.8l"/>
5985 <fixed base="0.9.8" version="0.9.8m" date="20100120"/>
5986 <reported source="Robin Seggelmann"/>
5988 Fix denial of service flaw due in the DTLS implementation. A
5989 remote attacker could use this flaw to cause a DTLS server to crash.
5993 <issue public="20090512">
5994 <cve name="2009-1377"/>
5995 <advisory url="https://rt.openssl.org/Ticket/Display.html?id=1930&user=guest&pass=guest"/>
5996 <affects base="0.9.8" version="0.9.8"/>
5997 <affects base="0.9.8" version="0.9.8a"/>
5998 <affects base="0.9.8" version="0.9.8b"/>
5999 <affects base="0.9.8" version="0.9.8c"/>
6000 <affects base="0.9.8" version="0.9.8d"/>
6001 <affects base="0.9.8" version="0.9.8e"/>
6002 <affects base="0.9.8" version="0.9.8f"/>
6003 <affects base="0.9.8" version="0.9.8g"/>
6004 <affects base="0.9.8" version="0.9.8h"/>
6005 <affects base="0.9.8" version="0.9.8i"/>
6006 <affects base="0.9.8" version="0.9.8j"/>
6007 <affects base="0.9.8" version="0.9.8k"/>
6008 <affects base="0.9.8" version="0.9.8l"/>
6009 <fixed base="0.9.8" version="0.9.8m" date="20100120">
6010 <git hash="88b48dc68024dcc437da4296c9fb04419b0ccbe1"/>
6012 <reported source="Daniel Mentz, Robin Seggelmann"/>
6014 Fix a denial of service flaw in the DTLS implementation.
6015 Records are buffered if they arrive with a future epoch to be
6016 processed after finishing the corresponding handshake. There is
6017 currently no limitation to this buffer allowing an attacker to perform
6018 a DOS attack to a DTLS server by sending records with future epochs until there is no
6023 <issue public="20090512">
6024 <cve name="2009-1378"/>
6025 <advisory url="https://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest"/>
6026 <affects base="0.9.8" version="0.9.8"/>
6027 <affects base="0.9.8" version="0.9.8a"/>
6028 <affects base="0.9.8" version="0.9.8b"/>
6029 <affects base="0.9.8" version="0.9.8c"/>
6030 <affects base="0.9.8" version="0.9.8d"/>
6031 <affects base="0.9.8" version="0.9.8e"/>
6032 <affects base="0.9.8" version="0.9.8f"/>
6033 <affects base="0.9.8" version="0.9.8g"/>
6034 <affects base="0.9.8" version="0.9.8h"/>
6035 <affects base="0.9.8" version="0.9.8i"/>
6036 <affects base="0.9.8" version="0.9.8j"/>
6037 <affects base="0.9.8" version="0.9.8k"/>
6038 <affects base="0.9.8" version="0.9.8l"/>
6039 <fixed base="0.9.8" version="0.9.8m" date="20100120">
6040 <git hash="abda7c114791fa7fe95672ec7a66fc4733c40dbc"/>
6042 <reported source="Daniel Mentz, Robin Seggelmann"/>
6044 Fix a denial of service flaw in the DTLS implementation.
6045 In dtls1_process_out_of_seq_message() the check if the current message
6046 is already buffered was missing. For every new message was memory
6047 allocated, allowing an attacker to perform an denial of service attack
6048 against a DTLS server by sending out of seq handshake messages until there is no memory
6053 <issue public="20090512">
6054 <cve name="2009-1379"/>
6055 <advisory url="https://rt.openssl.org/Ticket/Display.html?id=1923&user=guest&pass=guest"/>
6056 <affects base="0.9.8" version="0.9.8"/>
6057 <affects base="0.9.8" version="0.9.8a"/>
6058 <affects base="0.9.8" version="0.9.8b"/>
6059 <affects base="0.9.8" version="0.9.8c"/>
6060 <affects base="0.9.8" version="0.9.8d"/>
6061 <affects base="0.9.8" version="0.9.8e"/>
6062 <affects base="0.9.8" version="0.9.8f"/>
6063 <affects base="0.9.8" version="0.9.8g"/>
6064 <affects base="0.9.8" version="0.9.8h"/>
6065 <affects base="0.9.8" version="0.9.8i"/>
6066 <affects base="0.9.8" version="0.9.8j"/>
6067 <affects base="0.9.8" version="0.9.8k"/>
6068 <affects base="0.9.8" version="0.9.8l"/>
6069 <fixed base="0.9.8" version="0.9.8m" date="20100120">
6070 <git hash="561cbe567846a376153bea7f1f2d061e78029c2d"/>
6072 <reported source="Daniel Mentz, Robin Seggelmann"/>
6074 Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment
6075 function could cause a client accessing a malicious DTLS server to
6080 <issue public="20100113">
6081 <cve name="2009-4355"/>
6082 <affects base="0.9.8" version="0.9.8"/>
6083 <affects base="0.9.8" version="0.9.8a"/>
6084 <affects base="0.9.8" version="0.9.8b"/>
6085 <affects base="0.9.8" version="0.9.8c"/>
6086 <affects base="0.9.8" version="0.9.8d"/>
6087 <affects base="0.9.8" version="0.9.8e"/>
6088 <affects base="0.9.8" version="0.9.8f"/>
6089 <affects base="0.9.8" version="0.9.8g"/>
6090 <affects base="0.9.8" version="0.9.8h"/>
6091 <affects base="0.9.8" version="0.9.8i"/>
6092 <affects base="0.9.8" version="0.9.8j"/>
6093 <affects base="0.9.8" version="0.9.8k"/>
6094 <affects base="0.9.8" version="0.9.8l"/>
6095 <fixed base="0.9.8" version="0.9.8m" date="20100120">
6096 <git hash="1b31b5ad560b16e2fe1cad54a755e3e6b5e778a3"/>
6098 <reported source="Michael K Johnson and Andy Grimm (rPath)"/>
6100 A memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c
6101 allows remote attackers to cause a denial of service
6102 via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data
6107 <issue public="20100223">
6108 <cve name="2009-3245"/>
6109 <affects base="0.9.8" version="0.9.8"/>
6110 <affects base="0.9.8" version="0.9.8a"/>
6111 <affects base="0.9.8" version="0.9.8b"/>
6112 <affects base="0.9.8" version="0.9.8c"/>
6113 <affects base="0.9.8" version="0.9.8d"/>
6114 <affects base="0.9.8" version="0.9.8e"/>
6115 <affects base="0.9.8" version="0.9.8f"/>
6116 <affects base="0.9.8" version="0.9.8g"/>
6117 <affects base="0.9.8" version="0.9.8h"/>
6118 <affects base="0.9.8" version="0.9.8i"/>
6119 <affects base="0.9.8" version="0.9.8j"/>
6120 <affects base="0.9.8" version="0.9.8k"/>
6121 <affects base="0.9.8" version="0.9.8l"/>
6122 <fixed base="0.9.8" version="0.9.8m" date="20100120">
6123 <git hash="7e4cae1d2f555cbe9226b377aff4b56c9f7ddd4d"/>
6125 <reported source="Martin Olsson, Neel Mehta"/>
6127 It was discovered that OpenSSL did not always check the return value of the
6128 bn_wexpand() function. An attacker able to trigger a memory allocation failure
6129 in that function could cause an application using the OpenSSL library to crash
