1 <!-- All security issues affecting OpenSSL since the release of:
8 <security updated="20160922">
9 <issue public="20160922">
10 <impact severity="High"/>
11 <cve name="2016-6304"/>
12 <affects base="1.0.1" version="1.0.1"/>
13 <affects base="1.0.1" version="1.0.1a"/>
14 <affects base="1.0.1" version="1.0.1b"/>
15 <affects base="1.0.1" version="1.0.1c"/>
16 <affects base="1.0.1" version="1.0.1d"/>
17 <affects base="1.0.1" version="1.0.1e"/>
18 <affects base="1.0.1" version="1.0.1f"/>
19 <affects base="1.0.1" version="1.0.1g"/>
20 <affects base="1.0.1" version="1.0.1h"/>
21 <affects base="1.0.1" version="1.0.1i"/>
22 <affects base="1.0.1" version="1.0.1j"/>
23 <affects base="1.0.1" version="1.0.1k"/>
24 <affects base="1.0.1" version="1.0.1l"/>
25 <affects base="1.0.1" version="1.0.1m"/>
26 <affects base="1.0.1" version="1.0.1n"/>
27 <affects base="1.0.1" version="1.0.1o"/>
28 <affects base="1.0.1" version="1.0.1p"/>
29 <affects base="1.0.1" version="1.0.1q"/>
30 <affects base="1.0.1" version="1.0.1r"/>
31 <affects base="1.0.1" version="1.0.1s"/>
32 <affects base="1.0.1" version="1.0.1t"/>
33 <affects base="1.0.2" version="1.0.2"/>
34 <affects base="1.0.2" version="1.0.2a"/>
35 <affects base="1.0.2" version="1.0.2b"/>
36 <affects base="1.0.2" version="1.0.2c"/>
37 <affects base="1.0.2" version="1.0.2d"/>
38 <affects base="1.0.2" version="1.0.2e"/>
39 <affects base="1.0.2" version="1.0.2f"/>
40 <affects base="1.0.2" version="1.0.2g"/>
41 <affects base="1.0.2" version="1.0.2h"/>
42 <affects base="1.1.0" version="1.1.0"/>
43 <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
44 <fixed base="1.0.2" version="1.0.2i" date="20160922"/>
45 <fixed base="1.1.0" version="1.1.0a" date="20160922"/>
48 A malicious client can send an excessively large OCSP Status Request extension.
49 If that client continually requests renegotiation, sending a large OCSP Status
50 Request extension each time, then there will be unbounded memory growth on the
51 server. This will eventually lead to a Denial Of Service attack through memory
52 exhaustion. Servers with a default configuration are vulnerable even if they do
53 not support OCSP. Builds using the "no-ocsp" build time option are not affected.
55 Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default
56 configuration, instead only if an application explicitly enables OCSP stapling
59 <advisory url="/news/secadv/20160922.txt"/>
60 <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)"/>
62 <issue public="20160922">
63 <impact severity="Moderate"/>
64 <cve name="2016-6305"/>
65 <affects base="1.1.0" version="1.1.0"/>
66 <fixed base="1.1.0" version="1.1.0a" date="20160922"/>
69 OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer sends an
70 empty record. This could be exploited by a malicious peer in a Denial Of Service
73 <advisory url="/news/secadv/20160922.txt"/>
74 <reported source="Alex Gaynor"/>
76 <issue public="20160824">
77 <impact severity="Low"/>
78 <cve name="2016-6303"/>
79 <affects base="1.0.1" version="1.0.1"/>
80 <affects base="1.0.1" version="1.0.1a"/>
81 <affects base="1.0.1" version="1.0.1b"/>
82 <affects base="1.0.1" version="1.0.1c"/>
83 <affects base="1.0.1" version="1.0.1d"/>
84 <affects base="1.0.1" version="1.0.1e"/>
85 <affects base="1.0.1" version="1.0.1f"/>
86 <affects base="1.0.1" version="1.0.1g"/>
87 <affects base="1.0.1" version="1.0.1h"/>
88 <affects base="1.0.1" version="1.0.1i"/>
89 <affects base="1.0.1" version="1.0.1j"/>
90 <affects base="1.0.1" version="1.0.1k"/>
91 <affects base="1.0.1" version="1.0.1l"/>
92 <affects base="1.0.1" version="1.0.1m"/>
93 <affects base="1.0.1" version="1.0.1n"/>
94 <affects base="1.0.1" version="1.0.1o"/>
95 <affects base="1.0.1" version="1.0.1p"/>
96 <affects base="1.0.1" version="1.0.1q"/>
97 <affects base="1.0.1" version="1.0.1r"/>
98 <affects base="1.0.1" version="1.0.1s"/>
99 <affects base="1.0.1" version="1.0.1t"/>
100 <affects base="1.0.2" version="1.0.2"/>
101 <affects base="1.0.2" version="1.0.2a"/>
102 <affects base="1.0.2" version="1.0.2b"/>
103 <affects base="1.0.2" version="1.0.2c"/>
104 <affects base="1.0.2" version="1.0.2d"/>
105 <affects base="1.0.2" version="1.0.2e"/>
106 <affects base="1.0.2" version="1.0.2f"/>
107 <affects base="1.0.2" version="1.0.2g"/>
108 <affects base="1.0.2" version="1.0.2h"/>
109 <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
110 <fixed base="1.0.2" version="1.0.2i" date="20160922"/>
113 An overflow can occur in MDC2_Update() either if called directly or
114 through the EVP_DigestUpdate() function using MDC2. If an attacker
115 is able to supply very large amounts of input data after a previous
116 call to EVP_EncryptUpdate() with a partial block then a length check
117 can overflow resulting in a heap corruption.
119 The amount of data needed is comparable to SIZE_MAX which is impractical
122 <advisory url="/news/secadv/20160922.txt"/>
123 <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)"/>
125 <issue public="20160823">
126 <impact severity="Low"/>
127 <cve name="2016-6302"/>
128 <affects base="1.0.1" version="1.0.1"/>
129 <affects base="1.0.1" version="1.0.1a"/>
130 <affects base="1.0.1" version="1.0.1b"/>
131 <affects base="1.0.1" version="1.0.1c"/>
132 <affects base="1.0.1" version="1.0.1d"/>
133 <affects base="1.0.1" version="1.0.1e"/>
134 <affects base="1.0.1" version="1.0.1f"/>
135 <affects base="1.0.1" version="1.0.1g"/>
136 <affects base="1.0.1" version="1.0.1h"/>
137 <affects base="1.0.1" version="1.0.1i"/>
138 <affects base="1.0.1" version="1.0.1j"/>
139 <affects base="1.0.1" version="1.0.1k"/>
140 <affects base="1.0.1" version="1.0.1l"/>
141 <affects base="1.0.1" version="1.0.1m"/>
142 <affects base="1.0.1" version="1.0.1n"/>
143 <affects base="1.0.1" version="1.0.1o"/>
144 <affects base="1.0.1" version="1.0.1p"/>
145 <affects base="1.0.1" version="1.0.1q"/>
146 <affects base="1.0.1" version="1.0.1r"/>
147 <affects base="1.0.1" version="1.0.1s"/>
148 <affects base="1.0.1" version="1.0.1t"/>
149 <affects base="1.0.2" version="1.0.2"/>
150 <affects base="1.0.2" version="1.0.2a"/>
151 <affects base="1.0.2" version="1.0.2b"/>
152 <affects base="1.0.2" version="1.0.2c"/>
153 <affects base="1.0.2" version="1.0.2d"/>
154 <affects base="1.0.2" version="1.0.2e"/>
155 <affects base="1.0.2" version="1.0.2f"/>
156 <affects base="1.0.2" version="1.0.2g"/>
157 <affects base="1.0.2" version="1.0.2h"/>
158 <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
159 <fixed base="1.0.2" version="1.0.2i" date="20160922"/>
162 If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
163 DoS attack where a malformed ticket will result in an OOB read which will
166 The use of SHA512 in TLS session tickets is comparatively rare as it requires
167 a custom server callback and ticket lookup mechanism.
169 <advisory url="/news/secadv/20160922.txt"/>
170 <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)"/>
172 <issue public="20160816">
173 <impact severity="Low"/>
174 <cve name="2016-2182"/>
175 <affects base="1.0.1" version="1.0.1"/>
176 <affects base="1.0.1" version="1.0.1a"/>
177 <affects base="1.0.1" version="1.0.1b"/>
178 <affects base="1.0.1" version="1.0.1c"/>
179 <affects base="1.0.1" version="1.0.1d"/>
180 <affects base="1.0.1" version="1.0.1e"/>
181 <affects base="1.0.1" version="1.0.1f"/>
182 <affects base="1.0.1" version="1.0.1g"/>
183 <affects base="1.0.1" version="1.0.1h"/>
184 <affects base="1.0.1" version="1.0.1i"/>
185 <affects base="1.0.1" version="1.0.1j"/>
186 <affects base="1.0.1" version="1.0.1k"/>
187 <affects base="1.0.1" version="1.0.1l"/>
188 <affects base="1.0.1" version="1.0.1m"/>
189 <affects base="1.0.1" version="1.0.1n"/>
190 <affects base="1.0.1" version="1.0.1o"/>
191 <affects base="1.0.1" version="1.0.1p"/>
192 <affects base="1.0.1" version="1.0.1q"/>
193 <affects base="1.0.1" version="1.0.1r"/>
194 <affects base="1.0.1" version="1.0.1s"/>
195 <affects base="1.0.1" version="1.0.1t"/>
196 <affects base="1.0.2" version="1.0.2"/>
197 <affects base="1.0.2" version="1.0.2a"/>
198 <affects base="1.0.2" version="1.0.2b"/>
199 <affects base="1.0.2" version="1.0.2c"/>
200 <affects base="1.0.2" version="1.0.2d"/>
201 <affects base="1.0.2" version="1.0.2e"/>
202 <affects base="1.0.2" version="1.0.2f"/>
203 <affects base="1.0.2" version="1.0.2g"/>
204 <affects base="1.0.2" version="1.0.2h"/>
205 <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
206 <fixed base="1.0.2" version="1.0.2i" date="20160922"/>
209 The function BN_bn2dec() does not check the return value of BN_div_word().
210 This can cause an OOB write if an application uses this function with an
211 overly large BIGNUM. This could be a problem if an overly large certificate
212 or CRL is printed out from an untrusted source. TLS is not affected because
213 record limits will reject an oversized certificate before it is parsed.
215 <advisory url="/news/secadv/20160922.txt"/>
216 <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)"/>
218 <issue public="20160722">
219 <impact severity="Low"/>
220 <cve name="2016-2180"/>
221 <affects base="1.0.1" version="1.0.1"/>
222 <affects base="1.0.1" version="1.0.1a"/>
223 <affects base="1.0.1" version="1.0.1b"/>
224 <affects base="1.0.1" version="1.0.1c"/>
225 <affects base="1.0.1" version="1.0.1d"/>
226 <affects base="1.0.1" version="1.0.1e"/>
227 <affects base="1.0.1" version="1.0.1f"/>
228 <affects base="1.0.1" version="1.0.1g"/>
229 <affects base="1.0.1" version="1.0.1h"/>
230 <affects base="1.0.1" version="1.0.1i"/>
231 <affects base="1.0.1" version="1.0.1j"/>
232 <affects base="1.0.1" version="1.0.1k"/>
233 <affects base="1.0.1" version="1.0.1l"/>
234 <affects base="1.0.1" version="1.0.1m"/>
235 <affects base="1.0.1" version="1.0.1n"/>
236 <affects base="1.0.1" version="1.0.1o"/>
237 <affects base="1.0.1" version="1.0.1p"/>
238 <affects base="1.0.1" version="1.0.1q"/>
239 <affects base="1.0.1" version="1.0.1r"/>
240 <affects base="1.0.1" version="1.0.1s"/>
241 <affects base="1.0.1" version="1.0.1t"/>
242 <affects base="1.0.2" version="1.0.2"/>
243 <affects base="1.0.2" version="1.0.2a"/>
244 <affects base="1.0.2" version="1.0.2b"/>
245 <affects base="1.0.2" version="1.0.2c"/>
246 <affects base="1.0.2" version="1.0.2d"/>
247 <affects base="1.0.2" version="1.0.2e"/>
248 <affects base="1.0.2" version="1.0.2f"/>
249 <affects base="1.0.2" version="1.0.2g"/>
250 <affects base="1.0.2" version="1.0.2h"/>
251 <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
252 <fixed base="1.0.2" version="1.0.2i" date="20160922"/>
255 The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
256 the total length the OID text representation would use and not the amount
257 of data written. This will result in OOB reads when large OIDs are presented.
259 <advisory url="/news/secadv/20160922.txt"/>
260 <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)"/>
262 <issue public="20160601">
263 <impact severity="Low"/>
264 <cve name="2016-2177"/>
265 <affects base="1.0.1" version="1.0.1"/>
266 <affects base="1.0.1" version="1.0.1a"/>
267 <affects base="1.0.1" version="1.0.1b"/>
268 <affects base="1.0.1" version="1.0.1c"/>
269 <affects base="1.0.1" version="1.0.1d"/>
270 <affects base="1.0.1" version="1.0.1e"/>
271 <affects base="1.0.1" version="1.0.1f"/>
272 <affects base="1.0.1" version="1.0.1g"/>
273 <affects base="1.0.1" version="1.0.1h"/>
274 <affects base="1.0.1" version="1.0.1i"/>
275 <affects base="1.0.1" version="1.0.1j"/>
276 <affects base="1.0.1" version="1.0.1k"/>
277 <affects base="1.0.1" version="1.0.1l"/>
278 <affects base="1.0.1" version="1.0.1m"/>
279 <affects base="1.0.1" version="1.0.1n"/>
280 <affects base="1.0.1" version="1.0.1o"/>
281 <affects base="1.0.1" version="1.0.1p"/>
282 <affects base="1.0.1" version="1.0.1q"/>
283 <affects base="1.0.1" version="1.0.1r"/>
284 <affects base="1.0.1" version="1.0.1s"/>
285 <affects base="1.0.1" version="1.0.1t"/>
286 <affects base="1.0.2" version="1.0.2"/>
287 <affects base="1.0.2" version="1.0.2a"/>
288 <affects base="1.0.2" version="1.0.2b"/>
289 <affects base="1.0.2" version="1.0.2c"/>
290 <affects base="1.0.2" version="1.0.2d"/>
291 <affects base="1.0.2" version="1.0.2e"/>
292 <affects base="1.0.2" version="1.0.2f"/>
293 <affects base="1.0.2" version="1.0.2g"/>
294 <affects base="1.0.2" version="1.0.2h"/>
295 <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
296 <fixed base="1.0.2" version="1.0.2i" date="20160922"/>
299 Avoid some undefined pointer arithmetic
301 A common idiom in the codebase is to check limits in the following manner:
304 Where "p" points to some malloc'd data of SIZE bytes and
307 "len" here could be from some externally supplied data (e.g. from a TLS
310 The rules of C pointer arithmetic are such that "p + len" is only well
311 defined where len <= SIZE. Therefore the above idiom is actually
314 For example this could cause problems if some malloc implementation
315 provides an address for "p" such that "p + len" actually overflows for
316 values of len that are too big and therefore p + len < limit.
318 <advisory url="/news/secadv/20160922.txt"/>
319 <reported source="Guido Vranken"/>
321 <issue public="20160607">
322 <impact severity="Low"/>
323 <cve name="2016-2178"/>
324 <affects base="1.0.1" version="1.0.1"/>
325 <affects base="1.0.1" version="1.0.1a"/>
326 <affects base="1.0.1" version="1.0.1b"/>
327 <affects base="1.0.1" version="1.0.1c"/>
328 <affects base="1.0.1" version="1.0.1d"/>
329 <affects base="1.0.1" version="1.0.1e"/>
330 <affects base="1.0.1" version="1.0.1f"/>
331 <affects base="1.0.1" version="1.0.1g"/>
332 <affects base="1.0.1" version="1.0.1h"/>
333 <affects base="1.0.1" version="1.0.1i"/>
334 <affects base="1.0.1" version="1.0.1j"/>
335 <affects base="1.0.1" version="1.0.1k"/>
336 <affects base="1.0.1" version="1.0.1l"/>
337 <affects base="1.0.1" version="1.0.1m"/>
338 <affects base="1.0.1" version="1.0.1n"/>
339 <affects base="1.0.1" version="1.0.1o"/>
340 <affects base="1.0.1" version="1.0.1p"/>
341 <affects base="1.0.1" version="1.0.1q"/>
342 <affects base="1.0.1" version="1.0.1r"/>
343 <affects base="1.0.1" version="1.0.1s"/>
344 <affects base="1.0.1" version="1.0.1t"/>
345 <affects base="1.0.2" version="1.0.2"/>
346 <affects base="1.0.2" version="1.0.2a"/>
347 <affects base="1.0.2" version="1.0.2b"/>
348 <affects base="1.0.2" version="1.0.2c"/>
349 <affects base="1.0.2" version="1.0.2d"/>
350 <affects base="1.0.2" version="1.0.2e"/>
351 <affects base="1.0.2" version="1.0.2f"/>
352 <affects base="1.0.2" version="1.0.2g"/>
353 <affects base="1.0.2" version="1.0.2h"/>
354 <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
355 <fixed base="1.0.2" version="1.0.2i" date="20160922"/>
358 Operations in the DSA signing algorithm should run in constant time in order to
359 avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that
360 a non-constant time codepath is followed for certain operations. This has been
361 demonstrated through a cache-timing attack to be sufficient for an attacker to
362 recover the private DSA key.
364 <advisory url="/news/secadv/20160922.txt"/>
365 <reported source="César Pereida (Aalto University), Billy Brumley (Tampere University of Technology), and Yuval Yarom (The University of Adelaide and NICTA)"/>
367 <issue public="20160822">
368 <impact severity="Low"/>
369 <cve name="2016-2179"/>
370 <affects base="1.0.1" version="1.0.1"/>
371 <affects base="1.0.1" version="1.0.1a"/>
372 <affects base="1.0.1" version="1.0.1b"/>
373 <affects base="1.0.1" version="1.0.1c"/>
374 <affects base="1.0.1" version="1.0.1d"/>
375 <affects base="1.0.1" version="1.0.1e"/>
376 <affects base="1.0.1" version="1.0.1f"/>
377 <affects base="1.0.1" version="1.0.1g"/>
378 <affects base="1.0.1" version="1.0.1h"/>
379 <affects base="1.0.1" version="1.0.1i"/>
380 <affects base="1.0.1" version="1.0.1j"/>
381 <affects base="1.0.1" version="1.0.1k"/>
382 <affects base="1.0.1" version="1.0.1l"/>
383 <affects base="1.0.1" version="1.0.1m"/>
384 <affects base="1.0.1" version="1.0.1n"/>
385 <affects base="1.0.1" version="1.0.1o"/>
386 <affects base="1.0.1" version="1.0.1p"/>
387 <affects base="1.0.1" version="1.0.1q"/>
388 <affects base="1.0.1" version="1.0.1r"/>
389 <affects base="1.0.1" version="1.0.1s"/>
390 <affects base="1.0.1" version="1.0.1t"/>
391 <affects base="1.0.2" version="1.0.2"/>
392 <affects base="1.0.2" version="1.0.2a"/>
393 <affects base="1.0.2" version="1.0.2b"/>
394 <affects base="1.0.2" version="1.0.2c"/>
395 <affects base="1.0.2" version="1.0.2d"/>
396 <affects base="1.0.2" version="1.0.2e"/>
397 <affects base="1.0.2" version="1.0.2f"/>
398 <affects base="1.0.2" version="1.0.2g"/>
399 <affects base="1.0.2" version="1.0.2h"/>
400 <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
401 <fixed base="1.0.2" version="1.0.2i" date="20160922"/>
404 In a DTLS connection where handshake messages are delivered out-of-order those
405 messages that OpenSSL is not yet ready to process will be buffered for later
406 use. Under certain circumstances, a flaw in the logic means that those messages
407 do not get removed from the buffer even though the handshake has been completed.