6130 or, possibly, execute arbitrary code
6134 <issue public="20100119">
6135 <cve name="2010-0433"/>
6136 <affects base="0.9.8" version="0.9.8"/>
6137 <affects base="0.9.8" version="0.9.8a"/>
6138 <affects base="0.9.8" version="0.9.8b"/>
6139 <affects base="0.9.8" version="0.9.8c"/>
6140 <affects base="0.9.8" version="0.9.8d"/>
6141 <affects base="0.9.8" version="0.9.8e"/>
6142 <affects base="0.9.8" version="0.9.8f"/>
6143 <affects base="0.9.8" version="0.9.8g"/>
6144 <affects base="0.9.8" version="0.9.8h"/>
6145 <affects base="0.9.8" version="0.9.8i"/>
6146 <affects base="0.9.8" version="0.9.8j"/>
6147 <affects base="0.9.8" version="0.9.8k"/>
6148 <affects base="0.9.8" version="0.9.8l"/>
6149 <affects base="0.9.8" version="0.9.8m"/>
6150 <fixed base="0.9.8" version="0.9.8n" date="20100324">
6151 <git hash="cca1cd9a3447dd067503e4a85ebd1679ee78a48e"/>
6153 <reported source="Todd Rinaldo, Tomas Hoger (Red Hat)"/>
6155 A missing return value check flaw was discovered in OpenSSL, that could
6156 possibly cause OpenSSL to call a Kerberos library function with invalid
6157 arguments, resulting in a NULL pointer dereference crash in the MIT
6158 Kerberos library. In certain configurations, a remote attacker could use
6159 this flaw to crash a TLS/SSL server using OpenSSL by requesting Kerberos
6160 cipher suites during the TLS handshake
6164 <issue public="20100324">
6165 <cve name="2010-0740"/>
6166 <affects base="0.9.8" version="0.9.8f"/>
6167 <affects base="0.9.8" version="0.9.8g"/>
6168 <affects base="0.9.8" version="0.9.8h"/>
6169 <affects base="0.9.8" version="0.9.8i"/>
6170 <affects base="0.9.8" version="0.9.8j"/>
6171 <affects base="0.9.8" version="0.9.8k"/>
6172 <affects base="0.9.8" version="0.9.8l"/>
6173 <affects base="0.9.8" version="0.9.8m"/>
6174 <fixed base="0.9.8" version="0.9.8n" date="20100324"/>
6175 <advisory url="/news/secadv/20100324.txt"/>
6176 <reported source="Bodo Moeller and Adam Langley (Google)"/>
6178 In TLS connections, certain incorrectly formatted records can cause an
6179 OpenSSL client or server to crash due to a read attempt at NULL.
6183 <issue public="20100601">
6184 <cve name="2010-0742"/>
6185 <affects base="1.0.0" version="1.0.0"/>
6186 <affects base="0.9.8" version="0.9.8h"/>
6187 <affects base="0.9.8" version="0.9.8i"/>
6188 <affects base="0.9.8" version="0.9.8j"/>
6189 <affects base="0.9.8" version="0.9.8k"/>
6190 <affects base="0.9.8" version="0.9.8l"/>
6191 <affects base="0.9.8" version="0.9.8m"/>
6192 <affects base="0.9.8" version="0.9.8n"/>
6193 <fixed base="0.9.8" version="0.9.8o" date="20100601"/>
6194 <fixed base="1.0.0" version="1.0.0a" date="20100601"/>
6195 <advisory url="/news/secadv/20100601.txt"/>
6196 <reported source="Ronald Moesbergen"/>
6198 A flaw in the handling of CMS structures containing OriginatorInfo was found which
6199 could lead to a write to invalid memory address or double free. CMS support is
6200 disabled by default in OpenSSL 0.9.8 versions.
6204 <issue public="20100601">
6205 <cve name="2010-1633"/>
6206 <affects base="1.0.0" version="1.0.0"/>
6207 <fixed base="1.0.0" version="1.0.0a" date="20100601"/>
6208 <advisory url="/news/secadv/20100601.txt"/>
6209 <reported source="Peter-Michael Hager"/>
6211 An invalid Return value check in pkey_rsa_verifyrecover was
6212 discovered. When verification recovery fails for RSA keys an
6213 uninitialised buffer with an undefined length is returned instead of
6214 an error code. This could lead to an information leak.
6218 <issue public="20101116">
6219 <cve name="2010-3864"/>
6220 <affects base="0.9.8" version="0.9.8"/>
6221 <affects base="0.9.8" version="0.9.8a"/>
6222 <affects base="0.9.8" version="0.9.8b"/>
6223 <affects base="0.9.8" version="0.9.8c"/>
6224 <affects base="0.9.8" version="0.9.8d"/>
6225 <affects base="0.9.8" version="0.9.8e"/>
6226 <affects base="0.9.8" version="0.9.8f"/>
6227 <affects base="0.9.8" version="0.9.8g"/>
6228 <affects base="0.9.8" version="0.9.8h"/>
6229 <affects base="0.9.8" version="0.9.8i"/>
6230 <affects base="0.9.8" version="0.9.8j"/>
6231 <affects base="0.9.8" version="0.9.8k"/>
6232 <affects base="0.9.8" version="0.9.8l"/>
6233 <affects base="0.9.8" version="0.9.8m"/>
6234 <affects base="0.9.8" version="0.9.8n"/>
6235 <affects base="0.9.8" version="0.9.8o"/>
6236 <affects base="1.0.0" version="1.0.0"/>
6237 <affects base="1.0.0" version="1.0.0a"/>
6238 <fixed base="1.0.0" version="1.0.0b" date="20101116"/>
6239 <fixed base="0.9.8" version="0.9.8p" date="20101116"/>
6240 <advisory url="/news/secadv/20101116.txt"/>
6241 <reported source="Rob Hulswit"/>
6244 A flaw in the OpenSSL TLS server extension code parsing which on
6245 affected servers can be exploited in a buffer overrun attack. Any
6246 OpenSSL based TLS server is vulnerable if it is multi-threaded and
6247 uses OpenSSL's internal caching mechanism. Servers that are
6248 multi-process and/or disable internal session caching are NOT
6254 <issue public="20101202">
6255 <cve name="2010-4252"/>
6256 <affects base="1.0.0" version="1.0.0"/>
6257 <affects base="1.0.0" version="1.0.0a"/>
6258 <affects base="1.0.0" version="1.0.0b"/>
6259 <fixed base="1.0.0" version="1.0.0c" date="20101202"/>
6260 <advisory url="/news/secadv/20101202.txt"/>
6261 <reported source="Sebastian Martini"/>
6263 An error in OpenSSL's experimental J-PAKE implementation which could
6264 lead to successful validation by someone with no knowledge of the
6265 shared secret. The OpenSSL Team still consider the implementation of
6266 J-PAKE to be experimental and is not compiled by default.
6270 <issue public="20101202">
6271 <cve name="2010-4180"/>
6272 <affects base="0.9.8" version="0.9.8"/>
6273 <affects base="0.9.8" version="0.9.8a"/>
6274 <affects base="0.9.8" version="0.9.8b"/>
6275 <affects base="0.9.8" version="0.9.8c"/>
6276 <affects base="0.9.8" version="0.9.8d"/>
6277 <affects base="0.9.8" version="0.9.8e"/>
6278 <affects base="0.9.8" version="0.9.8f"/>
6279 <affects base="0.9.8" version="0.9.8g"/>
6280 <affects base="0.9.8" version="0.9.8h"/>
6281 <affects base="0.9.8" version="0.9.8i"/>
6282 <affects base="0.9.8" version="0.9.8j"/>
6283 <affects base="0.9.8" version="0.9.8k"/>
6284 <affects base="0.9.8" version="0.9.8l"/>
6285 <affects base="0.9.8" version="0.9.8m"/>
6286 <affects base="0.9.8" version="0.9.8n"/>
6287 <affects base="0.9.8" version="0.9.8o"/>
6288 <affects base="0.9.8" version="0.9.8p"/>
6289 <affects base="1.0.0" version="1.0.0"/>
6290 <affects base="1.0.0" version="1.0.0a"/>
6291 <affects base="1.0.0" version="1.0.0b"/>
6292 <fixed base="1.0.0" version="1.0.0c" date="20101202"/>
6293 <fixed base="0.9.8" version="0.9.8q" date="20101202"/>
6294 <advisory url="/news/secadv/20101202.txt"/>
6295 <reported source="Martin Rex"/>
6297 A flaw in the OpenSSL SSL/TLS server code where an old bug workaround
6298 allows malicious clients to modify the stored session cache
6299 ciphersuite. In some cases the ciphersuite can be downgraded to a
6300 weaker one on subsequent connections. This issue only affects OpenSSL
6301 based SSL/TLS server if it uses OpenSSL's internal caching mechanisms
6302 and the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG flag (many
6303 applications enable this by using the SSL_OP_ALL option).
6307 <issue public="20110906">
6308 <cve name="2011-3207"/>
6309 <affects base="1.0.0" version="1.0.0"/>
6310 <affects base="1.0.0" version="1.0.0a"/>
6311 <affects base="1.0.0" version="1.0.0b"/>
6312 <affects base="1.0.0" version="1.0.0c"/>
6313 <affects base="1.0.0" version="1.0.0d"/>
6314 <fixed base="1.0.0" version="1.0.0e" date="20110906"/>
6315 <advisory url="/news/secadv/20110906.txt"/>
6316 <reported source="Kaspar Brand"/>
6318 Under certain circumstances OpenSSL's internal certificate
6319 verification routines can incorrectly accept a CRL whose nextUpdate
6320 field is in the past. Applications are only affected by the CRL
6321 checking vulnerability if they enable OpenSSL's internal CRL checking
6322 which is off by default. Applications which use their own custom CRL
6323 checking (such as Apache) are not affected.
6327 <issue public="20110906">
6328 <cve name="2011-3210"/>
6329 <affects base="0.9.8" version="0.9.8"/>
6330 <affects base="0.9.8" version="0.9.8a"/>
6331 <affects base="0.9.8" version="0.9.8b"/>
6332 <affects base="0.9.8" version="0.9.8c"/>
6333 <affects base="0.9.8" version="0.9.8d"/>
6334 <affects base="0.9.8" version="0.9.8e"/>
6335 <affects base="0.9.8" version="0.9.8f"/>
6336 <affects base="0.9.8" version="0.9.8g"/>
6337 <affects base="0.9.8" version="0.9.8h"/>
6338 <affects base="0.9.8" version="0.9.8i"/>
6339 <affects base="0.9.8" version="0.9.8j"/>
6340 <affects base="0.9.8" version="0.9.8k"/>
6341 <affects base="0.9.8" version="0.9.8l"/>
6342 <affects base="0.9.8" version="0.9.8m"/>
6343 <affects base="0.9.8" version="0.9.8n"/>
6344 <affects base="0.9.8" version="0.9.8o"/>
6345 <affects base="0.9.8" version="0.9.8p"/>
6346 <affects base="0.9.8" version="0.9.8q"/>
6347 <affects base="0.9.8" version="0.9.8r"/>
6348 <affects base="1.0.0" version="1.0.0"/>
6349 <affects base="1.0.0" version="1.0.0a"/>
6350 <affects base="1.0.0" version="1.0.0b"/>
6351 <affects base="1.0.0" version="1.0.0c"/>
6352 <affects base="1.0.0" version="1.0.0d"/>
6353 <fixed base="1.0.0" version="1.0.0e" date="20110906"/>
6354 <advisory url="/news/secadv/20110906.txt"/>
6355 <reported source="Adam Langley"/>
6357 OpenSSL server code for ephemeral ECDH ciphersuites is not
6358 thread-safe, and furthermore can crash if a client violates the
6359 protocol by sending handshake messages in incorrect order. Only
6360 server-side applications that specifically support ephemeral ECDH
6361 ciphersuites are affected, and only if ephemeral ECDH ciphersuites are
6362 enabled in the configuration.
6366 <issue public="20120104">
6367 <cve name="2011-4108"/>
6368 <affects base="0.9.8" version="0.9.8"/>
6369 <affects base="0.9.8" version="0.9.8a"/>
6370 <affects base="0.9.8" version="0.9.8b"/>
6371 <affects base="0.9.8" version="0.9.8c"/>
6372 <affects base="0.9.8" version="0.9.8d"/>
6373 <affects base="0.9.8" version="0.9.8e"/>
6374 <affects base="0.9.8" version="0.9.8f"/>
6375 <affects base="0.9.8" version="0.9.8g"/>
6376 <affects base="0.9.8" version="0.9.8h"/>
6377 <affects base="0.9.8" version="0.9.8i"/>
6378 <affects base="0.9.8" version="0.9.8j"/>
6379 <affects base="0.9.8" version="0.9.8k"/>
6380 <affects base="0.9.8" version="0.9.8l"/>
6381 <affects base="0.9.8" version="0.9.8m"/>
6382 <affects base="0.9.8" version="0.9.8n"/>
6383 <affects base="0.9.8" version="0.9.8o"/>
6384 <affects base="0.9.8" version="0.9.8p"/>
6385 <affects base="0.9.8" version="0.9.8q"/>
6386 <affects base="0.9.8" version="0.9.8r"/>
6387 <affects base="1.0.0" version="1.0.0"/>
6388 <affects base="1.0.0" version="1.0.0a"/>
6389 <affects base="1.0.0" version="1.0.0b"/>
6390 <affects base="1.0.0" version="1.0.0c"/>
6391 <affects base="1.0.0" version="1.0.0d"/>
6392 <affects base="1.0.0" version="1.0.0e"/>
6393 <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
6394 <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
6395 <advisory url="/news/secadv/20120104.txt"/>
6396 <reported source="Nadhem Alfardan and Kenny Paterson"/>
6398 OpenSSL was susceptable an extension of the
6399 Vaudenay padding oracle attack on CBC mode encryption which enables an
6400 efficient plaintext recovery attack against the OpenSSL implementation
6401 of DTLS by exploiting timing differences arising during
6402 decryption processing.
6406 <issue public="20120104">
6407 <cve name="2011-4109"/>
6408 <affects base="0.9.8" version="0.9.8"/>
6409 <affects base="0.9.8" version="0.9.8a"/>
6410 <affects base="0.9.8" version="0.9.8b"/>
6411 <affects base="0.9.8" version="0.9.8c"/>
6412 <affects base="0.9.8" version="0.9.8d"/>
6413 <affects base="0.9.8" version="0.9.8e"/>
6414 <affects base="0.9.8" version="0.9.8f"/>
6415 <affects base="0.9.8" version="0.9.8g"/>
6416 <affects base="0.9.8" version="0.9.8h"/>
6417 <affects base="0.9.8" version="0.9.8i"/>
6418 <affects base="0.9.8" version="0.9.8j"/>
6419 <affects base="0.9.8" version="0.9.8k"/>
6420 <affects base="0.9.8" version="0.9.8l"/>
6421 <affects base="0.9.8" version="0.9.8m"/>
6422 <affects base="0.9.8" version="0.9.8n"/>
6423 <affects base="0.9.8" version="0.9.8o"/>
6424 <affects base="0.9.8" version="0.9.8p"/>
6425 <affects base="0.9.8" version="0.9.8q"/>
6426 <affects base="0.9.8" version="0.9.8r"/>
6427 <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
6428 <advisory url="/news/secadv/20120104.txt"/>
6429 <reported source="Ben Laurie"/>
6431 If X509_V_FLAG_POLICY_CHECK is set in OpenSSL 0.9.8, then a policy
6432 check failure can lead to a double-free. The bug does not occur
6433 unless this flag is set. Users of OpenSSL 1.0.0 are not affected
6437 <issue public="20120104">
6438 <cve name="2011-4576"/>
6439 <affects base="0.9.8" version="0.9.8"/>
6440 <affects base="0.9.8" version="0.9.8a"/>
6441 <affects base="0.9.8" version="0.9.8b"/>
6442 <affects base="0.9.8" version="0.9.8c"/>
6443 <affects base="0.9.8" version="0.9.8d"/>
6444 <affects base="0.9.8" version="0.9.8e"/>
6445 <affects base="0.9.8" version="0.9.8f"/>
6446 <affects base="0.9.8" version="0.9.8g"/>
6447 <affects base="0.9.8" version="0.9.8h"/>
6448 <affects base="0.9.8" version="0.9.8i"/>
6449 <affects base="0.9.8" version="0.9.8j"/>
6450 <affects base="0.9.8" version="0.9.8k"/>
6451 <affects base="0.9.8" version="0.9.8l"/>
6452 <affects base="0.9.8" version="0.9.8m"/>
6453 <affects base="0.9.8" version="0.9.8n"/>
6454 <affects base="0.9.8" version="0.9.8o"/>
6455 <affects base="0.9.8" version="0.9.8p"/>
6456 <affects base="0.9.8" version="0.9.8q"/>
6457 <affects base="0.9.8" version="0.9.8r"/>
6458 <affects base="1.0.0" version="1.0.0"/>
6459 <affects base="1.0.0" version="1.0.0a"/>
6460 <affects base="1.0.0" version="1.0.0b"/>
6461 <affects base="1.0.0" version="1.0.0c"/>
6462 <affects base="1.0.0" version="1.0.0d"/>
6463 <affects base="1.0.0" version="1.0.0e"/>
6464 <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
6465 <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
6466 <advisory url="/news/secadv/20120104.txt"/>
6467 <reported source="Adam Langley"/>
6469 OpenSSL failed to clear the bytes used as
6470 block cipher padding in SSL 3.0 records which could leak
6471 the contents of memory in some circumstances.
6475 <issue public="20120104">
6476 <cve name="2011-4577"/>
6477 <affects base="0.9.8" version="0.9.8"/>
6478 <affects base="0.9.8" version="0.9.8a"/>
6479 <affects base="0.9.8" version="0.9.8b"/>
6480 <affects base="0.9.8" version="0.9.8c"/>
6481 <affects base="0.9.8" version="0.9.8d"/>
6482 <affects base="0.9.8" version="0.9.8e"/>
6483 <affects base="0.9.8" version="0.9.8f"/>
6484 <affects base="0.9.8" version="0.9.8g"/>
6485 <affects base="0.9.8" version="0.9.8h"/>
6486 <affects base="0.9.8" version="0.9.8i"/>
6487 <affects base="0.9.8" version="0.9.8j"/>
6488 <affects base="0.9.8" version="0.9.8k"/>
6489 <affects base="0.9.8" version="0.9.8l"/>
6490 <affects base="0.9.8" version="0.9.8m"/>
6491 <affects base="0.9.8" version="0.9.8n"/>
6492 <affects base="0.9.8" version="0.9.8o"/>
6493 <affects base="0.9.8" version="0.9.8p"/>
6494 <affects base="0.9.8" version="0.9.8q"/>
6495 <affects base="0.9.8" version="0.9.8r"/>
6496 <affects base="1.0.0" version="1.0.0"/>
6497 <affects base="1.0.0" version="1.0.0a"/>
6498 <affects base="1.0.0" version="1.0.0b"/>
6499 <affects base="1.0.0" version="1.0.0c"/>
6500 <affects base="1.0.0" version="1.0.0d"/>
6501 <affects base="1.0.0" version="1.0.0e"/>
6502 <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
6503 <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
6504 <advisory url="/news/secadv/20120104.txt"/>
6505 <reported source="Andrew Chi"/>
6507 RFC 3779 data can be included in certificates, and if it is malformed,
6508 may trigger an assertion failure. This could be used in a
6509 denial-of-service attack. Builds of OpenSSL are only vulnerable if configured with
6510 "enable-rfc3779", which is not a default.