408 An attacker could force up to approx. 15 messages to remain in the buffer when
409 they are no longer required. These messages will be cleared when the DTLS
410 connection is closed. The default maximum size for a message is 100k. Therefore
411 the attacker could force an additional 1500k to be consumed per connection. By
412 opening many simulataneous connections an attacker could cause a DoS attack
413 through memory exhaustion.
415 <advisory url="/news/secadv/20160922.txt"/>
416 <reported source="Quan Luo"/>
418 <issue public="20160819">
419 <impact severity="Low"/>
420 <cve name="2016-2181"/>
421 <affects base="1.0.1" version="1.0.1"/>
422 <affects base="1.0.1" version="1.0.1a"/>
423 <affects base="1.0.1" version="1.0.1b"/>
424 <affects base="1.0.1" version="1.0.1c"/>
425 <affects base="1.0.1" version="1.0.1d"/>
426 <affects base="1.0.1" version="1.0.1e"/>
427 <affects base="1.0.1" version="1.0.1f"/>
428 <affects base="1.0.1" version="1.0.1g"/>
429 <affects base="1.0.1" version="1.0.1h"/>
430 <affects base="1.0.1" version="1.0.1i"/>
431 <affects base="1.0.1" version="1.0.1j"/>
432 <affects base="1.0.1" version="1.0.1k"/>
433 <affects base="1.0.1" version="1.0.1l"/>
434 <affects base="1.0.1" version="1.0.1m"/>
435 <affects base="1.0.1" version="1.0.1n"/>
436 <affects base="1.0.1" version="1.0.1o"/>
437 <affects base="1.0.1" version="1.0.1p"/>
438 <affects base="1.0.1" version="1.0.1q"/>
439 <affects base="1.0.1" version="1.0.1r"/>
440 <affects base="1.0.1" version="1.0.1s"/>
441 <affects base="1.0.1" version="1.0.1t"/>
442 <affects base="1.0.2" version="1.0.2"/>
443 <affects base="1.0.2" version="1.0.2a"/>
444 <affects base="1.0.2" version="1.0.2b"/>
445 <affects base="1.0.2" version="1.0.2c"/>
446 <affects base="1.0.2" version="1.0.2d"/>
447 <affects base="1.0.2" version="1.0.2e"/>
448 <affects base="1.0.2" version="1.0.2f"/>
449 <affects base="1.0.2" version="1.0.2g"/>
450 <affects base="1.0.2" version="1.0.2h"/>
451 <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
452 <fixed base="1.0.2" version="1.0.2i" date="20160922"/>
455 A flaw in the DTLS replay attack protection mechanism means that records that
456 arrive for future epochs update the replay protection "window" before the MAC
457 for the record has been validated. This could be exploited by an attacker by
458 sending a record for the next epoch (which does not have to decrypt or have a
459 valid MAC), with a very large sequence number. This means that all subsequent
460 legitimate packets are dropped causing a denial of service for a specific
463 <advisory url="/news/secadv/20160922.txt"/>
464 <reported source="OCAP audit team"/>
466 <issue public="20160921">
467 <impact severity="Low"/>
468 <cve name="2016-6306"/>
469 <affects base="1.0.1" version="1.0.1"/>
470 <affects base="1.0.1" version="1.0.1a"/>
471 <affects base="1.0.1" version="1.0.1b"/>
472 <affects base="1.0.1" version="1.0.1c"/>
473 <affects base="1.0.1" version="1.0.1d"/>
474 <affects base="1.0.1" version="1.0.1e"/>
475 <affects base="1.0.1" version="1.0.1f"/>
476 <affects base="1.0.1" version="1.0.1g"/>
477 <affects base="1.0.1" version="1.0.1h"/>
478 <affects base="1.0.1" version="1.0.1i"/>
479 <affects base="1.0.1" version="1.0.1j"/>
480 <affects base="1.0.1" version="1.0.1k"/>
481 <affects base="1.0.1" version="1.0.1l"/>
482 <affects base="1.0.1" version="1.0.1m"/>
483 <affects base="1.0.1" version="1.0.1n"/>
484 <affects base="1.0.1" version="1.0.1o"/>
485 <affects base="1.0.1" version="1.0.1p"/>
486 <affects base="1.0.1" version="1.0.1q"/>
487 <affects base="1.0.1" version="1.0.1r"/>
488 <affects base="1.0.1" version="1.0.1s"/>
489 <affects base="1.0.1" version="1.0.1t"/>
490 <affects base="1.0.2" version="1.0.2"/>
491 <affects base="1.0.2" version="1.0.2a"/>
492 <affects base="1.0.2" version="1.0.2b"/>
493 <affects base="1.0.2" version="1.0.2c"/>
494 <affects base="1.0.2" version="1.0.2d"/>
495 <affects base="1.0.2" version="1.0.2e"/>
496 <affects base="1.0.2" version="1.0.2f"/>
497 <affects base="1.0.2" version="1.0.2g"/>
498 <affects base="1.0.2" version="1.0.2h"/>
499 <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
500 <fixed base="1.0.2" version="1.0.2i" date="20160922"/>
502 In OpenSSL 1.0.2 and earlier some missing message length checks can result in
503 OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical
504 DoS risk but this has not been observed in practice on common platforms.
506 The messages affected are client certificate, client certificate request and
507 server certificate. As a result the attack can only be performed against
508 a client or a server which enables client authentication.
510 <advisory url="/news/secadv/20160922.txt"/>
511 <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)"/>
513 <issue public="20160921">
514 <impact severity="Low"/>
515 <cve name="2016-6307"/>
516 <affects base="1.1.0" version="1.1.0"/>
517 <fixed base="1.1.0" version="1.1.0a" date="20160922"/>
520 A TLS message includes 3 bytes for its length in the header for the message.
521 This would allow for messages up to 16Mb in length. Messages of this length are
522 excessive and OpenSSL includes a check to ensure that a peer is sending
523 reasonably sized messages in order to avoid too much memory being consumed to
524 service a connection. A flaw in the logic of version 1.1.0 means that memory for
525 the message is allocated too early, prior to the excessive message length
526 check. Due to way memory is allocated in OpenSSL this could mean an attacker
527 could force up to 21Mb to be allocated to service a connection. This could lead
528 to a Denial of Service through memory exhaustion. However, the excessive message
529 length check still takes place, and this would cause the connection to
530 immediately fail. Assuming that the application calls SSL_free() on the failed
531 conneciton in a timely manner then the 21Mb of allocated memory will then be
532 immediately freed again. Therefore the excessive memory allocation will be
533 transitory in nature. This then means that there is only a security impact if:
535 1) The application does not call SSL_free() in a timely manner in the
536 event that the connection fails
538 2) The application is working in a constrained environment where there
539 is very little free memory
541 3) The attacker initiates multiple connection attempts such that there
542 are multiple connections in a state where memory has been allocated for
543 the connection; SSL_free() has not yet been called; and there is
544 insufficient memory to service the multiple requests.
546 Except in the instance of (1) above any Denial Of Service is likely to
547 be transitory because as soon as the connection fails the memory is
548 subsequently freed again in the SSL_free() call. However there is an
549 increased risk during this period of application crashes due to the lack
550 of memory - which would then mean a more serious Denial of Service.
552 <advisory url="/news/secadv/20160922.txt"/>
553 <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)"/>
555 <issue public="20160921">
556 <impact severity="Low"/>
557 <cve name="2016-6308"/>
558 <affects base="1.1.0" version="1.1.0"/>
559 <fixed base="1.1.0" version="1.1.0a" date="20160922"/>
562 A DTLS message includes 3 bytes for its length in the header for the message.
563 This would allow for messages up to 16Mb in length. Messages of this length are
564 excessive and OpenSSL includes a check to ensure that a peer is sending
565 reasonably sized messages in order to avoid too much memory being consumed to
566 service a connection. A flaw in the logic of version 1.1.0 means that memory for
567 the message is allocated too early, prior to the excessive message length
568 check. Due to way memory is allocated in OpenSSL this could mean an attacker
569 could force up to 21Mb to be allocated to service a connection. This could lead
570 to a Denial of Service through memory exhaustion. However, the excessive message
571 length check still takes place, and this would cause the connection to
572 immediately fail. Assuming that the application calls SSL_free() on the failed
573 conneciton in a timely manner then the 21Mb of allocated memory will then be
574 immediately freed again. Therefore the excessive memory allocation will be
575 transitory in nature. This then means that there is only a security impact if:
577 1) The application does not call SSL_free() in a timely manner in the
578 event that the connection fails
580 2) The application is working in a constrained environment where there
581 is very little free memory
583 3) The attacker initiates multiple connection attempts such that there
584 are multiple connections in a state where memory has been allocated for
585 the connection; SSL_free() has not yet been called; and there is
586 insufficient memory to service the multiple requests.
588 Except in the instance of (1) above any Denial Of Service is likely to
589 be transitory because as soon as the connection fails the memory is
590 subsequently freed again in the SSL_free() call. However there is an
591 increased risk during this period of application crashes due to the lack
592 of memory - which would then mean a more serious Denial of Service.
594 <advisory url="/news/secadv/20160922.txt"/>
595 <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)"/>
597 <issue public="20160503">
598 <impact severity="High"/>
599 <cve name="2016-2108"/>
600 <affects base="1.0.1" version="1.0.1"/>
601 <affects base="1.0.1" version="1.0.1a"/>
602 <affects base="1.0.1" version="1.0.1b"/>
603 <affects base="1.0.1" version="1.0.1c"/>
604 <affects base="1.0.1" version="1.0.1d"/>
605 <affects base="1.0.1" version="1.0.1e"/>
606 <affects base="1.0.1" version="1.0.1f"/>
607 <affects base="1.0.1" version="1.0.1g"/>
608 <affects base="1.0.1" version="1.0.1h"/>
609 <affects base="1.0.1" version="1.0.1i"/>
610 <affects base="1.0.1" version="1.0.1j"/>
611 <affects base="1.0.1" version="1.0.1k"/>
612 <affects base="1.0.1" version="1.0.1l"/>
613 <affects base="1.0.1" version="1.0.1m"/>
614 <affects base="1.0.1" version="1.0.1n"/>
615 <affects base="1.0.2" version="1.0.2"/>
616 <affects base="1.0.2" version="1.0.2a"/>
617 <affects base="1.0.2" version="1.0.2b"/>
618 <fixed base="1.0.1" version="1.0.1o" date="20160612"/>
619 <fixed base="1.0.2" version="1.0.2c" date="20160612"/>
622 This issue affected versions of OpenSSL prior to April 2015. The bug
623 causing the vulnerability was fixed on April 18th 2015, and released
624 as part of the June 11th 2015 security releases. The security impact
625 of the bug was not known at the time.
627 In previous versions of OpenSSL, ASN.1 encoding the value zero
628 represented as a negative integer can cause a buffer underflow
629 with an out-of-bounds write in i2c_ASN1_INTEGER. The ASN.1 parser does
630 not normally create "negative zeroes" when parsing ASN.1 input, and
631 therefore, an attacker cannot trigger this bug.
633 However, a second, independent bug revealed that the ASN.1 parser
634 (specifically, d2i_ASN1_TYPE) can misinterpret a large universal tag
635 as a negative zero value. Large universal tags are not present in any
636 common ASN.1 structures (such as X509) but are accepted as part of ANY
639 Therefore, if an application deserializes untrusted ASN.1 structures
640 containing an ANY field, and later reserializes them, an attacker may
641 be able to trigger an out-of-bounds write. This has been shown to
642 cause memory corruption that is potentially exploitable with some
643 malloc implementations.
645 Applications that parse and re-encode X509 certificates are known to
646 be vulnerable. Applications that verify RSA signatures on X509
647 certificates may also be vulnerable; however, only certificates with
648 valid signatures trigger ASN.1 re-encoding and hence the
649 bug. Specifically, since OpenSSL's default TLS X509 chain verification
650 code verifies the certificate chain from root to leaf, TLS handshakes
651 could only be targeted with valid certificates issued by trusted
652 Certification Authorities.
654 <advisory url="/news/secadv/20160503.txt"/>
655 <reported source="Huzaifa Sidhpurwala (Red Hat), Hanno Böck, David Benjamin (Google)"/>
657 <issue public="20160503">
658 <impact severity="High"/>
659 <cve name="2016-2107"/>
660 <affects base="1.0.1" version="1.0.1"/>
661 <affects base="1.0.1" version="1.0.1a"/>
662 <affects base="1.0.1" version="1.0.1b"/>
663 <affects base="1.0.1" version="1.0.1c"/>
664 <affects base="1.0.1" version="1.0.1d"/>
665 <affects base="1.0.1" version="1.0.1e"/>
666 <affects base="1.0.1" version="1.0.1f"/>
667 <affects base="1.0.1" version="1.0.1g"/>
668 <affects base="1.0.1" version="1.0.1h"/>
669 <affects base="1.0.1" version="1.0.1i"/>
670 <affects base="1.0.1" version="1.0.1j"/>
671 <affects base="1.0.1" version="1.0.1k"/>
672 <affects base="1.0.1" version="1.0.1l"/>
673 <affects base="1.0.1" version="1.0.1m"/>
674 <affects base="1.0.1" version="1.0.1n"/>
675 <affects base="1.0.1" version="1.0.1o"/>
676 <affects base="1.0.1" version="1.0.1p"/>
677 <affects base="1.0.1" version="1.0.1q"/>
678 <affects base="1.0.1" version="1.0.1r"/>
679 <affects base="1.0.1" version="1.0.1s"/>
680 <affects base="1.0.2" version="1.0.2"/>
681 <affects base="1.0.2" version="1.0.2a"/>
682 <affects base="1.0.2" version="1.0.2b"/>
683 <affects base="1.0.2" version="1.0.2c"/>
684 <affects base="1.0.2" version="1.0.2d"/>
685 <affects base="1.0.2" version="1.0.2e"/>
686 <affects base="1.0.2" version="1.0.2f"/>
687 <affects base="1.0.2" version="1.0.2g"/>
688 <fixed base="1.0.1" version="1.0.1t" date="20160503"/>
689 <fixed base="1.0.2" version="1.0.2h" date="20160503"/>
692 A MITM attacker can use a padding oracle attack to decrypt traffic
693 when the connection uses an AES CBC cipher and the server support
696 This issue was introduced as part of the fix for Lucky 13 padding
697 attack (CVE-2013-0169). The padding check was rewritten to be in
698 constant time by making sure that always the same bytes are read and
699 compared against either the MAC or padding bytes. But it no longer
700 checked that there was enough data to have both the MAC and padding
703 <advisory url="/news/secadv/20160503.txt"/>
704 <reported source="Juraj Somorovsky"/>
706 <issue public="20160503">
707 <impact severity="Low"/>
708 <cve name="2016-2105"/>
709 <affects base="1.0.1" version="1.0.1"/>
710 <affects base="1.0.1" version="1.0.1a"/>
711 <affects base="1.0.1" version="1.0.1b"/>
712 <affects base="1.0.1" version="1.0.1c"/>
713 <affects base="1.0.1" version="1.0.1d"/>
714 <affects base="1.0.1" version="1.0.1e"/>
715 <affects base="1.0.1" version="1.0.1f"/>
716 <affects base="1.0.1" version="1.0.1g"/>
717 <affects base="1.0.1" version="1.0.1h"/>
718 <affects base="1.0.1" version="1.0.1i"/>
719 <affects base="1.0.1" version="1.0.1j"/>
720 <affects base="1.0.1" version="1.0.1k"/>
721 <affects base="1.0.1" version="1.0.1l"/>
722 <affects base="1.0.1" version="1.0.1m"/>
723 <affects base="1.0.1" version="1.0.1n"/>
724 <affects base="1.0.1" version="1.0.1o"/>
725 <affects base="1.0.1" version="1.0.1p"/>
726 <affects base="1.0.1" version="1.0.1q"/>
727 <affects base="1.0.1" version="1.0.1r"/>
728 <affects base="1.0.1" version="1.0.1s"/>
729 <affects base="1.0.2" version="1.0.2"/>
730 <affects base="1.0.2" version="1.0.2a"/>
731 <affects base="1.0.2" version="1.0.2b"/>
732 <affects base="1.0.2" version="1.0.2c"/>
733 <affects base="1.0.2" version="1.0.2d"/>
734 <affects base="1.0.2" version="1.0.2e"/>
735 <affects base="1.0.2" version="1.0.2f"/>
736 <affects base="1.0.2" version="1.0.2g"/>
737 <fixed base="1.0.1" version="1.0.1t" date="20160503"/>
738 <fixed base="1.0.2" version="1.0.2h" date="20160503"/>
741 An overflow can occur in the EVP_EncodeUpdate() function which is used for
742 Base64 encoding of binary data. If an attacker is able to supply very
743 large amounts of input data then a length check can overflow resulting in
746 Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by the
747 PEM_write_bio* family of functions. These are mainly used within the OpenSSL
748 command line applications. These internal uses are not considered vulnerable
749 because all calls are bounded with length checks so no overflow is possible.
750 User applications that call these APIs directly with large amounts of untrusted
751 data may be vulnerable. (Note: Initial analysis suggested that the
752 PEM_write_bio* were vulnerable, and this is reflected in the patch commit
753 message. This is no longer believed to be the case).
755 <advisory url="/news/secadv/20160503.txt"/>
756 <reported source="Guido Vranken"/>
758 <issue public="20160503">
759 <impact severity="Low"/>
760 <cve name="2016-2106"/>
761 <affects base="1.0.1" version="1.0.1"/>
762 <affects base="1.0.1" version="1.0.1a"/>
763 <affects base="1.0.1" version="1.0.1b"/>
764 <affects base="1.0.1" version="1.0.1c"/>
765 <affects base="1.0.1" version="1.0.1d"/>
766 <affects base="1.0.1" version="1.0.1e"/>
767 <affects base="1.0.1" version="1.0.1f"/>
768 <affects base="1.0.1" version="1.0.1g"/>
769 <affects base="1.0.1" version="1.0.1h"/>
770 <affects base="1.0.1" version="1.0.1i"/>
771 <affects base="1.0.1" version="1.0.1j"/>
772 <affects base="1.0.1" version="1.0.1k"/>
773 <affects base="1.0.1" version="1.0.1l"/>
774 <affects base="1.0.1" version="1.0.1m"/>
775 <affects base="1.0.1" version="1.0.1n"/>
776 <affects base="1.0.1" version="1.0.1o"/>
777 <affects base="1.0.1" version="1.0.1p"/>
778 <affects base="1.0.1" version="1.0.1q"/>
779 <affects base="1.0.1" version="1.0.1r"/>
780 <affects base="1.0.1" version="1.0.1s"/>
781 <affects base="1.0.2" version="1.0.2"/>
782 <affects base="1.0.2" version="1.0.2a"/>
783 <affects base="1.0.2" version="1.0.2b"/>
784 <affects base="1.0.2" version="1.0.2c"/>
785 <affects base="1.0.2" version="1.0.2d"/>
786 <affects base="1.0.2" version="1.0.2e"/>
787 <affects base="1.0.2" version="1.0.2f"/>
788 <affects base="1.0.2" version="1.0.2g"/>
789 <fixed base="1.0.1" version="1.0.1t" date="20160503"/>
790 <fixed base="1.0.2" version="1.0.2h" date="20160503"/>
793 An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
794 is able to supply very large amounts of input data after a previous call
795 to EVP_EncryptUpdate() with a partial block then a length check can
796 overflow resulting in a heap corruption. Following an analysis of all
797 OpenSSL internal usage of the EVP_EncryptUpdate() function all usage is
798 one of two forms. The first form is where the EVP_EncryptUpdate() call is
799 known to be the first called function after an EVP_EncryptInit(), and
800 therefore that specific call must be safe. The second form is where the
801 length passed to EVP_EncryptUpdate() can be seen from the code to be some
802 small value and therefore there is no possibility of an overflow. Since
803 all instances are one of these two forms, it is believed that there can be
804 no overflows in internal code due to this problem. It should be noted that
805 EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
806 Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All
807 instances of these calls have also been analysed too and it is believed
808 there are no instances in internal usage where an overflow could occur.