6514 <issue public="20120104">
6515 <cve name="2011-4619"/>
6516 <affects base="0.9.8" version="0.9.8"/>
6517 <affects base="0.9.8" version="0.9.8a"/>
6518 <affects base="0.9.8" version="0.9.8b"/>
6519 <affects base="0.9.8" version="0.9.8c"/>
6520 <affects base="0.9.8" version="0.9.8d"/>
6521 <affects base="0.9.8" version="0.9.8e"/>
6522 <affects base="0.9.8" version="0.9.8f"/>
6523 <affects base="0.9.8" version="0.9.8g"/>
6524 <affects base="0.9.8" version="0.9.8h"/>
6525 <affects base="0.9.8" version="0.9.8i"/>
6526 <affects base="0.9.8" version="0.9.8j"/>
6527 <affects base="0.9.8" version="0.9.8k"/>
6528 <affects base="0.9.8" version="0.9.8l"/>
6529 <affects base="0.9.8" version="0.9.8m"/>
6530 <affects base="0.9.8" version="0.9.8n"/>
6531 <affects base="0.9.8" version="0.9.8o"/>
6532 <affects base="0.9.8" version="0.9.8p"/>
6533 <affects base="0.9.8" version="0.9.8q"/>
6534 <affects base="0.9.8" version="0.9.8r"/>
6535 <affects base="1.0.0" version="1.0.0"/>
6536 <affects base="1.0.0" version="1.0.0a"/>
6537 <affects base="1.0.0" version="1.0.0b"/>
6538 <affects base="1.0.0" version="1.0.0c"/>
6539 <affects base="1.0.0" version="1.0.0d"/>
6540 <affects base="1.0.0" version="1.0.0e"/>
6541 <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
6542 <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
6543 <advisory url="/news/secadv/20120104.txt"/>
6544 <reported source="George Kadianakis"/>
6546 Support for handshake restarts for server gated cryptograpy (SGC) can
6547 be used in a denial-of-service attack.
6551 <issue public="20120104">
6552 <cve name="2012-0027"/>
6553 <affects base="1.0.0" version="1.0.0"/>
6554 <affects base="1.0.0" version="1.0.0a"/>
6555 <affects base="1.0.0" version="1.0.0b"/>
6556 <affects base="1.0.0" version="1.0.0c"/>
6557 <affects base="1.0.0" version="1.0.0d"/>
6558 <affects base="1.0.0" version="1.0.0e"/>
6559 <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
6560 <advisory url="/news/secadv/20120104.txt"/>
6561 <reported source="Andrey Kulikov"/>
6563 A malicious TLS client can send an invalid set of GOST parameters
6564 which will cause the server to crash due to lack of error checking.
6565 This could be used in a denial-of-service attack.
6566 Only users of the OpenSSL GOST ENGINE are affected by this bug.
6570 <issue public="20120104">
6571 <cve name="2012-0050"/>
6572 <affects base="0.9.8" version="0.9.8s"/>
6573 <affects base="1.0.0" version="1.0.0f"/>
6574 <fixed base="1.0.0" version="1.0.0g" date="20120118"/>
6575 <fixed base="0.9.8" version="0.9.8t" date="20120118"/>
6576 <advisory url="/news/secadv/20120118.txt"/>
6577 <reported source="Antonio Martin"/>
6579 A flaw in the fix to CVE-2011-4108 can be exploited in a denial of
6580 service attack. Only DTLS applications are affected.
6584 <issue public="20120312">
6585 <cve name="2012-0884"/>
6586 <affects base="0.9.8" version="0.9.8"/>
6587 <affects base="0.9.8" version="0.9.8a"/>
6588 <affects base="0.9.8" version="0.9.8b"/>
6589 <affects base="0.9.8" version="0.9.8c"/>
6590 <affects base="0.9.8" version="0.9.8d"/>
6591 <affects base="0.9.8" version="0.9.8e"/>
6592 <affects base="0.9.8" version="0.9.8f"/>
6593 <affects base="0.9.8" version="0.9.8g"/>
6594 <affects base="0.9.8" version="0.9.8h"/>
6595 <affects base="0.9.8" version="0.9.8i"/>
6596 <affects base="0.9.8" version="0.9.8j"/>
6597 <affects base="0.9.8" version="0.9.8k"/>
6598 <affects base="0.9.8" version="0.9.8l"/>
6599 <affects base="0.9.8" version="0.9.8m"/>
6600 <affects base="0.9.8" version="0.9.8n"/>
6601 <affects base="0.9.8" version="0.9.8o"/>
6602 <affects base="0.9.8" version="0.9.8p"/>
6603 <affects base="0.9.8" version="0.9.8q"/>
6604 <affects base="0.9.8" version="0.9.8r"/>
6605 <affects base="0.9.8" version="0.9.8s"/>
6606 <affects base="0.9.8" version="0.9.8t"/>
6607 <affects base="1.0.0" version="1.0.0"/>
6608 <affects base="1.0.0" version="1.0.0a"/>
6609 <affects base="1.0.0" version="1.0.0b"/>
6610 <affects base="1.0.0" version="1.0.0c"/>
6611 <affects base="1.0.0" version="1.0.0d"/>
6612 <affects base="1.0.0" version="1.0.0e"/>
6613 <affects base="1.0.0" version="1.0.0f"/>
6614 <affects base="1.0.0" version="1.0.0g"/>
6615 <fixed base="1.0.0" version="1.0.0h" date="20120312"/>
6616 <fixed base="0.9.8" version="0.9.8u" date="20120312"/>
6617 <advisory url="/news/secadv/20120312.txt"/>
6618 <reported source="Ivan Nestlerode"/>
6620 A weakness in the OpenSSL CMS and PKCS #7 code can be exploited
6621 using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
6622 also known as the million message attack (MMA).
6623 Only users of CMS, PKCS #7, or S/MIME decryption operations are affected,
6624 SSL/TLS applications are not affected by this issue.
6629 <issue public="20110208">
6630 <cve name="2011-0014"/>
6631 <affects base="0.9.8" version="0.9.8h"/>
6632 <affects base="0.9.8" version="0.9.8i"/>
6633 <affects base="0.9.8" version="0.9.8j"/>
6634 <affects base="0.9.8" version="0.9.8k"/>
6635 <affects base="0.9.8" version="0.9.8l"/>
6636 <affects base="0.9.8" version="0.9.8m"/>
6637 <affects base="0.9.8" version="0.9.8n"/>
6638 <affects base="0.9.8" version="0.9.8o"/>
6639 <affects base="0.9.8" version="0.9.8p"/>
6640 <affects base="0.9.8" version="0.9.8q"/>
6641 <affects base="1.0.0" version="1.0.0"/>
6642 <affects base="1.0.0" version="1.0.0a"/>
6643 <affects base="1.0.0" version="1.0.0b"/>
6644 <affects base="1.0.0" version="1.0.0c"/>
6645 <fixed base="1.0.0" version="1.0.0d" date="20110208"/>
6646 <fixed base="0.9.8" version="0.9.8r" date="20110208"/>
6647 <advisory url="/news/secadv/20110208.txt"/>
6648 <reported source="Neel Mehta"/>
6650 A buffer over-read flaw was discovered in the way OpenSSL parsed the
6651 Certificate Status Request TLS extensions in ClientHello TLS handshake
6652 messages. A remote attacker could possibly use this flaw to crash an SSL
6653 server using the affected OpenSSL functionality.
6657 <issue public="20120424">
6658 <cve name="2012-2131"/>
6659 <affects base="0.9.8" version="0.9.8v"/>
6660 <fixed base="0.9.8" version="0.9.8w" date="20120424"/>
6661 <advisory url="/news/secadv/20120424.txt"/>
6662 <reported source="Red Hat"/>
6664 It was discovered that the fix for CVE-2012-2110 released on 19 Apr
6665 2012 was not sufficient to correct the issue for OpenSSL 0.9.8. This
6666 issue only affects OpenSSL 0.9.8v. OpenSSL 1.0.1a and 1.0.0i already
6667 contain a patch sufficient to correct CVE-2012-2110.
6672 <issue public="20120419">
6673 <cve name="2012-2110"/>
6674 <affects base="0.9.8" version="0.9.8"/>
6675 <affects base="0.9.8" version="0.9.8a"/>
6676 <affects base="0.9.8" version="0.9.8b"/>
6677 <affects base="0.9.8" version="0.9.8c"/>
6678 <affects base="0.9.8" version="0.9.8d"/>
6679 <affects base="0.9.8" version="0.9.8e"/>
6680 <affects base="0.9.8" version="0.9.8f"/>
6681 <affects base="0.9.8" version="0.9.8g"/>
6682 <affects base="0.9.8" version="0.9.8h"/>
6683 <affects base="0.9.8" version="0.9.8i"/>
6684 <affects base="0.9.8" version="0.9.8j"/>
6685 <affects base="0.9.8" version="0.9.8k"/>
6686 <affects base="0.9.8" version="0.9.8l"/>
6687 <affects base="0.9.8" version="0.9.8m"/>
6688 <affects base="0.9.8" version="0.9.8n"/>
6689 <affects base="0.9.8" version="0.9.8o"/>
6690 <affects base="0.9.8" version="0.9.8p"/>
6691 <affects base="0.9.8" version="0.9.8q"/>
6692 <affects base="0.9.8" version="0.9.8r"/>
6693 <affects base="0.9.8" version="0.9.8s"/>
6694 <affects base="0.9.8" version="0.9.8t"/>
6695 <affects base="0.9.8" version="0.9.8u"/>
6696 <affects base="1.0.0" version="1.0.0"/>
6697 <affects base="1.0.0" version="1.0.0a"/>
6698 <affects base="1.0.0" version="1.0.0b"/>
6699 <affects base="1.0.0" version="1.0.0c"/>
6700 <affects base="1.0.0" version="1.0.0d"/>
6701 <affects base="1.0.0" version="1.0.0e"/>
6702 <affects base="1.0.0" version="1.0.0f"/>
6703 <affects base="1.0.0" version="1.0.0g"/>
6704 <affects base="1.0.1" version="1.0.1"/>
6705 <fixed base="1.0.1" version="1.0.1a" date="20120419"/>
6706 <fixed base="1.0.0" version="1.0.0i" date="20120419"/>
6707 <fixed base="0.9.8" version="0.9.8v" date="20120419"/>
6708 <advisory url="/news/secadv/20120419.txt"/>
6709 <reported source="Tavis Ormandy"/>
6711 Multiple numeric conversion errors, leading to a buffer overflow, were
6712 found in the way OpenSSL parsed ASN.1 (Abstract Syntax Notation One) data
6713 from BIO (OpenSSL's I/O abstraction) inputs. Specially-crafted DER
6714 (Distinguished Encoding Rules) encoded data read from a file or other BIO
6715 input could cause an application using the OpenSSL library to crash or,
6716 potentially, execute arbitrary code.