810 This could still represent a security issue for end user code that calls
811 this function directly.
813 <advisory url="/news/secadv/20160503.txt"/>
814 <reported source="Guido Vranken"/>
816 <issue public="20160503">
817 <impact severity="Low"/>
818 <cve name="2016-2109"/>
819 <affects base="1.0.1" version="1.0.1"/>
820 <affects base="1.0.1" version="1.0.1a"/>
821 <affects base="1.0.1" version="1.0.1b"/>
822 <affects base="1.0.1" version="1.0.1c"/>
823 <affects base="1.0.1" version="1.0.1d"/>
824 <affects base="1.0.1" version="1.0.1e"/>
825 <affects base="1.0.1" version="1.0.1f"/>
826 <affects base="1.0.1" version="1.0.1g"/>
827 <affects base="1.0.1" version="1.0.1h"/>
828 <affects base="1.0.1" version="1.0.1i"/>
829 <affects base="1.0.1" version="1.0.1j"/>
830 <affects base="1.0.1" version="1.0.1k"/>
831 <affects base="1.0.1" version="1.0.1l"/>
832 <affects base="1.0.1" version="1.0.1m"/>
833 <affects base="1.0.1" version="1.0.1n"/>
834 <affects base="1.0.1" version="1.0.1o"/>
835 <affects base="1.0.1" version="1.0.1p"/>
836 <affects base="1.0.1" version="1.0.1q"/>
837 <affects base="1.0.1" version="1.0.1r"/>
838 <affects base="1.0.1" version="1.0.1s"/>
839 <affects base="1.0.2" version="1.0.2"/>
840 <affects base="1.0.2" version="1.0.2a"/>
841 <affects base="1.0.2" version="1.0.2b"/>
842 <affects base="1.0.2" version="1.0.2c"/>
843 <affects base="1.0.2" version="1.0.2d"/>
844 <affects base="1.0.2" version="1.0.2e"/>
845 <affects base="1.0.2" version="1.0.2f"/>
846 <affects base="1.0.2" version="1.0.2g"/>
847 <fixed base="1.0.1" version="1.0.1t" date="20160503"/>
848 <fixed base="1.0.2" version="1.0.2h" date="20160503"/>
851 When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
852 a short invalid encoding can casuse allocation of large amounts of memory
853 potentially consuming excessive resources or exhausting memory.
855 Any application parsing untrusted data through d2i BIO functions is
856 affected. The memory based functions such as d2i_X509() are *not*
857 affected. Since the memory based functions are used by the TLS library,
858 TLS applications are not affected.
860 <advisory url="/news/secadv/20160503.txt"/>
861 <reported source="Brian Carpenter"/>
863 <issue public="20160503">
864 <impact severity="Low"/>
865 <cve name="2016-2176"/>
866 <affects base="1.0.1" version="1.0.1"/>
867 <affects base="1.0.1" version="1.0.1a"/>
868 <affects base="1.0.1" version="1.0.1b"/>
869 <affects base="1.0.1" version="1.0.1c"/>
870 <affects base="1.0.1" version="1.0.1d"/>
871 <affects base="1.0.1" version="1.0.1e"/>
872 <affects base="1.0.1" version="1.0.1f"/>
873 <affects base="1.0.1" version="1.0.1g"/>
874 <affects base="1.0.1" version="1.0.1h"/>
875 <affects base="1.0.1" version="1.0.1i"/>
876 <affects base="1.0.1" version="1.0.1j"/>
877 <affects base="1.0.1" version="1.0.1k"/>
878 <affects base="1.0.1" version="1.0.1l"/>
879 <affects base="1.0.1" version="1.0.1m"/>
880 <affects base="1.0.1" version="1.0.1n"/>
881 <affects base="1.0.1" version="1.0.1o"/>
882 <affects base="1.0.1" version="1.0.1p"/>
883 <affects base="1.0.1" version="1.0.1q"/>
884 <affects base="1.0.1" version="1.0.1r"/>
885 <affects base="1.0.1" version="1.0.1s"/>
886 <affects base="1.0.2" version="1.0.2"/>
887 <affects base="1.0.2" version="1.0.2a"/>
888 <affects base="1.0.2" version="1.0.2b"/>
889 <affects base="1.0.2" version="1.0.2c"/>
890 <affects base="1.0.2" version="1.0.2d"/>
891 <affects base="1.0.2" version="1.0.2e"/>
892 <affects base="1.0.2" version="1.0.2f"/>
893 <affects base="1.0.2" version="1.0.2g"/>
894 <fixed base="1.0.1" version="1.0.1t" date="20160503"/>
895 <fixed base="1.0.2" version="1.0.2h" date="20160503"/>
898 ASN1 Strings that are over 1024 bytes can cause an overread in
899 applications using the X509_NAME_oneline() function on EBCDIC systems.
900 This could result in arbitrary stack data being returned in the buffer.
902 <advisory url="/news/secadv/20160503.txt"/>
903 <reported source="Guido Vranken"/>
905 <issue public="20160301">
906 <impact severity="High"/>
907 <cve name="2016-0800"/>
908 <affects base="1.0.1" version="1.0.1"/>
909 <affects base="1.0.1" version="1.0.1a"/>
910 <affects base="1.0.1" version="1.0.1b"/>
911 <affects base="1.0.1" version="1.0.1c"/>
912 <affects base="1.0.1" version="1.0.1d"/>
913 <affects base="1.0.1" version="1.0.1e"/>
914 <affects base="1.0.1" version="1.0.1f"/>
915 <affects base="1.0.1" version="1.0.1g"/>
916 <affects base="1.0.1" version="1.0.1h"/>
917 <affects base="1.0.1" version="1.0.1i"/>
918 <affects base="1.0.1" version="1.0.1j"/>
919 <affects base="1.0.1" version="1.0.1k"/>
920 <affects base="1.0.1" version="1.0.1l"/>
921 <affects base="1.0.1" version="1.0.1m"/>
922 <affects base="1.0.1" version="1.0.1n"/>
923 <affects base="1.0.1" version="1.0.1o"/>
924 <affects base="1.0.1" version="1.0.1p"/>
925 <affects base="1.0.1" version="1.0.1q"/>
926 <affects base="1.0.1" version="1.0.1r"/>
927 <affects base="1.0.2" version="1.0.2"/>
928 <affects base="1.0.2" version="1.0.2a"/>
929 <affects base="1.0.2" version="1.0.2b"/>
930 <affects base="1.0.2" version="1.0.2c"/>
931 <affects base="1.0.2" version="1.0.2d"/>
932 <affects base="1.0.2" version="1.0.2e"/>
933 <affects base="1.0.2" version="1.0.2f"/>
934 <fixed base="1.0.1" version="1.0.1s" date="20160301"/>
935 <fixed base="1.0.2" version="1.0.2g" date="20160301"/>
938 A cross-protocol attack was discovered that could lead to decryption of TLS
939 sessions by using a server supporting SSLv2 and EXPORT cipher suites as a
940 Bleichenbacher RSA padding oracle. Note that traffic between clients and
941 non-vulnerable servers can be decrypted provided another server supporting
942 SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or
943 POP) shares the RSA keys of the non-vulnerable server. This vulnerability is
944 known as DROWN (CVE-2016-0800).
946 Recovering one session key requires the attacker to perform approximately 2^50
947 computation, as well as thousands of connections to the affected server. A more
948 efficient variant of the DROWN attack exists against unpatched OpenSSL servers
949 using versions that predate 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf released on
950 19/Mar/2015 (see CVE-2016-0703 below).
952 Users can avoid this issue by disabling the SSLv2 protocol in all their SSL/TLS
953 servers, if they've not done so already. Disabling all SSLv2 ciphers is also
954 sufficient, provided the patches for CVE-2015-3197 (fixed in OpenSSL 1.0.1r and
955 1.0.2f) have been deployed. Servers that have not disabled the SSLv2 protocol,
956 and are not patched for CVE-2015-3197 are vulnerable to DROWN even if all SSLv2
957 ciphers are nominally disabled, because malicious clients can force the use of
958 SSLv2 with EXPORT ciphers.
960 OpenSSL 1.0.2g and 1.0.1s deploy the following mitigation against DROWN:
962 SSLv2 is now by default disabled at build-time. Builds that are not configured
963 with "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
964 users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will
965 need to explicitly call either of:
967 SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
969 SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
971 as appropriate. Even if either of those is used, or the application explicitly
972 uses the version-specific SSLv2_method() or its client or server variants,
973 SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed.
974 Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no
977 In addition, weak ciphers in SSLv3 and up are now disabled in default builds of
978 OpenSSL. Builds that are not configured with "enable-weak-ssl-ciphers" will
979 not provide any "EXPORT" or "LOW" strength ciphers.
981 <advisory url="/news/secadv/20160301.txt"/>
982 <reported source="Nimrod Aviram and Sebastian Schinzel"/>
984 <issue public="20160301">
985 <impact severity="Low"/>
986 <cve name="2016-0705"/>
987 <affects base="1.0.1" version="1.0.1"/>
988 <affects base="1.0.1" version="1.0.1a"/>
989 <affects base="1.0.1" version="1.0.1b"/>
990 <affects base="1.0.1" version="1.0.1c"/>
991 <affects base="1.0.1" version="1.0.1d"/>
992 <affects base="1.0.1" version="1.0.1e"/>
993 <affects base="1.0.1" version="1.0.1f"/>
994 <affects base="1.0.1" version="1.0.1g"/>
995 <affects base="1.0.1" version="1.0.1h"/>
996 <affects base="1.0.1" version="1.0.1i"/>
997 <affects base="1.0.1" version="1.0.1j"/>
998 <affects base="1.0.1" version="1.0.1k"/>
999 <affects base="1.0.1" version="1.0.1l"/>
1000 <affects base="1.0.1" version="1.0.1m"/>
1001 <affects base="1.0.1" version="1.0.1n"/>
1002 <affects base="1.0.1" version="1.0.1o"/>
1003 <affects base="1.0.1" version="1.0.1p"/>
1004 <affects base="1.0.1" version="1.0.1q"/>
1005 <affects base="1.0.1" version="1.0.1r"/>
1006 <affects base="1.0.2" version="1.0.2"/>
1007 <affects base="1.0.2" version="1.0.2a"/>
1008 <affects base="1.0.2" version="1.0.2b"/>
1009 <affects base="1.0.2" version="1.0.2c"/>
1010 <affects base="1.0.2" version="1.0.2d"/>
1011 <affects base="1.0.2" version="1.0.2e"/>
1012 <affects base="1.0.2" version="1.0.2f"/>
1013 <fixed base="1.0.1" version="1.0.1s" date="20160301"/>
1014 <fixed base="1.0.2" version="1.0.2g" date="20160301"/>
1017 A double free bug was discovered when OpenSSL parses malformed DSA private keys
1018 and could lead to a DoS attack or memory corruption for applications that
1019 receive DSA private keys from untrusted sources. This scenario is considered
1022 <advisory url="/news/secadv/20160301.txt"/>
1023 <reported source="Adam Langley (Google/BoringSSL)"/>
1025 <issue public="20160301">
1026 <impact severity="Low"/>
1027 <cve name="2016-0798"/>
1028 <affects base="1.0.1" version="1.0.1"/>
1029 <affects base="1.0.1" version="1.0.1a"/>
1030 <affects base="1.0.1" version="1.0.1b"/>
1031 <affects base="1.0.1" version="1.0.1c"/>
1032 <affects base="1.0.1" version="1.0.1d"/>
1033 <affects base="1.0.1" version="1.0.1e"/>
1034 <affects base="1.0.1" version="1.0.1f"/>
1035 <affects base="1.0.1" version="1.0.1g"/>
1036 <affects base="1.0.1" version="1.0.1h"/>
1037 <affects base="1.0.1" version="1.0.1i"/>
1038 <affects base="1.0.1" version="1.0.1j"/>
1039 <affects base="1.0.1" version="1.0.1k"/>
1040 <affects base="1.0.1" version="1.0.1l"/>
1041 <affects base="1.0.1" version="1.0.1m"/>
1042 <affects base="1.0.1" version="1.0.1n"/>
1043 <affects base="1.0.1" version="1.0.1o"/>
1044 <affects base="1.0.1" version="1.0.1p"/>
1045 <affects base="1.0.1" version="1.0.1q"/>
1046 <affects base="1.0.1" version="1.0.1r"/>
1047 <affects base="1.0.2" version="1.0.2"/>
1048 <affects base="1.0.2" version="1.0.2a"/>
1049 <affects base="1.0.2" version="1.0.2b"/>
1050 <affects base="1.0.2" version="1.0.2c"/>
1051 <affects base="1.0.2" version="1.0.2d"/>
1052 <affects base="1.0.2" version="1.0.2e"/>
1053 <affects base="1.0.2" version="1.0.2f"/>
1054 <fixed base="1.0.1" version="1.0.1s" date="20160301"/>
1055 <fixed base="1.0.2" version="1.0.2g" date="20160301"/>
1058 The SRP user database lookup method SRP_VBASE_get_by_user had
1059 confusing memory management semantics; the returned pointer was sometimes newly
1060 allocated, and sometimes owned by the callee. The calling code has no way of
1061 distinguishing these two cases.
1063 Specifically, SRP servers that configure a secret seed to hide valid
1064 login information are vulnerable to a memory leak: an attacker
1065 connecting with an invalid username can cause a memory leak of around
1066 300 bytes per connection. Servers that do not configure SRP, or
1067 configure SRP but do not configure a seed are not vulnerable.
1069 In Apache, the seed directive is known as SSLSRPUnknownUserSeed.
1071 To mitigate the memory leak, the seed handling in
1072 SRP_VBASE_get_by_user is now disabled even if the user has configured
1073 a seed. Applications are advised to migrate to
1074 SRP_VBASE_get1_by_user. However, note that OpenSSL makes no strong
1075 guarantees about the indistinguishability of valid and invalid
1076 logins. In particular, computations are currently not carried out in
1079 <advisory url="/news/secadv/20160301.txt"/>
1080 <reported source="OpenSSL"/>
1082 <issue public="20160301">
1083 <impact severity="Low"/>
1084 <cve name="2016-0797"/>
1085 <affects base="1.0.1" version="1.0.1"/>
1086 <affects base="1.0.1" version="1.0.1a"/>
1087 <affects base="1.0.1" version="1.0.1b"/>
1088 <affects base="1.0.1" version="1.0.1c"/>
1089 <affects base="1.0.1" version="1.0.1d"/>
1090 <affects base="1.0.1" version="1.0.1e"/>
1091 <affects base="1.0.1" version="1.0.1f"/>
1092 <affects base="1.0.1" version="1.0.1g"/>
1093 <affects base="1.0.1" version="1.0.1h"/>
1094 <affects base="1.0.1" version="1.0.1i"/>
1095 <affects base="1.0.1" version="1.0.1j"/>
1096 <affects base="1.0.1" version="1.0.1k"/>
1097 <affects base="1.0.1" version="1.0.1l"/>
1098 <affects base="1.0.1" version="1.0.1m"/>
1099 <affects base="1.0.1" version="1.0.1n"/>
1100 <affects base="1.0.1" version="1.0.1o"/>
1101 <affects base="1.0.1" version="1.0.1p"/>
1102 <affects base="1.0.1" version="1.0.1q"/>
1103 <affects base="1.0.1" version="1.0.1r"/>
1104 <affects base="1.0.2" version="1.0.2"/>
1105 <affects base="1.0.2" version="1.0.2a"/>
1106 <affects base="1.0.2" version="1.0.2b"/>
1107 <affects base="1.0.2" version="1.0.2c"/>
1108 <affects base="1.0.2" version="1.0.2d"/>
1109 <affects base="1.0.2" version="1.0.2e"/>
1110 <affects base="1.0.2" version="1.0.2f"/>
1111 <fixed base="1.0.1" version="1.0.1s" date="20160301"/>
1112 <fixed base="1.0.2" version="1.0.2g" date="20160301"/>
1115 In the BN_hex2bn function the number of hex digits is calculated using an int
1116 value |i|. Later |bn_expand| is called with a value of |i * 4|. For large values
1117 of |i| this can result in |bn_expand| not allocating any memory because |i * 4|
1118 is negative. This can leave the internal BIGNUM data field as NULL leading to a
1119 subsequent NULL ptr deref. For very large values of |i|, the calculation |i * 4|
1120 could be a positive value smaller than |i|. In this case memory is allocated to
1121 the internal BIGNUM data field, but it is insufficiently sized leading to heap
1122 corruption. A similar issue exists in BN_dec2bn. This could have security
1123 consequences if BN_hex2bn/BN_dec2bn is ever called by user applications with
1124 very large untrusted hex/dec data. This is anticipated to be a rare occurrence.
1126 All OpenSSL internal usage of these functions use data that is not expected to
1127 be untrusted, e.g. config file data or application command line arguments. If
1128 user developed applications generate config file data based on untrusted data
1129 then it is possible that this could also lead to security consequences. This is
1130 also anticipated to be rare.
1132 <advisory url="/news/secadv/20160301.txt"/>
1133 <reported source="Guido Vranken"/>
1135 <issue public="20160301">
1136 <impact severity="Low"/>
1137 <cve name="2016-0799"/>
1138 <affects base="1.0.1" version="1.0.1"/>
1139 <affects base="1.0.1" version="1.0.1a"/>
1140 <affects base="1.0.1" version="1.0.1b"/>
1141 <affects base="1.0.1" version="1.0.1c"/>
1142 <affects base="1.0.1" version="1.0.1d"/>
1143 <affects base="1.0.1" version="1.0.1e"/>
1144 <affects base="1.0.1" version="1.0.1f"/>
1145 <affects base="1.0.1" version="1.0.1g"/>
1146 <affects base="1.0.1" version="1.0.1h"/>
1147 <affects base="1.0.1" version="1.0.1i"/>
1148 <affects base="1.0.1" version="1.0.1j"/>
1149 <affects base="1.0.1" version="1.0.1k"/>
1150 <affects base="1.0.1" version="1.0.1l"/>
1151 <affects base="1.0.1" version="1.0.1m"/>
1152 <affects base="1.0.1" version="1.0.1n"/>
1153 <affects base="1.0.1" version="1.0.1o"/>
1154 <affects base="1.0.1" version="1.0.1p"/>
1155 <affects base="1.0.1" version="1.0.1q"/>
1156 <affects base="1.0.1" version="1.0.1r"/>
1157 <affects base="1.0.2" version="1.0.2"/>
1158 <affects base="1.0.2" version="1.0.2a"/>
1159 <affects base="1.0.2" version="1.0.2b"/>
1160 <affects base="1.0.2" version="1.0.2c"/>
1161 <affects base="1.0.2" version="1.0.2d"/>
1162 <affects base="1.0.2" version="1.0.2e"/>
1163 <affects base="1.0.2" version="1.0.2f"/>
1164 <fixed base="1.0.1" version="1.0.1s" date="20160301"/>
1165 <fixed base="1.0.2" version="1.0.2g" date="20160301"/>
1168 The internal |fmtstr| function used in processing a "%s" format string in the
1169 BIO_*printf functions could overflow while calculating the length of a string
1170 and cause an OOB read when printing very long strings.
1172 Additionally the internal |doapr_outch| function can attempt to write to an OOB
1173 memory location (at an offset from the NULL pointer) in the event of a memory
1174 allocation failure. In 1.0.2 and below this could be caused where the size of a
1175 buffer to be allocated is greater than INT_MAX. E.g. this could be in processing
1176 a very long "%s" format string. Memory leaks can also occur.
1178 The first issue may mask the second issue dependent on compiler behaviour.
1179 These problems could enable attacks where large amounts of untrusted data is
1180 passed to the BIO_*printf functions. If applications use these functions in this
1181 way then they could be vulnerable. OpenSSL itself uses these functions when
1182 printing out human-readable dumps of ASN.1 data. Therefore applications that
1183 print this data could be vulnerable if the data is from untrusted sources.
1184 OpenSSL command line applications could also be vulnerable where they print out
1185 ASN.1 data, or if untrusted data is passed as command line arguments.
1187 Libssl is not considered directly vulnerable. Additionally certificates etc
1188 received via remote connections via libssl are also unlikely to be able to
1189 trigger these issues because of message size limits enforced within libssl.
1191 <advisory url="/news/secadv/20160301.txt"/>
1192 <reported source="Guido Vranken"/>
1194 <issue public="20160301">
1195 <impact severity="Low"/>
1196 <cve name="2016-0702"/>
1197 <affects base="1.0.1" version="1.0.1"/>
1198 <affects base="1.0.1" version="1.0.1a"/>
1199 <affects base="1.0.1" version="1.0.1b"/>
1200 <affects base="1.0.1" version="1.0.1c"/>
1201 <affects base="1.0.1" version="1.0.1d"/>
1202 <affects base="1.0.1" version="1.0.1e"/>
1203 <affects base="1.0.1" version="1.0.1f"/>
1204 <affects base="1.0.1" version="1.0.1g"/>
1205 <affects base="1.0.1" version="1.0.1h"/>
1206 <affects base="1.0.1" version="1.0.1i"/>
1207 <affects base="1.0.1" version="1.0.1j"/>
1208 <affects base="1.0.1" version="1.0.1k"/>
1209 <affects base="1.0.1" version="1.0.1l"/>
1210 <affects base="1.0.1" version="1.0.1m"/>
1211 <affects base="1.0.1" version="1.0.1n"/>
1212 <affects base="1.0.1" version="1.0.1o"/>
1213 <affects base="1.0.1" version="1.0.1p"/>
1214 <affects base="1.0.1" version="1.0.1q"/>
1215 <affects base="1.0.1" version="1.0.1r"/>
1216 <affects base="1.0.2" version="1.0.2"/>
1217 <affects base="1.0.2" version="1.0.2a"/>
1218 <affects base="1.0.2" version="1.0.2b"/>
1219 <affects base="1.0.2" version="1.0.2c"/>
1220 <affects base="1.0.2" version="1.0.2d"/>
1221 <affects base="1.0.2" version="1.0.2e"/>
1222 <affects base="1.0.2" version="1.0.2f"/>
1223 <fixed base="1.0.1" version="1.0.1s" date="20160301"/>
1224 <fixed base="1.0.2" version="1.0.2g" date="20160301"/>
1227 A side-channel attack was found which makes use of cache-bank conflicts on the
1228 Intel Sandy-Bridge microarchitecture which could lead to the recovery of RSA
1229 keys. The ability to exploit this issue is limited as it relies on an attacker
1230 who has control of code in a thread running on the same hyper-threaded core as
1231 the victim thread which is performing decryptions.
1233 <advisory url="/news/secadv/20160301.txt"/>
1234 <reported source="Yuval Yarom, The University of Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and Nadia Heninger, University of Pennsylvania"/>
1236 <issue public="20160301">
1237 <impact severity="High"/>
1238 <cve name="2016-0703"/>
1240 <affects base="0.9.8" version="0.9.8"/>
1241 <affects base="0.9.8" version="0.9.8a"/>
1242 <affects base="0.9.8" version="0.9.8b"/>
1243 <affects base="0.9.8" version="0.9.8c"/>
1244 <affects base="0.9.8" version="0.9.8d"/>
1245 <affects base="0.9.8" version="0.9.8e"/>
1246 <affects base="0.9.8" version="0.9.8f"/>
1247 <affects base="0.9.8" version="0.9.8g"/>
1248 <affects base="0.9.8" version="0.9.8h"/>
1249 <affects base="0.9.8" version="0.9.8i"/>
1250 <affects base="0.9.8" version="0.9.8j"/>
1251 <affects base="0.9.8" version="0.9.8k"/>
1252 <affects base="0.9.8" version="0.9.8l"/>
1253 <affects base="0.9.8" version="0.9.8m"/>
1254 <affects base="0.9.8" version="0.9.8n"/>
1255 <affects base="0.9.8" version="0.9.8o"/>
1256 <affects base="0.9.8" version="0.9.8p"/>
1257 <affects base="0.9.8" version="0.9.8q"/>
1258 <affects base="0.9.8" version="0.9.8r"/>
1259 <affects base="0.9.8" version="0.9.8s"/>
1260 <affects base="0.9.8" version="0.9.8t"/>
1261 <affects base="0.9.8" version="0.9.8u"/>
1262 <affects base="0.9.8" version="0.9.8v"/>
1263 <affects base="0.9.8" version="0.9.8w"/>
1264 <affects base="0.9.8" version="0.9.8x"/>
1265 <affects base="0.9.8" version="0.9.8y"/>
1266 <affects base="0.9.8" version="0.9.8za"/>
1267 <affects base="0.9.8" version="0.9.8zb"/>
1268 <affects base="0.9.8" version="0.9.8zc"/>
1269 <affects base="0.9.8" version="0.9.8zd"/>
1270 <affects base="0.9.8" version="0.9.8ze"/>
1271 <affects base="1.0.0" version="1.0.0"/>
1272 <affects base="1.0.0" version="1.0.0a"/>
1273 <affects base="1.0.0" version="1.0.0b"/>
1274 <affects base="1.0.0" version="1.0.0c"/>
1275 <affects base="1.0.0" version="1.0.0d"/>
1276 <affects base="1.0.0" version="1.0.0e"/>
1277 <affects base="1.0.0" version="1.0.0f"/>
1278 <affects base="1.0.0" version="1.0.0g"/>
1279 <affects base="1.0.0" version="1.0.0i"/>
1280 <affects base="1.0.0" version="1.0.0j"/>
1281 <affects base="1.0.0" version="1.0.0k"/>
1282 <affects base="1.0.0" version="1.0.0l"/>
1283 <affects base="1.0.0" version="1.0.0m"/>
1284 <affects base="1.0.0" version="1.0.0n"/>
1285 <affects base="1.0.0" version="1.0.0o"/>
1286 <affects base="1.0.0" version="1.0.0p"/>
1287 <affects base="1.0.0" version="1.0.0q"/>
1288 <affects base="1.0.1" version="1.0.1"/>
1289 <affects base="1.0.1" version="1.0.1a"/>
1290 <affects base="1.0.1" version="1.0.1b"/>
1291 <affects base="1.0.1" version="1.0.1c"/>
1292 <affects base="1.0.1" version="1.0.1d"/>
1293 <affects base="1.0.1" version="1.0.1e"/>
1294 <affects base="1.0.1" version="1.0.1f"/>
1295 <affects base="1.0.1" version="1.0.1g"/>
1296 <affects base="1.0.1" version="1.0.1h"/>
1297 <affects base="1.0.1" version="1.0.1i"/>
1298 <affects base="1.0.1" version="1.0.1j"/>
1299 <affects base="1.0.1" version="1.0.1k"/>
1300 <affects base="1.0.1" version="1.0.1l"/>
1301 <affects base="1.0.2" version="1.0.2"/>
1302 <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
1303 <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
1304 <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
1305 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
1308 This issue only affected versions of OpenSSL prior to March 19th 2015 at which
1309 time the code was refactored to address vulnerability CVE-2015-0293.
1311 s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If
1312 clear-key bytes are present for these ciphers, they *displace* encrypted-key
1313 bytes. This leads to an efficient divide-and-conquer key recovery attack: if an
1314 eavesdropper has intercepted an SSLv2 handshake, they can use the server as an
1315 oracle to determine the SSLv2 master-key, using only 16 connections to the
1316 server and negligible computation.
1318 More importantly, this leads to a more efficient version of DROWN that is
1319 effective against non-export ciphersuites, and requires no significant
1322 <advisory url="/news/secadv/20160301.txt"/>
1323 <reported source="David Adrian and J.Alex Halderman (University of Michigan)"/>
1325 <issue public="20160301">
1326 <impact severity="Moderate"/>
1327 <cve name="2016-0704"/>
1329 <affects base="0.9.8" version="0.9.8"/>
1330 <affects base="0.9.8" version="0.9.8a"/>
1331 <affects base="0.9.8" version="0.9.8b"/>
1332 <affects base="0.9.8" version="0.9.8c"/>
1333 <affects base="0.9.8" version="0.9.8d"/>
1334 <affects base="0.9.8" version="0.9.8e"/>
1335 <affects base="0.9.8" version="0.9.8f"/>
1336 <affects base="0.9.8" version="0.9.8g"/>
1337 <affects base="0.9.8" version="0.9.8h"/>
1338 <affects base="0.9.8" version="0.9.8i"/>
1339 <affects base="0.9.8" version="0.9.8j"/>
1340 <affects base="0.9.8" version="0.9.8k"/>
1341 <affects base="0.9.8" version="0.9.8l"/>
1342 <affects base="0.9.8" version="0.9.8m"/>
1343 <affects base="0.9.8" version="0.9.8n"/>
1344 <affects base="0.9.8" version="0.9.8o"/>
1345 <affects base="0.9.8" version="0.9.8p"/>
1346 <affects base="0.9.8" version="0.9.8q"/>
1347 <affects base="0.9.8" version="0.9.8r"/>
1348 <affects base="0.9.8" version="0.9.8s"/>
1349 <affects base="0.9.8" version="0.9.8t"/>
1350 <affects base="0.9.8" version="0.9.8u"/>
1351 <affects base="0.9.8" version="0.9.8v"/>
1352 <affects base="0.9.8" version="0.9.8w"/>
1353 <affects base="0.9.8" version="0.9.8x"/>
1354 <affects base="0.9.8" version="0.9.8y"/>
1355 <affects base="0.9.8" version="0.9.8za"/>
1356 <affects base="0.9.8" version="0.9.8zb"/>
1357 <affects base="0.9.8" version="0.9.8zc"/>
1358 <affects base="0.9.8" version="0.9.8zd"/>
1359 <affects base="0.9.8" version="0.9.8ze"/>
1360 <affects base="1.0.0" version="1.0.0"/>
1361 <affects base="1.0.0" version="1.0.0a"/>
1362 <affects base="1.0.0" version="1.0.0b"/>
1363 <affects base="1.0.0" version="1.0.0c"/>
1364 <affects base="1.0.0" version="1.0.0d"/>
1365 <affects base="1.0.0" version="1.0.0e"/>
1366 <affects base="1.0.0" version="1.0.0f"/>
1367 <affects base="1.0.0" version="1.0.0g"/>
1368 <affects base="1.0.0" version="1.0.0i"/>
1369 <affects base="1.0.0" version="1.0.0j"/>
1370 <affects base="1.0.0" version="1.0.0k"/>
1371 <affects base="1.0.0" version="1.0.0l"/>
1372 <affects base="1.0.0" version="1.0.0m"/>
1373 <affects base="1.0.0" version="1.0.0n"/>
1374 <affects base="1.0.0" version="1.0.0o"/>
1375 <affects base="1.0.0" version="1.0.0p"/>
1376 <affects base="1.0.0" version="1.0.0q"/>
1377 <affects base="1.0.1" version="1.0.1"/>
1378 <affects base="1.0.1" version="1.0.1a"/>
1379 <affects base="1.0.1" version="1.0.1b"/>
1380 <affects base="1.0.1" version="1.0.1c"/>
1381 <affects base="1.0.1" version="1.0.1d"/>
1382 <affects base="1.0.1" version="1.0.1e"/>
1383 <affects base="1.0.1" version="1.0.1f"/>
1384 <affects base="1.0.1" version="1.0.1g"/>
1385 <affects base="1.0.1" version="1.0.1h"/>
1386 <affects base="1.0.1" version="1.0.1i"/>
1387 <affects base="1.0.1" version="1.0.1j"/>
1388 <affects base="1.0.1" version="1.0.1k"/>
1389 <affects base="1.0.1" version="1.0.1l"/>
1390 <affects base="1.0.2" version="1.0.2"/>
1391 <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
1392 <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
1393 <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
1394 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
1397 This issue only affected versions of OpenSSL prior to March 19th 2015 at which
1398 time the code was refactored to address the vulnerability CVE-2015-0293.
1400 s2_srvr.c overwrite the wrong bytes in the master-key when applying
1401 Bleichenbacher protection for export cipher suites. This provides a
1402 Bleichenbacher oracle, and could potentially allow more efficient variants of
1405 <advisory url="/news/secadv/20160301.txt"/>
1406 <reported source="David Adrian and J.Alex Halderman (University of Michigan)"/>
1408 <issue public="20160128">
1409 <impact severity="High"/>
1410 <cve name="2016-0701"/>
1411 <affects base="1.0.2" version="1.0.2"/>
1412 <affects base="1.0.2" version="1.0.2a"/>
1413 <affects base="1.0.2" version="1.0.2b"/>
1414 <affects base="1.0.2" version="1.0.2c"/>
1415 <affects base="1.0.2" version="1.0.2d"/>
1416 <affects base="1.0.2" version="1.0.2e"/>
1417 <fixed base="1.0.2" version="1.0.2f" date="2016-0701"/>
1420 Historically OpenSSL usually only ever generated DH parameters based on "safe"
1421 primes. More recently (in version 1.0.2) support was provided for generating
1422 X9.42 style parameter files such as those required for RFC 5114 support. The
1423 primes used in such files may not be "safe". Where an application is using DH
1424 configured with parameters based on primes that are not "safe" then an attacker
1425 could use this fact to find a peer's private DH exponent. This attack requires
1426 that the attacker complete multiple handshakes in which the peer uses the same
1427 private DH exponent. For example this could be used to discover a TLS server's
1428 private DH exponent if it's reusing the private DH exponent or it's using a
1429 static DH ciphersuite.
1431 OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS.
1432 It is not on by default. If the option is not set then the server reuses the
1433 same private DH exponent for the life of the server process and would be
1434 vulnerable to this attack. It is believed that many popular applications do set
1435 this option and would therefore not be at risk.
1437 OpenSSL before 1.0.2f will reuse the key if:
1438 - SSL_CTX_set_tmp_dh()/SSL_set_tmp_dh() is used and SSL_OP_SINGLE_DH_USE is not
1440 - SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used, and both the
1441 parameters and the key are set and SSL_OP_SINGLE_DH_USE is not used. This is
1442 an undocumted feature and parameter files don't contain the key.
1443 - Static DH ciphersuites are used. The key is part of the certificate and
1444 so it will always reuse it. This is only supported in 1.0.2.
1446 It will not reuse the key for DHE ciphers suites if:
1447 - SSL_OP_SINGLE_DH_USE is set
1448 - SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used and the
1449 callback does not provide the key, only the parameters. The callback is
1450 almost always used like this.
1452 Non-safe primes are generated by OpenSSL when using:
1453 - genpkey with the dh_rfc5114 option. This will write an X9.42 style file
1454 including the prime-order subgroup size "q". This is supported since the 1.0.2
1455 version. Older versions can't read files generated in this way.
1456 - dhparam with the -dsaparam option. This has always been documented as
1457 requiring the single use.
1459 The fix for this issue adds an additional check where a "q" parameter is
1460 available (as is the case in X9.42 based parameters). This detects the
1461 only known attack, and is the only possible defense for static DH ciphersuites.
1462 This could have some performance impact.
1464 Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by default
1465 and cannot be disabled. This could have some performance impact.
1467 <advisory url="/news/secadv/20160128.txt"/>
1468 <reported source="Antonio Sanso (Adobe)"/>
1470 <issue public="20160128">
1471 <impact severity="Low"/>
1472 <cve name="2015-3197"/>
1473 <affects base="1.0.1" version="1.0.1"/>
1474 <affects base="1.0.1" version="1.0.1a"/>
1475 <affects base="1.0.1" version="1.0.1b"/>
1476 <affects base="1.0.1" version="1.0.1c"/>
1477 <affects base="1.0.1" version="1.0.1d"/>
1478 <affects base="1.0.1" version="1.0.1e"/>
1479 <affects base="1.0.1" version="1.0.1f"/>
1480 <affects base="1.0.1" version="1.0.1g"/>
1481 <affects base="1.0.1" version="1.0.1h"/>
1482 <affects base="1.0.1" version="1.0.1i"/>
1483 <affects base="1.0.1" version="1.0.1j"/>
1484 <affects base="1.0.1" version="1.0.1k"/>
1485 <affects base="1.0.1" version="1.0.1l"/>
1486 <affects base="1.0.1" version="1.0.1m"/>
1487 <affects base="1.0.1" version="1.0.1n"/>
1488 <affects base="1.0.1" version="1.0.1o"/>
1489 <affects base="1.0.1" version="1.0.1p"/>
1490 <affects base="1.0.1" version="1.0.1q"/>
1491 <affects base="1.0.2" version="1.0.2"/>
1492 <affects base="1.0.2" version="1.0.2a"/>
1493 <affects base="1.0.2" version="1.0.2b"/>
1494 <affects base="1.0.2" version="1.0.2c"/>
1495 <affects base="1.0.2" version="1.0.2d"/>
1496 <affects base="1.0.2" version="1.0.2e"/>
1497 <fixed base="1.0.1" version="1.0.1r" date="20160128"/>
1498 <fixed base="1.0.2" version="1.0.2f" date="20160128"/>
1501 A malicious client can negotiate SSLv2 ciphers that have been disabled on the
1502 server and complete SSLv2 handshakes even if all SSLv2 ciphers have been
1503 disabled, provided that the SSLv2 protocol was not also disabled via
1506 <advisory url="/news/secadv/20160128.txt"/>
1507 <reported source="Nimrod Aviram and Sebastian Schinzel"/>
1509 <issue public="20150811">
1510 <impact severity="Low"/>
1511 <cve name="2015-1794"/>
1512 <affects base="1.0.2" version="1.0.2"/>
1513 <affects base="1.0.2" version="1.0.2a"/>
1514 <affects base="1.0.2" version="1.0.2b"/>
1515 <affects base="1.0.2" version="1.0.2c"/>
1516 <affects base="1.0.2" version="1.0.2d"/>
1517 <fixed base="1.0.2" version="1.0.2e" date="20151203"/>
1520 If a client receives a ServerKeyExchange for an anonymous DH ciphersuite with
1521 the value of p set to 0 then a seg fault can occur leading to a possible denial
1524 <advisory url="/news/secadv/20151203.txt"/>
1525 <reported source="Guy Leaver (Cisco)"/>
1527 <issue public="20151203">
1528 <cve name="2015-3193"/>
1529 <impact severity="Moderate"/>
1530 <affects base="1.0.2" version="1.0.2"/>
1531 <affects base="1.0.2" version="1.0.2a"/>
1532 <affects base="1.0.2" version="1.0.2b"/>
1533 <affects base="1.0.2" version="1.0.2c"/>
1534 <affects base="1.0.2" version="1.0.2d"/>
1535 <fixed base="1.0.2" version="1.0.2e" date="20151203"/>
1538 There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No
1539 EC algorithms are affected. Analysis suggests that attacks against RSA and DSA
1540 as a result of this defect would be very difficult to perform and are not
1541 believed likely. Attacks against DH are considered just feasible (although very
1542 difficult) because most of the work necessary to deduce information
1543 about a private key may be performed offline. The amount of resources
1544 required for such an attack would be very significant and likely only
1545 accessible to a limited number of attackers. An attacker would
1546 additionally need online access to an unpatched system using the target
1547 private key in a scenario with persistent DH parameters and a private
1548 key that is shared between multiple clients. For example this can occur by
1549 default in OpenSSL DHE based SSL/TLS ciphersuites.