6720 <issue public="20120510">
6721 <cve name="2012-2333"/>
6722 <affects base="0.9.8" version="0.9.8"/>
6723 <affects base="0.9.8" version="0.9.8a"/>
6724 <affects base="0.9.8" version="0.9.8b"/>
6725 <affects base="0.9.8" version="0.9.8c"/>
6726 <affects base="0.9.8" version="0.9.8d"/>
6727 <affects base="0.9.8" version="0.9.8e"/>
6728 <affects base="0.9.8" version="0.9.8f"/>
6729 <affects base="0.9.8" version="0.9.8g"/>
6730 <affects base="0.9.8" version="0.9.8h"/>
6731 <affects base="0.9.8" version="0.9.8i"/>
6732 <affects base="0.9.8" version="0.9.8j"/>
6733 <affects base="0.9.8" version="0.9.8k"/>
6734 <affects base="0.9.8" version="0.9.8l"/>
6735 <affects base="0.9.8" version="0.9.8m"/>
6736 <affects base="0.9.8" version="0.9.8n"/>
6737 <affects base="0.9.8" version="0.9.8o"/>
6738 <affects base="0.9.8" version="0.9.8p"/>
6739 <affects base="0.9.8" version="0.9.8q"/>
6740 <affects base="0.9.8" version="0.9.8r"/>
6741 <affects base="0.9.8" version="0.9.8s"/>
6742 <affects base="0.9.8" version="0.9.8t"/>
6743 <affects base="0.9.8" version="0.9.8u"/>
6744 <affects base="0.9.8" version="0.9.8v"/>
6745 <affects base="0.9.8" version="0.9.8w"/>
6746 <affects base="1.0.0" version="1.0.0"/>
6747 <affects base="1.0.0" version="1.0.0a"/>
6748 <affects base="1.0.0" version="1.0.0b"/>
6749 <affects base="1.0.0" version="1.0.0c"/>
6750 <affects base="1.0.0" version="1.0.0d"/>
6751 <affects base="1.0.0" version="1.0.0e"/>
6752 <affects base="1.0.0" version="1.0.0f"/>
6753 <affects base="1.0.0" version="1.0.0g"/>
6754 <affects base="1.0.0" version="1.0.0i"/>
6755 <affects base="1.0.1" version="1.0.1"/>
6756 <affects base="1.0.1" version="1.0.1a"/>
6757 <affects base="1.0.1" version="1.0.1b"/>
6758 <fixed base="1.0.1" version="1.0.1c" date="20120510"/>
6759 <fixed base="1.0.0" version="1.0.0j" date="20120510"/>
6760 <fixed base="0.9.8" version="0.9.8x" date="20120510"/>
6761 <advisory url="/news/secadv/20120510.txt"/>
6762 <reported source="Codenomicon"/>
6764 An integer underflow flaw, leading to a buffer over-read, was found in
6765 the way OpenSSL handled TLS 1.1, TLS 1.2, and DTLS (Datagram Transport
6766 Layer Security) application data record lengths when using a block
6767 cipher in CBC (cipher-block chaining) mode. A malicious TLS 1.1, TLS
6768 1.2, or DTLS client or server could use this flaw to crash its connection
6773 <issue public="20130204">
6774 <cve name="2013-0169"/>
6775 <affects base="0.9.8" version="0.9.8"/>
6776 <affects base="0.9.8" version="0.9.8a"/>
6777 <affects base="0.9.8" version="0.9.8b"/>
6778 <affects base="0.9.8" version="0.9.8c"/>
6779 <affects base="0.9.8" version="0.9.8d"/>
6780 <affects base="0.9.8" version="0.9.8e"/>
6781 <affects base="0.9.8" version="0.9.8f"/>
6782 <affects base="0.9.8" version="0.9.8g"/>
6783 <affects base="0.9.8" version="0.9.8h"/>
6784 <affects base="0.9.8" version="0.9.8i"/>
6785 <affects base="0.9.8" version="0.9.8j"/>
6786 <affects base="0.9.8" version="0.9.8k"/>
6787 <affects base="0.9.8" version="0.9.8l"/>
6788 <affects base="0.9.8" version="0.9.8m"/>
6789 <affects base="0.9.8" version="0.9.8n"/>
6790 <affects base="0.9.8" version="0.9.8o"/>
6791 <affects base="0.9.8" version="0.9.8p"/>
6792 <affects base="0.9.8" version="0.9.8q"/>
6793 <affects base="0.9.8" version="0.9.8r"/>
6794 <affects base="0.9.8" version="0.9.8s"/>
6795 <affects base="0.9.8" version="0.9.8t"/>
6796 <affects base="0.9.8" version="0.9.8u"/>
6797 <affects base="0.9.8" version="0.9.8v"/>
6798 <affects base="0.9.8" version="0.9.8w"/>
6799 <affects base="0.9.8" version="0.9.8x"/>
6800 <affects base="1.0.0" version="1.0.0"/>
6801 <affects base="1.0.0" version="1.0.0a"/>
6802 <affects base="1.0.0" version="1.0.0b"/>
6803 <affects base="1.0.0" version="1.0.0c"/>
6804 <affects base="1.0.0" version="1.0.0d"/>
6805 <affects base="1.0.0" version="1.0.0e"/>
6806 <affects base="1.0.0" version="1.0.0f"/>
6807 <affects base="1.0.0" version="1.0.0g"/>
6808 <affects base="1.0.0" version="1.0.0i"/>
6809 <affects base="1.0.0" version="1.0.0j"/>
6810 <affects base="1.0.1" version="1.0.1"/>
6811 <affects base="1.0.1" version="1.0.1a"/>
6812 <affects base="1.0.1" version="1.0.1b"/>
6813 <affects base="1.0.1" version="1.0.1c"/>
6814 <fixed base="1.0.1" version="1.0.1d" date="20130205"/>
6815 <fixed base="1.0.0" version="1.0.0k" date="20130205"/>
6816 <fixed base="0.9.8" version="0.9.8y" date="20130205"/>
6817 <advisory url="/news/secadv/20130205.txt"/>
6818 <reported source="Nadhem J. AlFardan and Kenneth G. Paterson of the Information Security Group Royal Holloway, University of London"/>
6820 A weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS which could
6821 lead to plaintext recovery by exploiting timing differences
6822 arising during MAC processing.