1551 <advisory url="/news/secadv/20151203.txt"/>
1552 <reported source="Hanno Böck"/>
1554 <issue public="20151203">
1555 <cve name="2015-3194"/>
1556 <impact severity="Moderate"/>
1557 <affects base="1.0.1" version="1.0.1"/>
1558 <affects base="1.0.1" version="1.0.1a"/>
1559 <affects base="1.0.1" version="1.0.1b"/>
1560 <affects base="1.0.1" version="1.0.1c"/>
1561 <affects base="1.0.1" version="1.0.1d"/>
1562 <affects base="1.0.1" version="1.0.1e"/>
1563 <affects base="1.0.1" version="1.0.1f"/>
1564 <affects base="1.0.1" version="1.0.1g"/>
1565 <affects base="1.0.1" version="1.0.1h"/>
1566 <affects base="1.0.1" version="1.0.1i"/>
1567 <affects base="1.0.1" version="1.0.1j"/>
1568 <affects base="1.0.1" version="1.0.1k"/>
1569 <affects base="1.0.1" version="1.0.1l"/>
1570 <affects base="1.0.1" version="1.0.1m"/>
1571 <affects base="1.0.1" version="1.0.1n"/>
1572 <affects base="1.0.1" version="1.0.1o"/>
1573 <affects base="1.0.1" version="1.0.1p"/>
1574 <affects base="1.0.2" version="1.0.2"/>
1575 <affects base="1.0.2" version="1.0.2a"/>
1576 <affects base="1.0.2" version="1.0.2b"/>
1577 <affects base="1.0.2" version="1.0.2c"/>
1578 <affects base="1.0.2" version="1.0.2d"/>
1579 <fixed base="1.0.2" version="1.0.2e" date="20151203"/>
1580 <fixed base="1.0.1" version="1.0.1q" date="20151203"/>
1583 The signature verification routines will crash with a NULL pointer dereference
1584 if presented with an ASN.1 signature using the RSA PSS algorithm and absent
1585 mask generation function parameter. Since these routines are used to verify
1586 certificate signature algorithms this can be used to crash any certificate
1587 verification operation and exploited in a DoS attack. Any application which
1588 performs certificate verification is vulnerable including OpenSSL clients and
1589 servers which enable client authentication.
1591 <advisory url="/news/secadv/20151203.txt"/>
1592 <reported source="Loïc Jonas Etienne (Qnective AG)"/>
1594 <issue public="20151203">
1595 <cve name="2015-3195"/>
1596 <impact severity="Moderate"/>
1597 <affects base="0.9.8" version="0.9.8"/>
1598 <affects base="0.9.8" version="0.9.8a"/>
1599 <affects base="0.9.8" version="0.9.8b"/>
1600 <affects base="0.9.8" version="0.9.8c"/>
1601 <affects base="0.9.8" version="0.9.8d"/>
1602 <affects base="0.9.8" version="0.9.8e"/>
1603 <affects base="0.9.8" version="0.9.8f"/>
1604 <affects base="0.9.8" version="0.9.8g"/>
1605 <affects base="0.9.8" version="0.9.8h"/>
1606 <affects base="0.9.8" version="0.9.8i"/>
1607 <affects base="0.9.8" version="0.9.8j"/>
1608 <affects base="0.9.8" version="0.9.8k"/>
1609 <affects base="0.9.8" version="0.9.8l"/>
1610 <affects base="0.9.8" version="0.9.8m"/>
1611 <affects base="0.9.8" version="0.9.8n"/>
1612 <affects base="0.9.8" version="0.9.8o"/>
1613 <affects base="0.9.8" version="0.9.8p"/>
1614 <affects base="0.9.8" version="0.9.8q"/>
1615 <affects base="0.9.8" version="0.9.8r"/>
1616 <affects base="0.9.8" version="0.9.8s"/>
1617 <affects base="0.9.8" version="0.9.8t"/>
1618 <affects base="0.9.8" version="0.9.8u"/>
1619 <affects base="0.9.8" version="0.9.8v"/>
1620 <affects base="0.9.8" version="0.9.8w"/>
1621 <affects base="0.9.8" version="0.9.8x"/>
1622 <affects base="0.9.8" version="0.9.8y"/>
1623 <affects base="0.9.8" version="0.9.8za"/>
1624 <affects base="0.9.8" version="0.9.8zb"/>
1625 <affects base="0.9.8" version="0.9.8zc"/>
1626 <affects base="0.9.8" version="0.9.8zd"/>
1627 <affects base="0.9.8" version="0.9.8ze"/>
1628 <affects base="0.9.8" version="0.9.8zf"/>
1629 <affects base="0.9.8" version="0.9.8zg"/>
1630 <affects base="1.0.0" version="1.0.0"/>
1631 <affects base="1.0.0" version="1.0.0a"/>
1632 <affects base="1.0.0" version="1.0.0b"/>
1633 <affects base="1.0.0" version="1.0.0c"/>
1634 <affects base="1.0.0" version="1.0.0d"/>
1635 <affects base="1.0.0" version="1.0.0e"/>
1636 <affects base="1.0.0" version="1.0.0f"/>
1637 <affects base="1.0.0" version="1.0.0g"/>
1638 <affects base="1.0.0" version="1.0.0h"/>
1639 <affects base="1.0.0" version="1.0.0i"/>
1640 <affects base="1.0.0" version="1.0.0j"/>
1641 <affects base="1.0.0" version="1.0.0k"/>
1642 <affects base="1.0.0" version="1.0.0l"/>
1643 <affects base="1.0.0" version="1.0.0m"/>
1644 <affects base="1.0.0" version="1.0.0n"/>
1645 <affects base="1.0.0" version="1.0.0o"/>
1646 <affects base="1.0.0" version="1.0.0p"/>
1647 <affects base="1.0.0" version="1.0.0q"/>
1648 <affects base="1.0.0" version="1.0.0r"/>
1649 <affects base="1.0.0" version="1.0.0s"/>
1650 <affects base="1.0.1" version="1.0.1"/>
1651 <affects base="1.0.1" version="1.0.1a"/>
1652 <affects base="1.0.1" version="1.0.1b"/>
1653 <affects base="1.0.1" version="1.0.1c"/>
1654 <affects base="1.0.1" version="1.0.1d"/>
1655 <affects base="1.0.1" version="1.0.1e"/>
1656 <affects base="1.0.1" version="1.0.1f"/>
1657 <affects base="1.0.1" version="1.0.1g"/>
1658 <affects base="1.0.1" version="1.0.1h"/>
1659 <affects base="1.0.1" version="1.0.1i"/>
1660 <affects base="1.0.1" version="1.0.1j"/>
1661 <affects base="1.0.1" version="1.0.1k"/>
1662 <affects base="1.0.1" version="1.0.1l"/>
1663 <affects base="1.0.1" version="1.0.1m"/>
1664 <affects base="1.0.1" version="1.0.1n"/>
1665 <affects base="1.0.1" version="1.0.1o"/>
1666 <affects base="1.0.1" version="1.0.1p"/>
1667 <affects base="1.0.2" version="1.0.2"/>
1668 <affects base="1.0.2" version="1.0.2a"/>
1669 <affects base="1.0.2" version="1.0.2b"/>
1670 <affects base="1.0.2" version="1.0.2c"/>
1671 <affects base="1.0.2" version="1.0.2d"/>
1672 <fixed base="1.0.2" version="1.0.2e" date="20151203"/>
1673 <fixed base="1.0.1" version="1.0.1q" date="20151203"/>
1674 <fixed base="1.0.0" version="1.0.0t" date="20151203"/>
1675 <fixed base="0.9.8" version="0.9.8zh" date="20151203"/>
1678 When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
1679 memory. This structure is used by the PKCS#7 and CMS routines so any
1680 application which reads PKCS#7 or CMS data from untrusted sources is affected.
1681 SSL/TLS is not affected.
1683 <advisory url="/news/secadv/20151203.txt"/>
1684 <reported source="Adam Langley (Google/BoringSSL) using libFuzzer"/>
1686 <issue public="20151203">
1687 <cve name="2015-3196"/>
1688 <impact severity="Low"/>
1689 <affects base="1.0.0" version="1.0.0"/>
1690 <affects base="1.0.0" version="1.0.0a"/>
1691 <affects base="1.0.0" version="1.0.0b"/>
1692 <affects base="1.0.0" version="1.0.0c"/>
1693 <affects base="1.0.0" version="1.0.0d"/>
1694 <affects base="1.0.0" version="1.0.0e"/>
1695 <affects base="1.0.0" version="1.0.0f"/>
1696 <affects base="1.0.0" version="1.0.0g"/>
1697 <affects base="1.0.0" version="1.0.0h"/>
1698 <affects base="1.0.0" version="1.0.0i"/>
1699 <affects base="1.0.0" version="1.0.0j"/>
1700 <affects base="1.0.0" version="1.0.0k"/>
1701 <affects base="1.0.0" version="1.0.0l"/>
1702 <affects base="1.0.0" version="1.0.0m"/>
1703 <affects base="1.0.0" version="1.0.0n"/>
1704 <affects base="1.0.0" version="1.0.0o"/>
1705 <affects base="1.0.0" version="1.0.0p"/>
1706 <affects base="1.0.0" version="1.0.0q"/>
1707 <affects base="1.0.0" version="1.0.0r"/>
1708 <affects base="1.0.0" version="1.0.0s"/>
1709 <affects base="1.0.1" version="1.0.1"/>
1710 <affects base="1.0.1" version="1.0.1a"/>
1711 <affects base="1.0.1" version="1.0.1b"/>
1712 <affects base="1.0.1" version="1.0.1c"/>
1713 <affects base="1.0.1" version="1.0.1d"/>
1714 <affects base="1.0.1" version="1.0.1e"/>
1715 <affects base="1.0.1" version="1.0.1f"/>
1716 <affects base="1.0.1" version="1.0.1g"/>
1717 <affects base="1.0.1" version="1.0.1h"/>
1718 <affects base="1.0.1" version="1.0.1i"/>
1719 <affects base="1.0.1" version="1.0.1j"/>
1720 <affects base="1.0.1" version="1.0.1k"/>
1721 <affects base="1.0.1" version="1.0.1l"/>
1722 <affects base="1.0.1" version="1.0.1m"/>
1723 <affects base="1.0.1" version="1.0.1n"/>
1724 <affects base="1.0.1" version="1.0.1o"/>
1725 <affects base="1.0.2" version="1.0.2"/>
1726 <affects base="1.0.2" version="1.0.2a"/>
1727 <affects base="1.0.2" version="1.0.2b"/>
1728 <affects base="1.0.2" version="1.0.2c"/>
1729 <fixed base="1.0.2" version="1.0.2d" date="20150709"/>
1730 <fixed base="1.0.1" version="1.0.1p" date="20150709"/>
1731 <fixed base="1.0.0" version="1.0.0t" date="20151203"/>
1734 If PSK identity hints are received by a multi-threaded client then
1735 the values are wrongly updated in the parent SSL_CTX structure. This can
1736 result in a race condition potentially leading to a double free of the
1739 <advisory url="/news/secadv/20151203.txt"/>
1740 <reported source="Stephen Henson (OpenSSL)"/>
1743 <issue public="20150709">
1744 <cve name="2015-1793"/>
1745 <impact severity="High"/>
1746 <affects base="1.0.1" version="1.0.1n"/>
1747 <affects base="1.0.1" version="1.0.1o"/>
1748 <affects base="1.0.2" version="1.0.2b"/>
1749 <affects base="1.0.2" version="1.0.2c"/>
1750 <fixed base="1.0.2" version="1.0.2d" date="20150709"/>
1751 <fixed base="1.0.1" version="1.0.1p" date="20150709"/>
1754 An error in the implementation of the alternative certificate
1755 chain logic could allow an attacker to cause certain checks on
1756 untrusted certificates to be bypassed, such as the CA flag,
1757 enabling them to use a valid leaf certificate to act as a CA and
1758 "issue" an invalid certificate.
1760 <advisory url="/news/secadv/20150709.txt"/>
1761 <reported source="Adam Langley and David Benjamin (Google/BoringSSL)"/>
1763 <issue public="20150611">
1764 <cve name="2015-1788"/>
1765 <affects base="0.9.8" version="0.9.8"/>
1766 <affects base="0.9.8" version="0.9.8a"/>
1767 <affects base="0.9.8" version="0.9.8b"/>
1768 <affects base="0.9.8" version="0.9.8c"/>
1769 <affects base="0.9.8" version="0.9.8d"/>
1770 <affects base="0.9.8" version="0.9.8e"/>
1771 <affects base="0.9.8" version="0.9.8f"/>
1772 <affects base="0.9.8" version="0.9.8g"/>
1773 <affects base="0.9.8" version="0.9.8h"/>
1774 <affects base="0.9.8" version="0.9.8i"/>
1775 <affects base="0.9.8" version="0.9.8j"/>
1776 <affects base="0.9.8" version="0.9.8k"/>
1777 <affects base="0.9.8" version="0.9.8l"/>
1778 <affects base="0.9.8" version="0.9.8m"/>
1779 <affects base="0.9.8" version="0.9.8n"/>
1780 <affects base="0.9.8" version="0.9.8o"/>
1781 <affects base="0.9.8" version="0.9.8p"/>
1782 <affects base="0.9.8" version="0.9.8q"/>
1783 <affects base="0.9.8" version="0.9.8r"/>
1784 <affects base="1.0.0" version="1.0.0"/>
1785 <affects base="1.0.0" version="1.0.0a"/>
1786 <affects base="1.0.0" version="1.0.0b"/>
1787 <affects base="1.0.0" version="1.0.0c"/>
1788 <affects base="1.0.0" version="1.0.0d"/>
1789 <affects base="1.0.1" version="1.0.1"/>
1790 <affects base="1.0.1" version="1.0.1a"/>
1791 <affects base="1.0.1" version="1.0.1b"/>
1792 <affects base="1.0.1" version="1.0.1c"/>
1793 <affects base="1.0.1" version="1.0.1d"/>
1794 <affects base="1.0.1" version="1.0.1e"/>
1795 <affects base="1.0.1" version="1.0.1f"/>
1796 <affects base="1.0.1" version="1.0.1g"/>
1797 <affects base="1.0.1" version="1.0.1h"/>
1798 <affects base="1.0.1" version="1.0.1i"/>
1799 <affects base="1.0.1" version="1.0.1j"/>
1800 <affects base="1.0.1" version="1.0.1k"/>
1801 <affects base="1.0.1" version="1.0.1l"/>
1802 <affects base="1.0.1" version="1.0.1m"/>
1803 <affects base="1.0.2" version="1.0.2"/>
1804 <affects base="1.0.2" version="1.0.2a"/>
1805 <fixed base="1.0.2" version="1.0.2b" date="20150611"/>
1806 <fixed base="1.0.1" version="1.0.1n" date="20150611"/>
1807 <fixed base="1.0.0" version="1.0.0e" date="20110906"/>
1808 <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
1811 When processing an ECParameters structure OpenSSL enters an infinite loop if
1812 the curve specified is over a specially malformed binary polynomial field.
1814 This can be used to perform denial of service against any
1815 system which processes public keys, certificate requests or
1816 certificates. This includes TLS clients and TLS servers with
1817 client authentication enabled.