6826 <issue public="20130205">
6827 <cve name="2012-2686"/>
6828 <affects base="1.0.1" version="1.0.1"/>
6829 <affects base="1.0.1" version="1.0.1a"/>
6830 <affects base="1.0.1" version="1.0.1b"/>
6831 <affects base="1.0.1" version="1.0.1c"/>
6832 <fixed base="1.0.1" version="1.0.1d" date="20130205"/>
6833 <advisory url="/news/secadv/20130205.txt"/>
6834 <reported source="Adam Langley and Wolfgang Ettlinger"/>
6836 A flaw in the OpenSSL handling of CBC ciphersuites in TLS 1.1 and TLS 1.2 on
6837 AES-NI supporting platforms can be exploited in a DoS attack.
6841 <issue public="20130205">
6842 <cve name="2013-0166"/>
6843 <affects base="0.9.8" version="0.9.8"/>
6844 <affects base="0.9.8" version="0.9.8a"/>
6845 <affects base="0.9.8" version="0.9.8b"/>
6846 <affects base="0.9.8" version="0.9.8c"/>
6847 <affects base="0.9.8" version="0.9.8d"/>
6848 <affects base="0.9.8" version="0.9.8e"/>
6849 <affects base="0.9.8" version="0.9.8f"/>
6850 <affects base="0.9.8" version="0.9.8g"/>
6851 <affects base="0.9.8" version="0.9.8h"/>
6852 <affects base="0.9.8" version="0.9.8i"/>
6853 <affects base="0.9.8" version="0.9.8j"/>
6854 <affects base="0.9.8" version="0.9.8k"/>
6855 <affects base="0.9.8" version="0.9.8l"/>
6856 <affects base="0.9.8" version="0.9.8m"/>
6857 <affects base="0.9.8" version="0.9.8n"/>
6858 <affects base="0.9.8" version="0.9.8o"/>
6859 <affects base="0.9.8" version="0.9.8p"/>
6860 <affects base="0.9.8" version="0.9.8q"/>
6861 <affects base="0.9.8" version="0.9.8r"/>
6862 <affects base="0.9.8" version="0.9.8s"/>
6863 <affects base="0.9.8" version="0.9.8t"/>
6864 <affects base="0.9.8" version="0.9.8u"/>
6865 <affects base="0.9.8" version="0.9.8v"/>
6866 <affects base="0.9.8" version="0.9.8w"/>
6867 <affects base="0.9.8" version="0.9.8x"/>
6868 <affects base="1.0.0" version="1.0.0"/>
6869 <affects base="1.0.0" version="1.0.0a"/>
6870 <affects base="1.0.0" version="1.0.0b"/>
6871 <affects base="1.0.0" version="1.0.0c"/>
6872 <affects base="1.0.0" version="1.0.0d"/>
6873 <affects base="1.0.0" version="1.0.0e"/>
6874 <affects base="1.0.0" version="1.0.0f"/>
6875 <affects base="1.0.0" version="1.0.0g"/>
6876 <affects base="1.0.0" version="1.0.0i"/>
6877 <affects base="1.0.0" version="1.0.0j"/>
6878 <affects base="1.0.1" version="1.0.1"/>
6879 <affects base="1.0.1" version="1.0.1a"/>
6880 <affects base="1.0.1" version="1.0.1b"/>
6881 <affects base="1.0.1" version="1.0.1c"/>
6882 <fixed base="1.0.1" version="1.0.1d" date="20130205"/>
6883 <fixed base="1.0.0" version="1.0.0k" date="20130205"/>
6884 <fixed base="0.9.8" version="0.9.8y" date="20130205"/>
6885 <advisory url="/news/secadv/20130205.txt"/>
6886 <reported source="Stephen Henson"/>
6888 A flaw in the OpenSSL handling of OCSP response verification can be exploited in
6889 a denial of service attack.
6893 <issue public="20131213">
6894 <cve name="2013-6450"/>
6895 <affects base="1.0.0" version="1.0.0"/>
6896 <affects base="1.0.0" version="1.0.0a"/>
6897 <affects base="1.0.0" version="1.0.0b"/>
6898 <affects base="1.0.0" version="1.0.0c"/>
6899 <affects base="1.0.0" version="1.0.0d"/>
6900 <affects base="1.0.0" version="1.0.0e"/>
6901 <affects base="1.0.0" version="1.0.0f"/>
6902 <affects base="1.0.0" version="1.0.0g"/>
6903 <affects base="1.0.0" version="1.0.0i"/>
6904 <affects base="1.0.0" version="1.0.0j"/>
6905 <affects base="1.0.0" version="1.0.0k"/>
6906 <affects base="1.0.1" version="1.0.1"/>
6907 <affects base="1.0.1" version="1.0.1a"/>
6908 <affects base="1.0.1" version="1.0.1b"/>
6909 <affects base="1.0.1" version="1.0.1c"/>
6910 <affects base="1.0.1" version="1.0.1d"/>
6911 <affects base="1.0.1" version="1.0.1e"/>
6912 <fixed base="1.0.1" version="1.0.1f" date="20140106">
6913 <git hash="3462896"/>
6915 <fixed base="1.0.0" version="1.0.0l" date="20140106"/>
6916 <reported source="Dmitry Sobinov"/>
6918 A flaw in DTLS handling can cause an application using OpenSSL and DTLS to crash.
6919 This is not a vulnerability for OpenSSL prior to 1.0.0.
6923 <issue public="20131214">
6924 <cve name="2013-6449"/>
6925 <affects base="1.0.1" version="1.0.1"/>
6926 <affects base="1.0.1" version="1.0.1a"/>
6927 <affects base="1.0.1" version="1.0.1b"/>
6928 <affects base="1.0.1" version="1.0.1c"/>
6929 <affects base="1.0.1" version="1.0.1d"/>
6930 <affects base="1.0.1" version="1.0.1e"/>
6931 <fixed base="1.0.1" version="1.0.1f" date="20140106">
6932 <git hash="ca98926"/>
6934 <reported source="Ron Barber"/>
6936 A flaw in OpenSSL can cause an application using OpenSSL to crash when using TLS version 1.2.
6937 This issue only affected OpenSSL 1.0.1 versions.
6941 <issue public="20140106">
6942 <cve name="2013-4353"/>
6943 <affects base="1.0.1" version="1.0.1"/>
6944 <affects base="1.0.1" version="1.0.1a"/>
6945 <affects base="1.0.1" version="1.0.1b"/>
6946 <affects base="1.0.1" version="1.0.1c"/>
6947 <affects base="1.0.1" version="1.0.1d"/>
6948 <affects base="1.0.1" version="1.0.1e"/>
6949 <fixed base="1.0.1" version="1.0.1f" date="20140106">
6950 <git hash="197e0ea817ad64820789d86711d55ff50d71f631"/>
6952 <reported source="Anton Johansson"/>
6954 A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL pointer exception. A malicious
6955 server could use this flaw to crash a connecting client. This issue only affected OpenSSL 1.0.1 versions.
6959 <issue public="20140214">
6960 <cve name="2014-0076"/>
6961 <advisory url="/news/secadv/20140605.txt"/>
6962 <affects base="0.9.8" version="0.9.8"/>
6963 <affects base="0.9.8" version="0.9.8a"/>
6964 <affects base="0.9.8" version="0.9.8b"/>
6965 <affects base="0.9.8" version="0.9.8c"/>
6966 <affects base="0.9.8" version="0.9.8d"/>
6967 <affects base="0.9.8" version="0.9.8e"/>
6968 <affects base="0.9.8" version="0.9.8f"/>
6969 <affects base="0.9.8" version="0.9.8g"/>
6970 <affects base="0.9.8" version="0.9.8h"/>
6971 <affects base="0.9.8" version="0.9.8i"/>
6972 <affects base="0.9.8" version="0.9.8j"/>
6973 <affects base="0.9.8" version="0.9.8k"/>
6974 <affects base="0.9.8" version="0.9.8l"/>
6975 <affects base="0.9.8" version="0.9.8m"/>
6976 <affects base="0.9.8" version="0.9.8n"/>
6977 <affects base="0.9.8" version="0.9.8o"/>
6978 <affects base="0.9.8" version="0.9.8p"/>
6979 <affects base="0.9.8" version="0.9.8q"/>
6980 <affects base="0.9.8" version="0.9.8r"/>
6981 <affects base="0.9.8" version="0.9.8s"/>
6982 <affects base="0.9.8" version="0.9.8t"/>
6983 <affects base="0.9.8" version="0.9.8u"/>
6984 <affects base="0.9.8" version="0.9.8v"/>
6985 <affects base="0.9.8" version="0.9.8w"/>
6986 <affects base="0.9.8" version="0.9.8x"/>
6987 <affects base="0.9.8" version="0.9.8y"/>
6988 <affects base="1.0.0" version="1.0.0"/>
6989 <affects base="1.0.0" version="1.0.0a"/>
6990 <affects base="1.0.0" version="1.0.0b"/>
6991 <affects base="1.0.0" version="1.0.0c"/>
6992 <affects base="1.0.0" version="1.0.0d"/>
6993 <affects base="1.0.0" version="1.0.0e"/>
6994 <affects base="1.0.0" version="1.0.0f"/>
6995 <affects base="1.0.0" version="1.0.0g"/>
6996 <affects base="1.0.0" version="1.0.0i"/>
6997 <affects base="1.0.0" version="1.0.0j"/>
6998 <affects base="1.0.0" version="1.0.0k"/>
6999 <affects base="1.0.0" version="1.0.0l"/>
7000 <affects base="1.0.1" version="1.0.1"/>
7001 <affects base="1.0.1" version="1.0.1a"/>
7002 <affects base="1.0.1" version="1.0.1b"/>
7003 <affects base="1.0.1" version="1.0.1c"/>
7004 <affects base="1.0.1" version="1.0.1d"/>
7005 <affects base="1.0.1" version="1.0.1e"/>
7006 <affects base="1.0.1" version="1.0.1f"/>
7007 <fixed base="1.0.1" version="1.0.1g" date="20140409">
7008 <git hash="4b7a4ba29cafa432fc4266fe6e59e60bc1c96332"/>
7010 <fixed base="1.0.0" version="1.0.0m" date="20140312">
7011 <git hash="2198be3483259de374f91e57d247d0fc667aef29"/>
7013 <fixed base="0.9.8" version="0.9.8za" date="20140605">
7015 <reported source="Yuval Yarom and Naomi Benger"/>
7017 Fix for the attack described in the paper "Recovering OpenSSL
7018 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
7022 <issue public="20140407">
7023 <cve name="2014-0160"/>
7024 <affects base="1.0.1" version="1.0.1"/>
7025 <affects base="1.0.1" version="1.0.1a"/>
7026 <affects base="1.0.1" version="1.0.1b"/>
7027 <affects base="1.0.1" version="1.0.1c"/>
7028 <affects base="1.0.1" version="1.0.1d"/>
7029 <affects base="1.0.1" version="1.0.1e"/>
7030 <affects base="1.0.1" version="1.0.1f"/>
7031 <fixed base="1.0.1" version="1.0.1g" date="20140409">
7033 <advisory url="/news/secadv/20140407.txt"/>
7034 <reported source="Neel Mehta"/>
7036 A missing bounds check in the handling of the TLS heartbeat extension can be
7037 used to reveal up to 64kB of memory to a connected client or server (a.k.a. Heartbleed). This
7038 issue did not affect versions of OpenSSL prior to 1.0.1.