1819 <advisory url="/news/secadv/20150611.txt"/>
1820 <reported source="Joseph Birr-Pixton"/>
1823 <issue public="20150611">
1824 <cve name="2015-1789"/>
1825 <impact severity="Moderate"/>
1826 <affects base="0.9.8" version="0.9.8"/>
1827 <affects base="0.9.8" version="0.9.8a"/>
1828 <affects base="0.9.8" version="0.9.8b"/>
1829 <affects base="0.9.8" version="0.9.8c"/>
1830 <affects base="0.9.8" version="0.9.8d"/>
1831 <affects base="0.9.8" version="0.9.8e"/>
1832 <affects base="0.9.8" version="0.9.8f"/>
1833 <affects base="0.9.8" version="0.9.8g"/>
1834 <affects base="0.9.8" version="0.9.8h"/>
1835 <affects base="0.9.8" version="0.9.8i"/>
1836 <affects base="0.9.8" version="0.9.8j"/>
1837 <affects base="0.9.8" version="0.9.8k"/>
1838 <affects base="0.9.8" version="0.9.8l"/>
1839 <affects base="0.9.8" version="0.9.8m"/>
1840 <affects base="0.9.8" version="0.9.8n"/>
1841 <affects base="0.9.8" version="0.9.8o"/>
1842 <affects base="0.9.8" version="0.9.8p"/>
1843 <affects base="0.9.8" version="0.9.8q"/>
1844 <affects base="0.9.8" version="0.9.8r"/>
1845 <affects base="0.9.8" version="0.9.8s"/>
1846 <affects base="0.9.8" version="0.9.8t"/>
1847 <affects base="0.9.8" version="0.9.8u"/>
1848 <affects base="0.9.8" version="0.9.8v"/>
1849 <affects base="0.9.8" version="0.9.8w"/>
1850 <affects base="0.9.8" version="0.9.8x"/>
1851 <affects base="0.9.8" version="0.9.8y"/>
1852 <affects base="0.9.8" version="0.9.8za"/>
1853 <affects base="0.9.8" version="0.9.8zb"/>
1854 <affects base="0.9.8" version="0.9.8zc"/>
1855 <affects base="0.9.8" version="0.9.8zd"/>
1856 <affects base="0.9.8" version="0.9.8ze"/>
1857 <affects base="0.9.8" version="0.9.8zf"/>
1858 <affects base="1.0.0" version="1.0.0"/>
1859 <affects base="1.0.0" version="1.0.0a"/>
1860 <affects base="1.0.0" version="1.0.0b"/>
1861 <affects base="1.0.0" version="1.0.0c"/>
1862 <affects base="1.0.0" version="1.0.0d"/>
1863 <affects base="1.0.0" version="1.0.0e"/>
1864 <affects base="1.0.0" version="1.0.0f"/>
1865 <affects base="1.0.0" version="1.0.0g"/>
1866 <affects base="1.0.0" version="1.0.0i"/>
1867 <affects base="1.0.0" version="1.0.0j"/>
1868 <affects base="1.0.0" version="1.0.0k"/>
1869 <affects base="1.0.0" version="1.0.0l"/>
1870 <affects base="1.0.0" version="1.0.0m"/>
1871 <affects base="1.0.0" version="1.0.0n"/>
1872 <affects base="1.0.0" version="1.0.0o"/>
1873 <affects base="1.0.0" version="1.0.0p"/>
1874 <affects base="1.0.0" version="1.0.0q"/>
1875 <affects base="1.0.0" version="1.0.0r"/>
1876 <affects base="1.0.1" version="1.0.1"/>
1877 <affects base="1.0.1" version="1.0.1a"/>
1878 <affects base="1.0.1" version="1.0.1b"/>
1879 <affects base="1.0.1" version="1.0.1c"/>
1880 <affects base="1.0.1" version="1.0.1d"/>
1881 <affects base="1.0.1" version="1.0.1e"/>
1882 <affects base="1.0.1" version="1.0.1f"/>
1883 <affects base="1.0.1" version="1.0.1g"/>
1884 <affects base="1.0.1" version="1.0.1h"/>
1885 <affects base="1.0.1" version="1.0.1i"/>
1886 <affects base="1.0.1" version="1.0.1j"/>
1887 <affects base="1.0.1" version="1.0.1k"/>
1888 <affects base="1.0.1" version="1.0.1l"/>
1889 <affects base="1.0.1" version="1.0.1m"/>
1890 <affects base="1.0.2" version="1.0.2"/>
1891 <affects base="1.0.2" version="1.0.2a"/>
1892 <fixed base="1.0.2" version="1.0.2b" date="20150611"/>
1893 <fixed base="1.0.1" version="1.0.1n" date="20150611"/>
1894 <fixed base="1.0.0" version="1.0.0s" date="20150611"/>
1895 <fixed base="0.9.8" version="0.9.8zg" date="20150611"/>
1898 X509_cmp_time does not properly check the length of the ASN1_TIME
1899 string and can read a few bytes out of bounds. In addition,
1900 X509_cmp_time accepts an arbitrary number of fractional seconds in the
1903 An attacker can use this to craft malformed certificates and CRLs of
1904 various sizes and potentially cause a segmentation fault, resulting in
1905 a DoS on applications that verify certificates or CRLs. TLS clients
1906 that verify CRLs are affected. TLS clients and servers with client
1907 authentication enabled may be affected if they use custom verification
1910 <advisory url="/news/secadv/20150611.txt"/>
1911 <reported source="Robert Swiecki (Google) and (independently) Hanno Böck"/>
1914 <issue public="20150611">
1915 <cve name="2015-1790"/>
1916 <impact severity="Moderate"/>
1917 <affects base="0.9.8" version="0.9.8"/>
1918 <affects base="0.9.8" version="0.9.8a"/>
1919 <affects base="0.9.8" version="0.9.8b"/>
1920 <affects base="0.9.8" version="0.9.8c"/>
1921 <affects base="0.9.8" version="0.9.8d"/>
1922 <affects base="0.9.8" version="0.9.8e"/>
1923 <affects base="0.9.8" version="0.9.8f"/>
1924 <affects base="0.9.8" version="0.9.8g"/>
1925 <affects base="0.9.8" version="0.9.8h"/>
1926 <affects base="0.9.8" version="0.9.8i"/>
1927 <affects base="0.9.8" version="0.9.8j"/>
1928 <affects base="0.9.8" version="0.9.8k"/>
1929 <affects base="0.9.8" version="0.9.8l"/>
1930 <affects base="0.9.8" version="0.9.8m"/>
1931 <affects base="0.9.8" version="0.9.8n"/>
1932 <affects base="0.9.8" version="0.9.8o"/>
1933 <affects base="0.9.8" version="0.9.8p"/>
1934 <affects base="0.9.8" version="0.9.8q"/>
1935 <affects base="0.9.8" version="0.9.8r"/>
1936 <affects base="0.9.8" version="0.9.8s"/>
1937 <affects base="0.9.8" version="0.9.8t"/>
1938 <affects base="0.9.8" version="0.9.8u"/>
1939 <affects base="0.9.8" version="0.9.8v"/>
1940 <affects base="0.9.8" version="0.9.8w"/>
1941 <affects base="0.9.8" version="0.9.8x"/>
1942 <affects base="0.9.8" version="0.9.8y"/>
1943 <affects base="0.9.8" version="0.9.8za"/>
1944 <affects base="0.9.8" version="0.9.8zb"/>
1945 <affects base="0.9.8" version="0.9.8zc"/>
1946 <affects base="0.9.8" version="0.9.8zd"/>
1947 <affects base="0.9.8" version="0.9.8ze"/>
1948 <affects base="0.9.8" version="0.9.8zf"/>
1949 <affects base="1.0.0" version="1.0.0"/>
1950 <affects base="1.0.0" version="1.0.0a"/>
1951 <affects base="1.0.0" version="1.0.0b"/>
1952 <affects base="1.0.0" version="1.0.0c"/>
1953 <affects base="1.0.0" version="1.0.0d"/>
1954 <affects base="1.0.0" version="1.0.0e"/>
1955 <affects base="1.0.0" version="1.0.0f"/>
1956 <affects base="1.0.0" version="1.0.0g"/>
1957 <affects base="1.0.0" version="1.0.0i"/>
1958 <affects base="1.0.0" version="1.0.0j"/>
1959 <affects base="1.0.0" version="1.0.0k"/>
1960 <affects base="1.0.0" version="1.0.0l"/>
1961 <affects base="1.0.0" version="1.0.0m"/>
1962 <affects base="1.0.0" version="1.0.0n"/>
1963 <affects base="1.0.0" version="1.0.0o"/>
1964 <affects base="1.0.0" version="1.0.0p"/>
1965 <affects base="1.0.0" version="1.0.0q"/>
1966 <affects base="1.0.0" version="1.0.0r"/>
1967 <affects base="1.0.1" version="1.0.1"/>
1968 <affects base="1.0.1" version="1.0.1a"/>
1969 <affects base="1.0.1" version="1.0.1b"/>
1970 <affects base="1.0.1" version="1.0.1c"/>
1971 <affects base="1.0.1" version="1.0.1d"/>
1972 <affects base="1.0.1" version="1.0.1e"/>
1973 <affects base="1.0.1" version="1.0.1f"/>
1974 <affects base="1.0.1" version="1.0.1g"/>
1975 <affects base="1.0.1" version="1.0.1h"/>
1976 <affects base="1.0.1" version="1.0.1i"/>
1977 <affects base="1.0.1" version="1.0.1j"/>
1978 <affects base="1.0.1" version="1.0.1k"/>
1979 <affects base="1.0.1" version="1.0.1l"/>
1980 <affects base="1.0.1" version="1.0.1m"/>
1981 <affects base="1.0.2" version="1.0.2"/>
1982 <affects base="1.0.2" version="1.0.2a"/>
1983 <fixed base="1.0.2" version="1.0.2b" date="20150611"/>
1984 <fixed base="1.0.1" version="1.0.1n" date="20150611"/>
1985 <fixed base="1.0.0" version="1.0.0s" date="20150611"/>
1986 <fixed base="0.9.8" version="0.9.8zg" date="20150611"/>
1989 The PKCS#7 parsing code does not handle missing inner EncryptedContent
1990 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
1991 with missing content and trigger a NULL pointer dereference on parsing.
1993 Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
1994 structures from untrusted sources are affected. OpenSSL clients and
1995 servers are not affected.
1997 <advisory url="/news/secadv/20150611.txt"/>
1998 <reported source="Michal Zalewski (Google)"/>
2001 <issue public="20150611">
2002 <cve name="2015-1792"/>
2003 <impact severity="Moderate"/>
2004 <affects base="0.9.8" version="0.9.8"/>
2005 <affects base="0.9.8" version="0.9.8a"/>
2006 <affects base="0.9.8" version="0.9.8b"/>
2007 <affects base="0.9.8" version="0.9.8c"/>
2008 <affects base="0.9.8" version="0.9.8d"/>
2009 <affects base="0.9.8" version="0.9.8e"/>
2010 <affects base="0.9.8" version="0.9.8f"/>
2011 <affects base="0.9.8" version="0.9.8g"/>
2012 <affects base="0.9.8" version="0.9.8h"/>
2013 <affects base="0.9.8" version="0.9.8i"/>
2014 <affects base="0.9.8" version="0.9.8j"/>
2015 <affects base="0.9.8" version="0.9.8k"/>
2016 <affects base="0.9.8" version="0.9.8l"/>
2017 <affects base="0.9.8" version="0.9.8m"/>
2018 <affects base="0.9.8" version="0.9.8n"/>
2019 <affects base="0.9.8" version="0.9.8o"/>
2020 <affects base="0.9.8" version="0.9.8p"/>
2021 <affects base="0.9.8" version="0.9.8q"/>
2022 <affects base="0.9.8" version="0.9.8r"/>
2023 <affects base="0.9.8" version="0.9.8s"/>
2024 <affects base="0.9.8" version="0.9.8t"/>
2025 <affects base="0.9.8" version="0.9.8u"/>
2026 <affects base="0.9.8" version="0.9.8v"/>
2027 <affects base="0.9.8" version="0.9.8w"/>
2028 <affects base="0.9.8" version="0.9.8x"/>
2029 <affects base="0.9.8" version="0.9.8y"/>
2030 <affects base="0.9.8" version="0.9.8za"/>
2031 <affects base="0.9.8" version="0.9.8zb"/>
2032 <affects base="0.9.8" version="0.9.8zc"/>
2033 <affects base="0.9.8" version="0.9.8zd"/>
2034 <affects base="0.9.8" version="0.9.8ze"/>
2035 <affects base="0.9.8" version="0.9.8zf"/>
2036 <affects base="1.0.0" version="1.0.0"/>
2037 <affects base="1.0.0" version="1.0.0a"/>
2038 <affects base="1.0.0" version="1.0.0b"/>
2039 <affects base="1.0.0" version="1.0.0c"/>
2040 <affects base="1.0.0" version="1.0.0d"/>
2041 <affects base="1.0.0" version="1.0.0e"/>
2042 <affects base="1.0.0" version="1.0.0f"/>
2043 <affects base="1.0.0" version="1.0.0g"/>
2044 <affects base="1.0.0" version="1.0.0i"/>
2045 <affects base="1.0.0" version="1.0.0j"/>
2046 <affects base="1.0.0" version="1.0.0k"/>
2047 <affects base="1.0.0" version="1.0.0l"/>
2048 <affects base="1.0.0" version="1.0.0m"/>
2049 <affects base="1.0.0" version="1.0.0n"/>
2050 <affects base="1.0.0" version="1.0.0o"/>
2051 <affects base="1.0.0" version="1.0.0p"/>
2052 <affects base="1.0.0" version="1.0.0q"/>
2053 <affects base="1.0.0" version="1.0.0r"/>
2054 <affects base="1.0.1" version="1.0.1"/>
2055 <affects base="1.0.1" version="1.0.1a"/>
2056 <affects base="1.0.1" version="1.0.1b"/>
2057 <affects base="1.0.1" version="1.0.1c"/>
2058 <affects base="1.0.1" version="1.0.1d"/>
2059 <affects base="1.0.1" version="1.0.1e"/>
2060 <affects base="1.0.1" version="1.0.1f"/>
2061 <affects base="1.0.1" version="1.0.1g"/>
2062 <affects base="1.0.1" version="1.0.1h"/>
2063 <affects base="1.0.1" version="1.0.1i"/>
2064 <affects base="1.0.1" version="1.0.1j"/>
2065 <affects base="1.0.1" version="1.0.1k"/>
2066 <affects base="1.0.1" version="1.0.1l"/>
2067 <affects base="1.0.1" version="1.0.1m"/>
2068 <affects base="1.0.2" version="1.0.2"/>
2069 <affects base="1.0.2" version="1.0.2a"/>
2070 <fixed base="1.0.2" version="1.0.2b" date="20150611"/>
2071 <fixed base="1.0.1" version="1.0.1n" date="20150611"/>
2072 <fixed base="1.0.0" version="1.0.0s" date="20150611"/>
2073 <fixed base="0.9.8" version="0.9.8zg" date="20150611"/>
2076 When verifying a signedData message the CMS code can enter an infinite loop
2077 if presented with an unknown hash function OID.
2079 This can be used to perform denial of service against any system which
2080 verifies signedData messages using the CMS code.
2082 <advisory url="/news/secadv/20150611.txt"/>
2083 <reported source="Johannes Bauer"/>
2086 <issue public="20150602">
2087 <cve name="2015-1791"/>
2088 <impact severity="Low"/>
2089 <affects base="0.9.8" version="0.9.8"/>
2090 <affects base="0.9.8" version="0.9.8a"/>
2091 <affects base="0.9.8" version="0.9.8b"/>
2092 <affects base="0.9.8" version="0.9.8c"/>
2093 <affects base="0.9.8" version="0.9.8d"/>
2094 <affects base="0.9.8" version="0.9.8e"/>
2095 <affects base="0.9.8" version="0.9.8f"/>
2096 <affects base="0.9.8" version="0.9.8g"/>
2097 <affects base="0.9.8" version="0.9.8h"/>
2098 <affects base="0.9.8" version="0.9.8i"/>
2099 <affects base="0.9.8" version="0.9.8j"/>
2100 <affects base="0.9.8" version="0.9.8k"/>
2101 <affects base="0.9.8" version="0.9.8l"/>
2102 <affects base="0.9.8" version="0.9.8m"/>
2103 <affects base="0.9.8" version="0.9.8n"/>
2104 <affects base="0.9.8" version="0.9.8o"/>
2105 <affects base="0.9.8" version="0.9.8p"/>
2106 <affects base="0.9.8" version="0.9.8q"/>
2107 <affects base="0.9.8" version="0.9.8r"/>
2108 <affects base="0.9.8" version="0.9.8s"/>
2109 <affects base="0.9.8" version="0.9.8t"/>
2110 <affects base="0.9.8" version="0.9.8u"/>
2111 <affects base="0.9.8" version="0.9.8v"/>
2112 <affects base="0.9.8" version="0.9.8w"/>
2113 <affects base="0.9.8" version="0.9.8x"/>
2114 <affects base="0.9.8" version="0.9.8y"/>
2115 <affects base="0.9.8" version="0.9.8za"/>
2116 <affects base="0.9.8" version="0.9.8zb"/>
2117 <affects base="0.9.8" version="0.9.8zc"/>
2118 <affects base="0.9.8" version="0.9.8zd"/>
2119 <affects base="0.9.8" version="0.9.8ze"/>
2120 <affects base="0.9.8" version="0.9.8zf"/>
2121 <affects base="1.0.0" version="1.0.0"/>
2122 <affects base="1.0.0" version="1.0.0a"/>
2123 <affects base="1.0.0" version="1.0.0b"/>
2124 <affects base="1.0.0" version="1.0.0c"/>
2125 <affects base="1.0.0" version="1.0.0d"/>
2126 <affects base="1.0.0" version="1.0.0e"/>
2127 <affects base="1.0.0" version="1.0.0f"/>
2128 <affects base="1.0.0" version="1.0.0g"/>
2129 <affects base="1.0.0" version="1.0.0i"/>
2130 <affects base="1.0.0" version="1.0.0j"/>
2131 <affects base="1.0.0" version="1.0.0k"/>
2132 <affects base="1.0.0" version="1.0.0l"/>
2133 <affects base="1.0.0" version="1.0.0m"/>
2134 <affects base="1.0.0" version="1.0.0n"/>
2135 <affects base="1.0.0" version="1.0.0o"/>
2136 <affects base="1.0.0" version="1.0.0p"/>
2137 <affects base="1.0.0" version="1.0.0q"/>
2138 <affects base="1.0.0" version="1.0.0r"/>
2139 <affects base="1.0.1" version="1.0.1"/>
2140 <affects base="1.0.1" version="1.0.1a"/>
2141 <affects base="1.0.1" version="1.0.1b"/>
2142 <affects base="1.0.1" version="1.0.1c"/>
2143 <affects base="1.0.1" version="1.0.1d"/>
2144 <affects base="1.0.1" version="1.0.1e"/>
2145 <affects base="1.0.1" version="1.0.1f"/>
2146 <affects base="1.0.1" version="1.0.1g"/>
2147 <affects base="1.0.1" version="1.0.1h"/>
2148 <affects base="1.0.1" version="1.0.1i"/>
2149 <affects base="1.0.1" version="1.0.1j"/>
2150 <affects base="1.0.1" version="1.0.1k"/>
2151 <affects base="1.0.1" version="1.0.1l"/>
2152 <affects base="1.0.1" version="1.0.1m"/>
2153 <affects base="1.0.2" version="1.0.2"/>
2154 <affects base="1.0.2" version="1.0.2a"/>
2155 <fixed base="1.0.2" version="1.0.2b" date="20150611"/>
2156 <fixed base="1.0.1" version="1.0.1n" date="20150611"/>
2157 <fixed base="1.0.0" version="1.0.0s" date="20150611"/>
2158 <fixed base="0.9.8" version="0.9.8zg" date="20150611"/>
2161 If a NewSessionTicket is received by a multi-threaded client when attempting to
2162 reuse a previous ticket then a race condition can occur potentially leading to
2163 a double free of the ticket data.
2165 <advisory url="/news/secadv/20150611.txt"/>
2166 <reported source="Emilia Käsper (OpenSSL)"/>
2169 <issue public="20150611">
2170 <cve name="2014-8176"/>
2171 <impact severity="Moderate"/>
2172 <affects base="0.9.8" version="0.9.8"/>
2173 <affects base="0.9.8" version="0.9.8a"/>
2174 <affects base="0.9.8" version="0.9.8b"/>
2175 <affects base="0.9.8" version="0.9.8c"/>
2176 <affects base="0.9.8" version="0.9.8d"/>
2177 <affects base="0.9.8" version="0.9.8e"/>
2178 <affects base="0.9.8" version="0.9.8f"/>
2179 <affects base="0.9.8" version="0.9.8g"/>
2180 <affects base="0.9.8" version="0.9.8h"/>
2181 <affects base="0.9.8" version="0.9.8i"/>
2182 <affects base="0.9.8" version="0.9.8j"/>
2183 <affects base="0.9.8" version="0.9.8k"/>
2184 <affects base="0.9.8" version="0.9.8l"/>
2185 <affects base="0.9.8" version="0.9.8m"/>
2186 <affects base="0.9.8" version="0.9.8n"/>
2187 <affects base="0.9.8" version="0.9.8o"/>
2188 <affects base="0.9.8" version="0.9.8p"/>
2189 <affects base="0.9.8" version="0.9.8q"/>
2190 <affects base="0.9.8" version="0.9.8r"/>
2191 <affects base="0.9.8" version="0.9.8s"/>
2192 <affects base="0.9.8" version="0.9.8t"/>
2193 <affects base="0.9.8" version="0.9.8u"/>
2194 <affects base="0.9.8" version="0.9.8v"/>
2195 <affects base="0.9.8" version="0.9.8w"/>
2196 <affects base="0.9.8" version="0.9.8x"/>
2197 <affects base="0.9.8" version="0.9.8y"/>
2198 <affects base="1.0.0" version="1.0.0"/>
2199 <affects base="1.0.0" version="1.0.0a"/>
2200 <affects base="1.0.0" version="1.0.0b"/>
2201 <affects base="1.0.0" version="1.0.0c"/>
2202 <affects base="1.0.0" version="1.0.0d"/>
2203 <affects base="1.0.0" version="1.0.0e"/>
2204 <affects base="1.0.0" version="1.0.0f"/>
2205 <affects base="1.0.0" version="1.0.0g"/>
2206 <affects base="1.0.0" version="1.0.0i"/>
2207 <affects base="1.0.0" version="1.0.0j"/>
2208 <affects base="1.0.0" version="1.0.0k"/>
2209 <affects base="1.0.0" version="1.0.0l"/>
2210 <affects base="1.0.1" version="1.0.1"/>
2211 <affects base="1.0.1" version="1.0.1a"/>
2212 <affects base="1.0.1" version="1.0.1b"/>
2213 <affects base="1.0.1" version="1.0.1c"/>
2214 <affects base="1.0.1" version="1.0.1d"/>
2215 <affects base="1.0.1" version="1.0.1e"/>
2216 <affects base="1.0.1" version="1.0.1f"/>
2217 <affects base="1.0.1" version="1.0.1g"/>
2218 <fixed base="1.0.1" version="1.0.1h" date="20140605"/>
2219 <fixed base="1.0.0" version="1.0.0m" date="20140605"/>
2220 <fixed base="0.9.8" version="0.9.8za" date="20140605"/>
2222 This vulnerability does not affect current versions of OpenSSL. It
2223 existed in previous OpenSSL versions and was fixed in June 2014.
2225 If a DTLS peer receives application data between the ChangeCipherSpec
2226 and Finished messages, buffering of such data may cause an invalid
2227 free, resulting in a segmentation fault or potentially, memory
2230 <advisory url="/news/secadv/20150611.txt"/>
2231 <reported source="Praveen Kariyanahalli, and subsequently by Ivan Fratric and Felix Groebert (Google)"/>
2233 <issue public="20150319">
2234 <impact severity="High"/>
2235 <cve name="2015-0291"/>
2236 <affects base="1.0.2" version="1.0.2"/>
2237 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
2240 ClientHello sigalgs DoS. If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
2241 invalid signature algorithms extension a NULL pointer dereference will occur.