7042 <issue public="20140605">
7043 <cve name="2014-0224"/>
7044 <affects base="0.9.8" version="0.9.8"/>
7045 <affects base="0.9.8" version="0.9.8a"/>
7046 <affects base="0.9.8" version="0.9.8b"/>
7047 <affects base="0.9.8" version="0.9.8c"/>
7048 <affects base="0.9.8" version="0.9.8d"/>
7049 <affects base="0.9.8" version="0.9.8e"/>
7050 <affects base="0.9.8" version="0.9.8f"/>
7051 <affects base="0.9.8" version="0.9.8g"/>
7052 <affects base="0.9.8" version="0.9.8h"/>
7053 <affects base="0.9.8" version="0.9.8i"/>
7054 <affects base="0.9.8" version="0.9.8j"/>
7055 <affects base="0.9.8" version="0.9.8k"/>
7056 <affects base="0.9.8" version="0.9.8l"/>
7057 <affects base="0.9.8" version="0.9.8m"/>
7058 <affects base="0.9.8" version="0.9.8n"/>
7059 <affects base="0.9.8" version="0.9.8o"/>
7060 <affects base="0.9.8" version="0.9.8p"/>
7061 <affects base="0.9.8" version="0.9.8q"/>
7062 <affects base="0.9.8" version="0.9.8r"/>
7063 <affects base="0.9.8" version="0.9.8s"/>
7064 <affects base="0.9.8" version="0.9.8t"/>
7065 <affects base="0.9.8" version="0.9.8u"/>
7066 <affects base="0.9.8" version="0.9.8v"/>
7067 <affects base="0.9.8" version="0.9.8w"/>
7068 <affects base="0.9.8" version="0.9.8x"/>
7069 <affects base="0.9.8" version="0.9.8y"/>
7070 <affects base="1.0.0" version="1.0.0"/>
7071 <affects base="1.0.0" version="1.0.0a"/>
7072 <affects base="1.0.0" version="1.0.0b"/>
7073 <affects base="1.0.0" version="1.0.0c"/>
7074 <affects base="1.0.0" version="1.0.0d"/>
7075 <affects base="1.0.0" version="1.0.0e"/>
7076 <affects base="1.0.0" version="1.0.0f"/>
7077 <affects base="1.0.0" version="1.0.0g"/>
7078 <affects base="1.0.0" version="1.0.0i"/>
7079 <affects base="1.0.0" version="1.0.0j"/>
7080 <affects base="1.0.0" version="1.0.0k"/>
7081 <affects base="1.0.0" version="1.0.0l"/>
7082 <affects base="1.0.1" version="1.0.1"/>
7083 <affects base="1.0.1" version="1.0.1a"/>
7084 <affects base="1.0.1" version="1.0.1b"/>
7085 <affects base="1.0.1" version="1.0.1c"/>
7086 <affects base="1.0.1" version="1.0.1d"/>
7087 <affects base="1.0.1" version="1.0.1e"/>
7088 <affects base="1.0.1" version="1.0.1f"/>
7089 <affects base="1.0.1" version="1.0.1g"/>
7090 <fixed base="1.0.1" version="1.0.1h" date="20140605">
7092 <fixed base="1.0.0" version="1.0.0m" date="20140605">
7094 <fixed base="0.9.8" version="0.9.8za" date="20140605">
7097 An attacker can force the use of weak
7098 keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
7099 by a Man-in-the-middle (MITM) attack where the attacker can decrypt and
7100 modify traffic from the attacked client and server.
7102 <advisory url="/news/secadv/20140605.txt"/>
7103 <reported source="KIKUCHI Masashi (Lepidum Co. Ltd.)"/>
7106 <issue public="20140605">
7107 <cve name="2014-0221"/>
7108 <affects base="0.9.8" version="0.9.8"/>
7109 <affects base="0.9.8" version="0.9.8a"/>
7110 <affects base="0.9.8" version="0.9.8b"/>
7111 <affects base="0.9.8" version="0.9.8c"/>
7112 <affects base="0.9.8" version="0.9.8d"/>
7113 <affects base="0.9.8" version="0.9.8e"/>
7114 <affects base="0.9.8" version="0.9.8f"/>
7115 <affects base="0.9.8" version="0.9.8g"/>
7116 <affects base="0.9.8" version="0.9.8h"/>
7117 <affects base="0.9.8" version="0.9.8i"/>
7118 <affects base="0.9.8" version="0.9.8j"/>
7119 <affects base="0.9.8" version="0.9.8k"/>
7120 <affects base="0.9.8" version="0.9.8l"/>
7121 <affects base="0.9.8" version="0.9.8m"/>
7122 <affects base="0.9.8" version="0.9.8n"/>
7123 <affects base="0.9.8" version="0.9.8o"/>
7124 <affects base="0.9.8" version="0.9.8p"/>
7125 <affects base="0.9.8" version="0.9.8q"/>
7126 <affects base="0.9.8" version="0.9.8r"/>
7127 <affects base="0.9.8" version="0.9.8s"/>
7128 <affects base="0.9.8" version="0.9.8t"/>
7129 <affects base="0.9.8" version="0.9.8u"/>
7130 <affects base="0.9.8" version="0.9.8v"/>
7131 <affects base="0.9.8" version="0.9.8w"/>
7132 <affects base="0.9.8" version="0.9.8x"/>
7133 <affects base="0.9.8" version="0.9.8y"/>
7134 <affects base="1.0.0" version="1.0.0"/>
7135 <affects base="1.0.0" version="1.0.0a"/>
7136 <affects base="1.0.0" version="1.0.0b"/>
7137 <affects base="1.0.0" version="1.0.0c"/>
7138 <affects base="1.0.0" version="1.0.0d"/>
7139 <affects base="1.0.0" version="1.0.0e"/>
7140 <affects base="1.0.0" version="1.0.0f"/>
7141 <affects base="1.0.0" version="1.0.0g"/>
7142 <affects base="1.0.0" version="1.0.0i"/>
7143 <affects base="1.0.0" version="1.0.0j"/>
7144 <affects base="1.0.0" version="1.0.0k"/>
7145 <affects base="1.0.0" version="1.0.0l"/>
7146 <affects base="1.0.1" version="1.0.1"/>
7147 <affects base="1.0.1" version="1.0.1a"/>
7148 <affects base="1.0.1" version="1.0.1b"/>
7149 <affects base="1.0.1" version="1.0.1c"/>
7150 <affects base="1.0.1" version="1.0.1d"/>
7151 <affects base="1.0.1" version="1.0.1e"/>
7152 <affects base="1.0.1" version="1.0.1f"/>
7153 <affects base="1.0.1" version="1.0.1g"/>
7154 <fixed base="1.0.1" version="1.0.1h" date="20140605">
7156 <fixed base="1.0.0" version="1.0.0m" date="20140605">
7158 <fixed base="0.9.8" version="0.9.8za" date="20140605">
7160 <description>By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. Only applications using OpenSSL as a DTLS client are affected.</description>
7161 <advisory url="/news/secadv/20140605.txt"/>
7162 <reported source="Imre Rad (Search-Lab Ltd.)"/>
7165 <issue public="20140605">
7166 <cve name="2014-0195"/>
7167 <affects base="0.9.8" version="0.9.8o"/>
7168 <affects base="0.9.8" version="0.9.8p"/>
7169 <affects base="0.9.8" version="0.9.8q"/>
7170 <affects base="0.9.8" version="0.9.8r"/>
7171 <affects base="0.9.8" version="0.9.8s"/>
7172 <affects base="0.9.8" version="0.9.8t"/>
7173 <affects base="0.9.8" version="0.9.8u"/>
7174 <affects base="0.9.8" version="0.9.8v"/>
7175 <affects base="0.9.8" version="0.9.8w"/>
7176 <affects base="0.9.8" version="0.9.8x"/>
7177 <affects base="0.9.8" version="0.9.8y"/>
7178 <affects base="1.0.0" version="1.0.0"/>
7179 <affects base="1.0.0" version="1.0.0a"/>
7180 <affects base="1.0.0" version="1.0.0b"/>
7181 <affects base="1.0.0" version="1.0.0c"/>
7182 <affects base="1.0.0" version="1.0.0d"/>
7183 <affects base="1.0.0" version="1.0.0e"/>
7184 <affects base="1.0.0" version="1.0.0f"/>
7185 <affects base="1.0.0" version="1.0.0g"/>
7186 <affects base="1.0.0" version="1.0.0i"/>
7187 <affects base="1.0.0" version="1.0.0j"/>
7188 <affects base="1.0.0" version="1.0.0k"/>
7189 <affects base="1.0.0" version="1.0.0l"/>
7190 <affects base="1.0.1" version="1.0.1"/>
7191 <affects base="1.0.1" version="1.0.1a"/>
7192 <affects base="1.0.1" version="1.0.1b"/>
7193 <affects base="1.0.1" version="1.0.1c"/>
7194 <affects base="1.0.1" version="1.0.1d"/>
7195 <affects base="1.0.1" version="1.0.1e"/>
7196 <affects base="1.0.1" version="1.0.1f"/>
7197 <affects base="1.0.1" version="1.0.1g"/>
7198 <fixed base="1.0.1" version="1.0.1h" date="20140605">
7200 <fixed base="1.0.0" version="1.0.0m" date="20140605">
7202 <fixed base="0.9.8" version="0.9.8za" date="20140605">
7204 <description>A buffer overrun attack can be triggered by sending invalid DTLS fragments
7205 to an OpenSSL DTLS client or server. This is potentially exploitable to
7206 run arbitrary code on a vulnerable client or server. Only applications using OpenSSL as a DTLS client or server affected.