2242 This can be exploited in a DoS attack against the server.
2244 <advisory url="/news/secadv/20150319.txt"/>
2245 <reported source=" David Ramos (Stanford University)"/>
2248 <issue public="20150319">
2249 <cve name="2015-0290"/>
2250 <impact severity="Moderate"/>
2251 <affects base="1.0.2" version="1.0.2"/>
2252 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
2255 Multiblock corrupted pointer.
2256 OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This feature
2257 only applies on 64 bit x86 architecture platforms that support AES NI
2258 instructions. A defect in the implementation of "multiblock" can cause OpenSSL's
2259 internal write buffer to become incorrectly set to NULL when using non-blocking
2260 IO. Typically, when the user application is using a socket BIO for writing, this
2261 will only result in a failed connection. However if some other BIO is used then
2262 it is likely that a segmentation fault will be triggered, thus enabling a
2263 potential DoS attack.
2265 <advisory url="/news/secadv/20150319.txt"/>
2266 <reported source="Daniel Danner and Rainer Mueller"/>
2269 <issue public="20150319">
2270 <cve name="2015-0207"/>
2271 <impact severity="Moderate"/>
2272 <affects base="1.0.2" version="1.0.2"/>
2273 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
2276 Segmentation fault in DTLSv1_listen.
2277 A defect in the implementation of DTLSv1_listen means that state is preserved in
2278 the SSL object from one invocation to the next that can lead to a segmentation
2279 fault. Errors processing the initial ClientHello can trigger this scenario. An
2280 example of such an error could be that a DTLS1.0 only client is attempting to
2281 connect to a DTLS1.2 only server.
2283 <advisory url="/news/secadv/20150319.txt"/>
2284 <reported source="Per Allansson"/>
2287 <issue public="20150319">
2288 <cve name="2015-0286"/>
2289 <impact severity="Moderate"/>
2290 <affects base="0.9.8" version="0.9.8zd"/>
2291 <affects base="0.9.8" version="0.9.8ze"/>
2292 <affects base="1.0.0" version="1.0.0"/>
2293 <affects base="1.0.0" version="1.0.0a"/>
2294 <affects base="1.0.0" version="1.0.0b"/>
2295 <affects base="1.0.0" version="1.0.0c"/>
2296 <affects base="1.0.0" version="1.0.0d"/>
2297 <affects base="1.0.0" version="1.0.0e"/>
2298 <affects base="1.0.0" version="1.0.0f"/>
2299 <affects base="1.0.0" version="1.0.0g"/>
2300 <affects base="1.0.0" version="1.0.0i"/>
2301 <affects base="1.0.0" version="1.0.0j"/>
2302 <affects base="1.0.0" version="1.0.0k"/>
2303 <affects base="1.0.0" version="1.0.0l"/>
2304 <affects base="1.0.0" version="1.0.0m"/>
2305 <affects base="1.0.0" version="1.0.0n"/>
2306 <affects base="1.0.0" version="1.0.0o"/>
2307 <affects base="1.0.0" version="1.0.0p"/>
2308 <affects base="1.0.0" version="1.0.0q"/>
2309 <affects base="1.0.1" version="1.0.1"/>
2310 <affects base="1.0.1" version="1.0.1a"/>
2311 <affects base="1.0.1" version="1.0.1b"/>
2312 <affects base="1.0.1" version="1.0.1c"/>
2313 <affects base="1.0.1" version="1.0.1d"/>
2314 <affects base="1.0.1" version="1.0.1e"/>
2315 <affects base="1.0.1" version="1.0.1f"/>
2316 <affects base="1.0.1" version="1.0.1g"/>
2317 <affects base="1.0.1" version="1.0.1h"/>
2318 <affects base="1.0.1" version="1.0.1i"/>
2319 <affects base="1.0.1" version="1.0.1j"/>
2320 <affects base="1.0.1" version="1.0.1k"/>
2321 <affects base="1.0.1" version="1.0.1l"/>
2322 <affects base="1.0.2" version="1.0.2"/>
2323 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
2324 <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
2325 <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
2326 <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
2329 Segmentation fault in ASN1_TYPE_cmp.
2330 The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
2331 made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
2332 certificate signature algorithm consistency this can be used to crash any
2333 certificate verification operation and exploited in a DoS attack. Any
2334 application which performs certificate verification is vulnerable including
2335 OpenSSL clients and servers which enable client authentication.
2337 <advisory url="/news/secadv/20150319.txt"/>
2338 <reported source="Stephen Henson (OpenSSL development team)"/>
2341 <issue public="20150319">
2342 <cve name="2015-0208"/>
2343 <impact severity="Moderate"/>
2344 <affects base="1.0.2" version="1.0.2"/>
2345 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
2348 Segmentation fault for invalid PSS parameters.
2349 The signature verification routines will crash with a NULL pointer
2350 dereference if presented with an ASN.1 signature using the RSA PSS
2351 algorithm and invalid parameters. Since these routines are used to verify
2352 certificate signature algorithms this can be used to crash any
2353 certificate verification operation and exploited in a DoS attack. Any
2354 application which performs certificate verification is vulnerable including
2355 OpenSSL clients and servers which enable client authentication.
2357 <advisory url="/news/secadv/20150319.txt"/>
2358 <reported source="Brian Carpenter"/>
2361 <issue public="20150319">
2362 <cve name="2015-0287"/>
2363 <impact severity="Moderate"/>
2364 <affects base="0.9.8" version="0.9.8"/>
2365 <affects base="0.9.8" version="0.9.8a"/>
2366 <affects base="0.9.8" version="0.9.8b"/>
2367 <affects base="0.9.8" version="0.9.8c"/>
2368 <affects base="0.9.8" version="0.9.8d"/>
2369 <affects base="0.9.8" version="0.9.8e"/>
2370 <affects base="0.9.8" version="0.9.8f"/>
2371 <affects base="0.9.8" version="0.9.8g"/>
2372 <affects base="0.9.8" version="0.9.8h"/>
2373 <affects base="0.9.8" version="0.9.8i"/>
2374 <affects base="0.9.8" version="0.9.8j"/>
2375 <affects base="0.9.8" version="0.9.8k"/>
2376 <affects base="0.9.8" version="0.9.8l"/>
2377 <affects base="0.9.8" version="0.9.8m"/>
2378 <affects base="0.9.8" version="0.9.8n"/>
2379 <affects base="0.9.8" version="0.9.8o"/>
2380 <affects base="0.9.8" version="0.9.8p"/>
2381 <affects base="0.9.8" version="0.9.8q"/>
2382 <affects base="0.9.8" version="0.9.8r"/>
2383 <affects base="0.9.8" version="0.9.8s"/>
2384 <affects base="0.9.8" version="0.9.8t"/>
2385 <affects base="0.9.8" version="0.9.8u"/>
2386 <affects base="0.9.8" version="0.9.8v"/>
2387 <affects base="0.9.8" version="0.9.8w"/>
2388 <affects base="0.9.8" version="0.9.8x"/>
2389 <affects base="0.9.8" version="0.9.8y"/>
2390 <affects base="0.9.8" version="0.9.8za"/>
2391 <affects base="0.9.8" version="0.9.8zb"/>
2392 <affects base="0.9.8" version="0.9.8zc"/>
2393 <affects base="0.9.8" version="0.9.8zd"/>
2394 <affects base="0.9.8" version="0.9.8ze"/>
2395 <affects base="1.0.0" version="1.0.0"/>
2396 <affects base="1.0.0" version="1.0.0a"/>
2397 <affects base="1.0.0" version="1.0.0b"/>
2398 <affects base="1.0.0" version="1.0.0c"/>
2399 <affects base="1.0.0" version="1.0.0d"/>
2400 <affects base="1.0.0" version="1.0.0e"/>
2401 <affects base="1.0.0" version="1.0.0f"/>
2402 <affects base="1.0.0" version="1.0.0g"/>
2403 <affects base="1.0.0" version="1.0.0i"/>
2404 <affects base="1.0.0" version="1.0.0j"/>
2405 <affects base="1.0.0" version="1.0.0k"/>
2406 <affects base="1.0.0" version="1.0.0l"/>
2407 <affects base="1.0.0" version="1.0.0m"/>
2408 <affects base="1.0.0" version="1.0.0n"/>
2409 <affects base="1.0.0" version="1.0.0o"/>
2410 <affects base="1.0.0" version="1.0.0p"/>
2411 <affects base="1.0.0" version="1.0.0q"/>
2412 <affects base="1.0.1" version="1.0.1"/>
2413 <affects base="1.0.1" version="1.0.1a"/>
2414 <affects base="1.0.1" version="1.0.1b"/>
2415 <affects base="1.0.1" version="1.0.1c"/>
2416 <affects base="1.0.1" version="1.0.1d"/>
2417 <affects base="1.0.1" version="1.0.1e"/>
2418 <affects base="1.0.1" version="1.0.1f"/>
2419 <affects base="1.0.1" version="1.0.1g"/>
2420 <affects base="1.0.1" version="1.0.1h"/>
2421 <affects base="1.0.1" version="1.0.1i"/>
2422 <affects base="1.0.1" version="1.0.1j"/>
2423 <affects base="1.0.1" version="1.0.1k"/>
2424 <affects base="1.0.1" version="1.0.1l"/>
2425 <affects base="1.0.2" version="1.0.2"/>
2426 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
2427 <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
2428 <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
2429 <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
2432 ASN.1 structure reuse memory corruption.
2433 Reusing a structure in ASN.1 parsing may allow an attacker to cause
2434 memory corruption via an invalid write. Such reuse is and has been
2435 strongly discouraged and is believed to be rare.
2437 <advisory url="/news/secadv/20150319.txt"/>
2438 <reported source="Emilia Käsper (OpenSSL development team)"/>
2441 <issue public="20150319">
2442 <cve name="2015-0289"/>
2443 <impact severity="Moderate"/>
2444 <affects base="0.9.8" version="0.9.8"/>
2445 <affects base="0.9.8" version="0.9.8a"/>
2446 <affects base="0.9.8" version="0.9.8b"/>
2447 <affects base="0.9.8" version="0.9.8c"/>
2448 <affects base="0.9.8" version="0.9.8d"/>
2449 <affects base="0.9.8" version="0.9.8e"/>
2450 <affects base="0.9.8" version="0.9.8f"/>
2451 <affects base="0.9.8" version="0.9.8g"/>
2452 <affects base="0.9.8" version="0.9.8h"/>
2453 <affects base="0.9.8" version="0.9.8i"/>
2454 <affects base="0.9.8" version="0.9.8j"/>
2455 <affects base="0.9.8" version="0.9.8k"/>
2456 <affects base="0.9.8" version="0.9.8l"/>
2457 <affects base="0.9.8" version="0.9.8m"/>
2458 <affects base="0.9.8" version="0.9.8n"/>
2459 <affects base="0.9.8" version="0.9.8o"/>
2460 <affects base="0.9.8" version="0.9.8p"/>
2461 <affects base="0.9.8" version="0.9.8q"/>
2462 <affects base="0.9.8" version="0.9.8r"/>
2463 <affects base="0.9.8" version="0.9.8s"/>
2464 <affects base="0.9.8" version="0.9.8t"/>
2465 <affects base="0.9.8" version="0.9.8u"/>
2466 <affects base="0.9.8" version="0.9.8v"/>
2467 <affects base="0.9.8" version="0.9.8w"/>
2468 <affects base="0.9.8" version="0.9.8x"/>
2469 <affects base="0.9.8" version="0.9.8y"/>
2470 <affects base="0.9.8" version="0.9.8za"/>
2471 <affects base="0.9.8" version="0.9.8zb"/>
2472 <affects base="0.9.8" version="0.9.8zc"/>
2473 <affects base="0.9.8" version="0.9.8zd"/>
2474 <affects base="0.9.8" version="0.9.8ze"/>
2475 <affects base="1.0.0" version="1.0.0"/>
2476 <affects base="1.0.0" version="1.0.0a"/>
2477 <affects base="1.0.0" version="1.0.0b"/>
2478 <affects base="1.0.0" version="1.0.0c"/>
2479 <affects base="1.0.0" version="1.0.0d"/>
2480 <affects base="1.0.0" version="1.0.0e"/>
2481 <affects base="1.0.0" version="1.0.0f"/>
2482 <affects base="1.0.0" version="1.0.0g"/>
2483 <affects base="1.0.0" version="1.0.0i"/>
2484 <affects base="1.0.0" version="1.0.0j"/>
2485 <affects base="1.0.0" version="1.0.0k"/>
2486 <affects base="1.0.0" version="1.0.0l"/>
2487 <affects base="1.0.0" version="1.0.0m"/>
2488 <affects base="1.0.0" version="1.0.0n"/>
2489 <affects base="1.0.0" version="1.0.0o"/>
2490 <affects base="1.0.0" version="1.0.0p"/>
2491 <affects base="1.0.0" version="1.0.0q"/>
2492 <affects base="1.0.1" version="1.0.1"/>
2493 <affects base="1.0.1" version="1.0.1a"/>
2494 <affects base="1.0.1" version="1.0.1b"/>
2495 <affects base="1.0.1" version="1.0.1c"/>
2496 <affects base="1.0.1" version="1.0.1d"/>
2497 <affects base="1.0.1" version="1.0.1e"/>
2498 <affects base="1.0.1" version="1.0.1f"/>
2499 <affects base="1.0.1" version="1.0.1g"/>
2500 <affects base="1.0.1" version="1.0.1h"/>
2501 <affects base="1.0.1" version="1.0.1i"/>
2502 <affects base="1.0.1" version="1.0.1j"/>
2503 <affects base="1.0.1" version="1.0.1k"/>
2504 <affects base="1.0.1" version="1.0.1l"/>
2505 <affects base="1.0.2" version="1.0.2"/>
2506 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
2507 <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
2508 <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
2509 <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
2512 PKCS#7 NULL pointer dereference.
2513 The PKCS#7 parsing code does not handle missing outer ContentInfo correctly.
2514 An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
2515 missing content and trigger a NULL pointer dereference on parsing.
2516 Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
2517 otherwise parse PKCS#7 structures from untrusted sources are
2518 affected. OpenSSL clients and servers are not affected.
2520 <advisory url="/news/secadv/20150319.txt"/>
2521 <reported source="Michal Zalewski (Google)"/>
2524 <issue public="20150319">
2525 <cve name="2015-0292"/>
2526 <impact severity="Moderate"/>
2527 <affects base="0.9.8" version="0.9.8"/>
2528 <affects base="0.9.8" version="0.9.8a"/>
2529 <affects base="0.9.8" version="0.9.8b"/>
2530 <affects base="0.9.8" version="0.9.8c"/>
2531 <affects base="0.9.8" version="0.9.8d"/>
2532 <affects base="0.9.8" version="0.9.8e"/>
2533 <affects base="0.9.8" version="0.9.8f"/>
2534 <affects base="0.9.8" version="0.9.8g"/>
2535 <affects base="0.9.8" version="0.9.8h"/>
2536 <affects base="0.9.8" version="0.9.8i"/>
2537 <affects base="0.9.8" version="0.9.8j"/>
2538 <affects base="0.9.8" version="0.9.8k"/>
2539 <affects base="0.9.8" version="0.9.8l"/>
2540 <affects base="0.9.8" version="0.9.8m"/>
2541 <affects base="0.9.8" version="0.9.8n"/>
2542 <affects base="0.9.8" version="0.9.8o"/>
2543 <affects base="0.9.8" version="0.9.8p"/>
2544 <affects base="0.9.8" version="0.9.8q"/>
2545 <affects base="0.9.8" version="0.9.8r"/>
2546 <affects base="0.9.8" version="0.9.8s"/>
2547 <affects base="0.9.8" version="0.9.8t"/>
2548 <affects base="0.9.8" version="0.9.8u"/>
2549 <affects base="0.9.8" version="0.9.8v"/>
2550 <affects base="0.9.8" version="0.9.8w"/>
2551 <affects base="0.9.8" version="0.9.8x"/>
2552 <affects base="0.9.8" version="0.9.8y"/>
2553 <affects base="1.0.0" version="1.0.0"/>
2554 <affects base="1.0.0" version="1.0.0a"/>
2555 <affects base="1.0.0" version="1.0.0b"/>
2556 <affects base="1.0.0" version="1.0.0c"/>
2557 <affects base="1.0.0" version="1.0.0d"/>
2558 <affects base="1.0.0" version="1.0.0e"/>
2559 <affects base="1.0.0" version="1.0.0f"/>
2560 <affects base="1.0.0" version="1.0.0g"/>
2561 <affects base="1.0.0" version="1.0.0i"/>
2562 <affects base="1.0.0" version="1.0.0j"/>
2563 <affects base="1.0.0" version="1.0.0k"/>
2564 <affects base="1.0.0" version="1.0.0l"/>
2565 <affects base="1.0.1" version="1.0.1"/>
2566 <affects base="1.0.1" version="1.0.1a"/>
2567 <affects base="1.0.1" version="1.0.1b"/>
2568 <affects base="1.0.1" version="1.0.1c"/>
2569 <affects base="1.0.1" version="1.0.1d"/>
2570 <affects base="1.0.1" version="1.0.1e"/>
2571 <affects base="1.0.1" version="1.0.1f"/>
2572 <affects base="1.0.1" version="1.0.1g"/>
2573 <fixed base="1.0.1" version="1.0.1h" date="20140605"/>
2574 <fixed base="1.0.0" version="1.0.0m" date="20140605"/>
2575 <fixed base="0.9.8" version="0.9.8za" date="20140605"/>
2578 A vulnerability existed in previous versions of OpenSSL related to the
2579 processing of base64 encoded data. Any code path that reads base64 data from an
2580 untrusted source could be affected (such as the PEM processing routines).