7208 <advisory url="/news/secadv/20140605.txt"/>
7209 <reported source="Jüri Aedla"/>
7212 <issue public="20140421">
7213 <cve name="2014-0198"/>
7214 <affects base="1.0.0" version="1.0.0"/>
7215 <affects base="1.0.0" version="1.0.0a"/>
7216 <affects base="1.0.0" version="1.0.0b"/>
7217 <affects base="1.0.0" version="1.0.0c"/>
7218 <affects base="1.0.0" version="1.0.0d"/>
7219 <affects base="1.0.0" version="1.0.0e"/>
7220 <affects base="1.0.0" version="1.0.0f"/>
7221 <affects base="1.0.0" version="1.0.0g"/>
7222 <affects base="1.0.0" version="1.0.0i"/>
7223 <affects base="1.0.0" version="1.0.0j"/>
7224 <affects base="1.0.0" version="1.0.0k"/>
7225 <affects base="1.0.0" version="1.0.0l"/>
7226 <affects base="1.0.1" version="1.0.1"/>
7227 <affects base="1.0.1" version="1.0.1a"/>
7228 <affects base="1.0.1" version="1.0.1b"/>
7229 <affects base="1.0.1" version="1.0.1c"/>
7230 <affects base="1.0.1" version="1.0.1d"/>
7231 <affects base="1.0.1" version="1.0.1e"/>
7232 <affects base="1.0.1" version="1.0.1f"/>
7233 <affects base="1.0.1" version="1.0.1g"/>
7234 <fixed base="1.0.1" version="1.0.1h" date="20140605">
7236 <fixed base="1.0.0" version="1.0.0m" date="20140605">
7238 <description>A flaw in the do_ssl3_write function can allow remote attackers to
7239 cause a denial of service via a NULL pointer dereference. This flaw
7240 only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is
7241 enabled, which is not the default and not common.</description>
7242 <advisory url="/news/secadv/20140605.txt"/>
7245 <issue public="20140408">
7246 <cve name="2010-5298"/>
7247 <affects base="1.0.0" version="1.0.0"/>
7248 <affects base="1.0.0" version="1.0.0a"/>
7249 <affects base="1.0.0" version="1.0.0b"/>
7250 <affects base="1.0.0" version="1.0.0c"/>
7251 <affects base="1.0.0" version="1.0.0d"/>
7252 <affects base="1.0.0" version="1.0.0e"/>
7253 <affects base="1.0.0" version="1.0.0f"/>
7254 <affects base="1.0.0" version="1.0.0g"/>
7255 <affects base="1.0.0" version="1.0.0i"/>
7256 <affects base="1.0.0" version="1.0.0j"/>
7257 <affects base="1.0.0" version="1.0.0k"/>
7258 <affects base="1.0.0" version="1.0.0l"/>
7259 <affects base="1.0.1" version="1.0.1"/>
7260 <affects base="1.0.1" version="1.0.1a"/>
7261 <affects base="1.0.1" version="1.0.1b"/>
7262 <affects base="1.0.1" version="1.0.1c"/>
7263 <affects base="1.0.1" version="1.0.1d"/>
7264 <affects base="1.0.1" version="1.0.1e"/>
7265 <affects base="1.0.1" version="1.0.1f"/>
7266 <affects base="1.0.1" version="1.0.1g"/>
7267 <fixed base="1.0.1" version="1.0.1h" date="20140605">
7269 <fixed base="1.0.0" version="1.0.0m" date="20140605">
7271 <description>A race condition in the ssl3_read_bytes function can allow remote
7272 attackers to inject data across sessions or cause a denial of service.
7273 This flaw only affects multithreaded applications using OpenSSL 1.0.0
7274 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the
7275 default and not common.</description>
7276 <advisory url="/news/secadv/20140605.txt"/>
7279 <issue public="20140530">
7280 <cve name="2014-3470"/>
7281 <affects base="0.9.8" version="0.9.8"/>
7282 <affects base="0.9.8" version="0.9.8a"/>
7283 <affects base="0.9.8" version="0.9.8b"/>
7284 <affects base="0.9.8" version="0.9.8c"/>
7285 <affects base="0.9.8" version="0.9.8d"/>
7286 <affects base="0.9.8" version="0.9.8e"/>
7287 <affects base="0.9.8" version="0.9.8f"/>
7288 <affects base="0.9.8" version="0.9.8g"/>
7289 <affects base="0.9.8" version="0.9.8h"/>
7290 <affects base="0.9.8" version="0.9.8i"/>
7291 <affects base="0.9.8" version="0.9.8j"/>
7292 <affects base="0.9.8" version="0.9.8k"/>
7293 <affects base="0.9.8" version="0.9.8l"/>
7294 <affects base="0.9.8" version="0.9.8m"/>
7295 <affects base="0.9.8" version="0.9.8n"/>
7296 <affects base="0.9.8" version="0.9.8o"/>
7297 <affects base="0.9.8" version="0.9.8p"/>
7298 <affects base="0.9.8" version="0.9.8q"/>
7299 <affects base="0.9.8" version="0.9.8r"/>
7300 <affects base="0.9.8" version="0.9.8s"/>
7301 <affects base="0.9.8" version="0.9.8t"/>
7302 <affects base="0.9.8" version="0.9.8u"/>
7303 <affects base="0.9.8" version="0.9.8v"/>
7304 <affects base="0.9.8" version="0.9.8w"/>
7305 <affects base="0.9.8" version="0.9.8x"/>
7306 <affects base="0.9.8" version="0.9.8y"/>
7307 <affects base="1.0.0" version="1.0.0"/>
7308 <affects base="1.0.0" version="1.0.0a"/>
7309 <affects base="1.0.0" version="1.0.0b"/>
7310 <affects base="1.0.0" version="1.0.0c"/>
7311 <affects base="1.0.0" version="1.0.0d"/>
7312 <affects base="1.0.0" version="1.0.0e"/>
7313 <affects base="1.0.0" version="1.0.0f"/>
7314 <affects base="1.0.0" version="1.0.0g"/>
7315 <affects base="1.0.0" version="1.0.0i"/>
7316 <affects base="1.0.0" version="1.0.0j"/>
7317 <affects base="1.0.0" version="1.0.0k"/>
7318 <affects base="1.0.0" version="1.0.0l"/>
7319 <affects base="1.0.1" version="1.0.1"/>
7320 <affects base="1.0.1" version="1.0.1a"/>
7321 <affects base="1.0.1" version="1.0.1b"/>
7322 <affects base="1.0.1" version="1.0.1c"/>
7323 <affects base="1.0.1" version="1.0.1d"/>
7324 <affects base="1.0.1" version="1.0.1e"/>
7325 <affects base="1.0.1" version="1.0.1f"/>
7326 <affects base="1.0.1" version="1.0.1g"/>
7327 <fixed base="1.0.1" version="1.0.1h" date="20140605">
7329 <fixed base="1.0.0" version="1.0.0m" date="20140605">
7331 <fixed base="0.9.8" version="0.9.8za" date="20140605">
7333 <description>OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a
7334 denial of service attack.</description>
7335 <reported source="Felix Gröbert and Ivan Fratrić (Google)"/>
7336 <advisory url="/news/secadv/20140605.txt"/>
7339 <statement base="none">Note: All OpenSSL versions before 1.1.1 are out of support and no longer receiving updates. Extended support is available for 1.0.2 from OpenSSL Software Services for premium support customers.</statement>
7340 <statement base="0.9.6">OpenSSL 0.9.6 is out of support and no longer receiving updates.</statement>
7341 <statement base="0.9.7">OpenSSL 0.9.7 is out of support and no longer receiving updates.</statement>
7342 <statement base="0.9.8">OpenSSL 0.9.8 is out of support since 1st January 2016 and no longer receiving updates.</statement>
7343 <statement base="1.0.0">OpenSSL 1.0.0 is out of support since 1st January 2016 and no longer receiving updates.</statement>
7344 <statement base="1.0.1">OpenSSL 1.0.1 is out of support since 1st January 2017 and no longer receiving updates.</statement>
7345 <statement base="1.0.2">OpenSSL 1.0.2 is out of support since 1st January 2020 and is no longer receiving updates. Extended support is available from OpenSSL Software Services for premium support customers</statement>
7346 <statement base="1.1.0">OpenSSL 1.1.0 is out of support since 12th September 2019 and no longer receiving updates.</statement>