2581 Maliciously crafted base 64 data could trigger a segmenation fault or memory
2584 <advisory url="/news/secadv/20150319.txt"/>
2585 <reported source="Robert Dugal, also David Ramos, also Huzaifa Sidhpurwala (Red Hat)"/>
2588 <issue public="20150319">
2589 <cve name="2015-0293"/>
2590 <impact severity="Moderate"/>
2591 <affects base="0.9.8" version="0.9.8"/>
2592 <affects base="0.9.8" version="0.9.8a"/>
2593 <affects base="0.9.8" version="0.9.8b"/>
2594 <affects base="0.9.8" version="0.9.8c"/>
2595 <affects base="0.9.8" version="0.9.8d"/>
2596 <affects base="0.9.8" version="0.9.8e"/>
2597 <affects base="0.9.8" version="0.9.8f"/>
2598 <affects base="0.9.8" version="0.9.8g"/>
2599 <affects base="0.9.8" version="0.9.8h"/>
2600 <affects base="0.9.8" version="0.9.8i"/>
2601 <affects base="0.9.8" version="0.9.8j"/>
2602 <affects base="0.9.8" version="0.9.8k"/>
2603 <affects base="0.9.8" version="0.9.8l"/>
2604 <affects base="0.9.8" version="0.9.8m"/>
2605 <affects base="0.9.8" version="0.9.8n"/>
2606 <affects base="0.9.8" version="0.9.8o"/>
2607 <affects base="0.9.8" version="0.9.8p"/>
2608 <affects base="0.9.8" version="0.9.8q"/>
2609 <affects base="0.9.8" version="0.9.8r"/>
2610 <affects base="0.9.8" version="0.9.8s"/>
2611 <affects base="0.9.8" version="0.9.8t"/>
2612 <affects base="0.9.8" version="0.9.8u"/>
2613 <affects base="0.9.8" version="0.9.8v"/>
2614 <affects base="0.9.8" version="0.9.8w"/>
2615 <affects base="0.9.8" version="0.9.8x"/>
2616 <affects base="0.9.8" version="0.9.8y"/>
2617 <affects base="0.9.8" version="0.9.8za"/>
2618 <affects base="0.9.8" version="0.9.8zb"/>
2619 <affects base="0.9.8" version="0.9.8zc"/>
2620 <affects base="0.9.8" version="0.9.8zd"/>
2621 <affects base="0.9.8" version="0.9.8ze"/>
2622 <affects base="1.0.0" version="1.0.0"/>
2623 <affects base="1.0.0" version="1.0.0a"/>
2624 <affects base="1.0.0" version="1.0.0b"/>
2625 <affects base="1.0.0" version="1.0.0c"/>
2626 <affects base="1.0.0" version="1.0.0d"/>
2627 <affects base="1.0.0" version="1.0.0e"/>
2628 <affects base="1.0.0" version="1.0.0f"/>
2629 <affects base="1.0.0" version="1.0.0g"/>
2630 <affects base="1.0.0" version="1.0.0i"/>
2631 <affects base="1.0.0" version="1.0.0j"/>
2632 <affects base="1.0.0" version="1.0.0k"/>
2633 <affects base="1.0.0" version="1.0.0l"/>
2634 <affects base="1.0.0" version="1.0.0m"/>
2635 <affects base="1.0.0" version="1.0.0n"/>
2636 <affects base="1.0.0" version="1.0.0o"/>
2637 <affects base="1.0.0" version="1.0.0p"/>
2638 <affects base="1.0.0" version="1.0.0q"/>
2639 <affects base="1.0.1" version="1.0.1"/>
2640 <affects base="1.0.1" version="1.0.1a"/>
2641 <affects base="1.0.1" version="1.0.1b"/>
2642 <affects base="1.0.1" version="1.0.1c"/>
2643 <affects base="1.0.1" version="1.0.1d"/>
2644 <affects base="1.0.1" version="1.0.1e"/>
2645 <affects base="1.0.1" version="1.0.1f"/>
2646 <affects base="1.0.1" version="1.0.1g"/>
2647 <affects base="1.0.1" version="1.0.1h"/>
2648 <affects base="1.0.1" version="1.0.1i"/>
2649 <affects base="1.0.1" version="1.0.1j"/>
2650 <affects base="1.0.1" version="1.0.1k"/>
2651 <affects base="1.0.1" version="1.0.1l"/>
2652 <affects base="1.0.2" version="1.0.2"/>
2653 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
2654 <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
2655 <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
2656 <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
2659 DoS via reachable assert in SSLv2 servers.
2660 A malicious client can trigger an OPENSSL_assert in
2661 servers that both support SSLv2 and enable export cipher suites by sending
2662 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
2664 <advisory url="/news/secadv/20150319.txt"/>
2665 <reported source="Sean Burford (Google) and Emilia Käsper (OpenSSL development team)"/>
2668 <issue public="20150319">
2669 <impact severity="Moderate"/>
2670 <cve name="2015-1787"/>
2671 <affects base="1.0.2" version="1.0.2"/>
2672 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
2675 Empty CKE with client auth and DHE.
2676 If client auth is used then a server can seg fault in the event of a DHE
2677 ciphersuite being selected and a zero length ClientKeyExchange message being
2678 sent by the client. This could be exploited in a DoS attack.
2680 <advisory url="/news/secadv/20150319.txt"/>
2681 <reported source="Matt Caswell (OpenSSL development team)"/>
2684 <issue public="20150310">
2685 <impact severity="Low"/>
2686 <cve name="2015-0285"/>
2687 <affects base="1.0.2" version="1.0.2"/>
2688 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
2691 Under certain conditions an OpenSSL 1.0.2 client can complete a handshake with
2692 an unseeded PRNG. If the handshake succeeds then the client random that has been used will have
2693 been generated from a PRNG with insufficient entropy and therefore the output
2696 <advisory url="/news/secadv/20150319.txt"/>
2697 <reported source="Matt Caswell (OpenSSL development team)"/>
2700 <issue public="20150319">
2701 <impact severity="Low"/>
2702 <cve name="2015-0209"/>
2703 <affects base="0.9.8" version="0.9.8"/>
2704 <affects base="0.9.8" version="0.9.8a"/>
2705 <affects base="0.9.8" version="0.9.8b"/>
2706 <affects base="0.9.8" version="0.9.8c"/>
2707 <affects base="0.9.8" version="0.9.8d"/>
2708 <affects base="0.9.8" version="0.9.8e"/>
2709 <affects base="0.9.8" version="0.9.8f"/>
2710 <affects base="0.9.8" version="0.9.8g"/>
2711 <affects base="0.9.8" version="0.9.8h"/>
2712 <affects base="0.9.8" version="0.9.8i"/>
2713 <affects base="0.9.8" version="0.9.8j"/>
2714 <affects base="0.9.8" version="0.9.8k"/>
2715 <affects base="0.9.8" version="0.9.8l"/>
2716 <affects base="0.9.8" version="0.9.8m"/>
2717 <affects base="0.9.8" version="0.9.8n"/>
2718 <affects base="0.9.8" version="0.9.8o"/>
2719 <affects base="0.9.8" version="0.9.8p"/>
2720 <affects base="0.9.8" version="0.9.8q"/>
2721 <affects base="0.9.8" version="0.9.8r"/>
2722 <affects base="0.9.8" version="0.9.8s"/>
2723 <affects base="0.9.8" version="0.9.8t"/>
2724 <affects base="0.9.8" version="0.9.8u"/>
2725 <affects base="0.9.8" version="0.9.8v"/>
2726 <affects base="0.9.8" version="0.9.8w"/>
2727 <affects base="0.9.8" version="0.9.8x"/>
2728 <affects base="0.9.8" version="0.9.8y"/>
2729 <affects base="0.9.8" version="0.9.8za"/>
2730 <affects base="0.9.8" version="0.9.8zb"/>
2731 <affects base="0.9.8" version="0.9.8zc"/>
2732 <affects base="0.9.8" version="0.9.8zd"/>
2733 <affects base="0.9.8" version="0.9.8ze"/>
2734 <affects base="1.0.0" version="1.0.0"/>
2735 <affects base="1.0.0" version="1.0.0a"/>
2736 <affects base="1.0.0" version="1.0.0b"/>
2737 <affects base="1.0.0" version="1.0.0c"/>
2738 <affects base="1.0.0" version="1.0.0d"/>
2739 <affects base="1.0.0" version="1.0.0e"/>
2740 <affects base="1.0.0" version="1.0.0f"/>
2741 <affects base="1.0.0" version="1.0.0g"/>
2742 <affects base="1.0.0" version="1.0.0i"/>
2743 <affects base="1.0.0" version="1.0.0j"/>
2744 <affects base="1.0.0" version="1.0.0k"/>
2745 <affects base="1.0.0" version="1.0.0l"/>
2746 <affects base="1.0.0" version="1.0.0m"/>
2747 <affects base="1.0.0" version="1.0.0n"/>
2748 <affects base="1.0.0" version="1.0.0o"/>
2749 <affects base="1.0.0" version="1.0.0p"/>
2750 <affects base="1.0.0" version="1.0.0q"/>
2751 <affects base="1.0.1" version="1.0.1"/>
2752 <affects base="1.0.1" version="1.0.1a"/>
2753 <affects base="1.0.1" version="1.0.1b"/>
2754 <affects base="1.0.1" version="1.0.1c"/>
2755 <affects base="1.0.1" version="1.0.1d"/>
2756 <affects base="1.0.1" version="1.0.1e"/>
2757 <affects base="1.0.1" version="1.0.1f"/>
2758 <affects base="1.0.1" version="1.0.1g"/>
2759 <affects base="1.0.1" version="1.0.1h"/>
2760 <affects base="1.0.1" version="1.0.1i"/>
2761 <affects base="1.0.1" version="1.0.1j"/>
2762 <affects base="1.0.1" version="1.0.1k"/>
2763 <affects base="1.0.1" version="1.0.1l"/>
2764 <affects base="1.0.2" version="1.0.2"/>
2765 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
2766 <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
2767 <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
2768 <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
2771 Use After Free following d2i_ECPrivatekey error.
2772 A malformed EC private key file consumed via the d2i_ECPrivateKey function could
2773 cause a use after free condition. This, in turn, could cause a double
2774 free in several private key parsing functions (such as d2i_PrivateKey
2775 or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
2776 for applications that receive EC private keys from untrusted
2777 sources. This scenario is considered rare.
2779 <advisory url="/news/secadv/20150319.txt"/>
2780 <reported source="The BoringSSL project"/>
2783 <issue public="20150302">
2784 <cve name="2015-0288"/>
2785 <impact severity="Low"/>
2786 <affects base="0.9.8" version="0.9.8"/>
2787 <affects base="0.9.8" version="0.9.8a"/>
2788 <affects base="0.9.8" version="0.9.8b"/>
2789 <affects base="0.9.8" version="0.9.8c"/>
2790 <affects base="0.9.8" version="0.9.8d"/>
2791 <affects base="0.9.8" version="0.9.8e"/>
2792 <affects base="0.9.8" version="0.9.8f"/>
2793 <affects base="0.9.8" version="0.9.8g"/>
2794 <affects base="0.9.8" version="0.9.8h"/>
2795 <affects base="0.9.8" version="0.9.8i"/>
2796 <affects base="0.9.8" version="0.9.8j"/>
2797 <affects base="0.9.8" version="0.9.8k"/>
2798 <affects base="0.9.8" version="0.9.8l"/>
2799 <affects base="0.9.8" version="0.9.8m"/>
2800 <affects base="0.9.8" version="0.9.8n"/>
2801 <affects base="0.9.8" version="0.9.8o"/>
2802 <affects base="0.9.8" version="0.9.8p"/>
2803 <affects base="0.9.8" version="0.9.8q"/>
2804 <affects base="0.9.8" version="0.9.8r"/>
2805 <affects base="0.9.8" version="0.9.8s"/>
2806 <affects base="0.9.8" version="0.9.8t"/>
2807 <affects base="0.9.8" version="0.9.8u"/>
2808 <affects base="0.9.8" version="0.9.8v"/>
2809 <affects base="0.9.8" version="0.9.8w"/>
2810 <affects base="0.9.8" version="0.9.8x"/>
2811 <affects base="0.9.8" version="0.9.8y"/>
2812 <affects base="0.9.8" version="0.9.8za"/>
2813 <affects base="0.9.8" version="0.9.8zb"/>
2814 <affects base="0.9.8" version="0.9.8zc"/>
2815 <affects base="0.9.8" version="0.9.8zd"/>
2816 <affects base="0.9.8" version="0.9.8ze"/>
2817 <affects base="1.0.0" version="1.0.0"/>
2818 <affects base="1.0.0" version="1.0.0a"/>
2819 <affects base="1.0.0" version="1.0.0b"/>
2820 <affects base="1.0.0" version="1.0.0c"/>
2821 <affects base="1.0.0" version="1.0.0d"/>
2822 <affects base="1.0.0" version="1.0.0e"/>
2823 <affects base="1.0.0" version="1.0.0f"/>
2824 <affects base="1.0.0" version="1.0.0g"/>
2825 <affects base="1.0.0" version="1.0.0i"/>
2826 <affects base="1.0.0" version="1.0.0j"/>
2827 <affects base="1.0.0" version="1.0.0k"/>
2828 <affects base="1.0.0" version="1.0.0l"/>
2829 <affects base="1.0.0" version="1.0.0m"/>
2830 <affects base="1.0.0" version="1.0.0n"/>
2831 <affects base="1.0.0" version="1.0.0o"/>
2832 <affects base="1.0.0" version="1.0.0p"/>
2833 <affects base="1.0.0" version="1.0.0q"/>
2834 <affects base="1.0.1" version="1.0.1"/>
2835 <affects base="1.0.1" version="1.0.1a"/>
2836 <affects base="1.0.1" version="1.0.1b"/>
2837 <affects base="1.0.1" version="1.0.1c"/>
2838 <affects base="1.0.1" version="1.0.1d"/>
2839 <affects base="1.0.1" version="1.0.1e"/>
2840 <affects base="1.0.1" version="1.0.1f"/>
2841 <affects base="1.0.1" version="1.0.1g"/>
2842 <affects base="1.0.1" version="1.0.1h"/>
2843 <affects base="1.0.1" version="1.0.1i"/>
2844 <affects base="1.0.1" version="1.0.1j"/>
2845 <affects base="1.0.1" version="1.0.1k"/>
2846 <affects base="1.0.1" version="1.0.1l"/>
2847 <affects base="1.0.2" version="1.0.2"/>
2848 <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
2849 <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
2850 <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
2851 <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
2854 X509_to_X509_REQ NULL pointer deref.
2855 The function X509_to_X509_REQ will crash with a NULL pointer dereference if
2856 the certificate key is invalid. This function is rarely used in practice.
2858 <advisory url="/news/secadv/20150319.txt"/>
2859 <reported source="Brian Carpenter"/>
2862 <issue public="20150108">
2863 <cve name="2015-0206"/>
2864 <affects base="1.0.0" version="1.0.0"/>
2865 <affects base="1.0.0" version="1.0.0a"/>
2866 <affects base="1.0.0" version="1.0.0b"/>
2867 <affects base="1.0.0" version="1.0.0c"/>
2868 <affects base="1.0.0" version="1.0.0d"/>
2869 <affects base="1.0.0" version="1.0.0e"/>
2870 <affects base="1.0.0" version="1.0.0f"/>
2871 <affects base="1.0.0" version="1.0.0g"/>
2872 <affects base="1.0.0" version="1.0.0i"/>
2873 <affects base="1.0.0" version="1.0.0j"/>
2874 <affects base="1.0.0" version="1.0.0k"/>
2875 <affects base="1.0.0" version="1.0.0l"/>
2876 <affects base="1.0.0" version="1.0.0m"/>
2877 <affects base="1.0.0" version="1.0.0n"/>
2878 <affects base="1.0.0" version="1.0.0o"/>
2879 <affects base="1.0.1" version="1.0.1"/>
2880 <affects base="1.0.1" version="1.0.1a"/>
2881 <affects base="1.0.1" version="1.0.1b"/>
2882 <affects base="1.0.1" version="1.0.1c"/>
2883 <affects base="1.0.1" version="1.0.1d"/>
2884 <affects base="1.0.1" version="1.0.1e"/>
2885 <affects base="1.0.1" version="1.0.1f"/>
2886 <affects base="1.0.1" version="1.0.1g"/>
2887 <affects base="1.0.1" version="1.0.1h"/>
2888 <affects base="1.0.1" version="1.0.1i"/>
2889 <affects base="1.0.1" version="1.0.1j"/>
2890 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
2891 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
2894 A memory leak can occur in the dtls1_buffer_record function under certain
2895 conditions. In particular this could occur if an attacker sent repeated
2896 DTLS records with the same sequence number but for the next epoch. The
2897 memory leak could be exploited by an attacker in a Denial of Service
2898 attack through memory exhaustion.
2900 <advisory url="/news/secadv/20150108.txt"/>
2901 <reported source="Chris Mueller"/>
2904 <issue public="20141021">
2905 <cve name="2014-3569"/>
2906 <affects base="0.9.8" version="0.9.8zc"/>
2907 <affects base="1.0.0" version="1.0.0o"/>
2908 <affects base="1.0.1" version="1.0.1j"/>
2909 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
2910 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
2911 <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>
2914 When openssl is built with the no-ssl3 option and a SSL v3 ClientHello is
2915 received the ssl method would be set to NULL which could later result in
2916 a NULL pointer dereference.
2918 <advisory url="/news/secadv/20150108.txt"/>
2919 <reported source="Frank Schmirler"/>
2922 <issue public="20150105">
2923 <cve name="2014-3572"/>
2924 <affects base="0.9.8" version="0.9.8"/>
2925 <affects base="0.9.8" version="0.9.8a"/>
2926 <affects base="0.9.8" version="0.9.8b"/>
2927 <affects base="0.9.8" version="0.9.8c"/>
2928 <affects base="0.9.8" version="0.9.8d"/>
2929 <affects base="0.9.8" version="0.9.8e"/>
2930 <affects base="0.9.8" version="0.9.8f"/>
2931 <affects base="0.9.8" version="0.9.8g"/>
2932 <affects base="0.9.8" version="0.9.8h"/>
2933 <affects base="0.9.8" version="0.9.8i"/>
2934 <affects base="0.9.8" version="0.9.8j"/>
2935 <affects base="0.9.8" version="0.9.8k"/>
2936 <affects base="0.9.8" version="0.9.8l"/>
2937 <affects base="0.9.8" version="0.9.8m"/>
2938 <affects base="0.9.8" version="0.9.8n"/>
2939 <affects base="0.9.8" version="0.9.8o"/>
2940 <affects base="0.9.8" version="0.9.8p"/>
2941 <affects base="0.9.8" version="0.9.8q"/>
2942 <affects base="0.9.8" version="0.9.8r"/>
2943 <affects base="0.9.8" version="0.9.8s"/>
2944 <affects base="0.9.8" version="0.9.8t"/>
2945 <affects base="0.9.8" version="0.9.8u"/>
2946 <affects base="0.9.8" version="0.9.8v"/>
2947 <affects base="0.9.8" version="0.9.8w"/>
2948 <affects base="0.9.8" version="0.9.8x"/>
2949 <affects base="0.9.8" version="0.9.8y"/>
2950 <affects base="0.9.8" version="0.9.8za"/>
2951 <affects base="0.9.8" version="0.9.8zb"/>
2952 <affects base="0.9.8" version="0.9.8zc"/>
2953 <affects base="1.0.0" version="1.0.0"/>
2954 <affects base="1.0.0" version="1.0.0a"/>
2955 <affects base="1.0.0" version="1.0.0b"/>
2956 <affects base="1.0.0" version="1.0.0c"/>
2957 <affects base="1.0.0" version="1.0.0d"/>
2958 <affects base="1.0.0" version="1.0.0e"/>
2959 <affects base="1.0.0" version="1.0.0f"/>
2960 <affects base="1.0.0" version="1.0.0g"/>
2961 <affects base="1.0.0" version="1.0.0i"/>
2962 <affects base="1.0.0" version="1.0.0j"/>
2963 <affects base="1.0.0" version="1.0.0k"/>
2964 <affects base="1.0.0" version="1.0.0l"/>
2965 <affects base="1.0.0" version="1.0.0m"/>
2966 <affects base="1.0.0" version="1.0.0n"/>
2967 <affects base="1.0.0" version="1.0.0o"/>
2968 <affects base="1.0.1" version="1.0.1"/>
2969 <affects base="1.0.1" version="1.0.1a"/>
2970 <affects base="1.0.1" version="1.0.1b"/>
2971 <affects base="1.0.1" version="1.0.1c"/>
2972 <affects base="1.0.1" version="1.0.1d"/>
2973 <affects base="1.0.1" version="1.0.1e"/>
2974 <affects base="1.0.1" version="1.0.1f"/>
2975 <affects base="1.0.1" version="1.0.1g"/>
2976 <affects base="1.0.1" version="1.0.1h"/>
2977 <affects base="1.0.1" version="1.0.1i"/>
2978 <affects base="1.0.1" version="1.0.1j"/>
2979 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
2980 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
2981 <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>
2984 An OpenSSL client will accept a handshake using an ephemeral ECDH
2985 ciphersuite using an ECDSA certificate if the server key exchange message
2986 is omitted. This effectively removes forward secrecy from the ciphersuite.
2988 <advisory url="/news/secadv/20150108.txt"/>
2989 <reported source="Karthikeyan Bhargavan of the PROSECCO team at INRIA"/>
2992 <issue public="20150106">
2993 <cve name="2015-0204"/>
2994 <affects base="0.9.8" version="0.9.8"/>
2995 <affects base="0.9.8" version="0.9.8a"/>
2996 <affects base="0.9.8" version="0.9.8b"/>
2997 <affects base="0.9.8" version="0.9.8c"/>
2998 <affects base="0.9.8" version="0.9.8d"/>
2999 <affects base="0.9.8" version="0.9.8e"/>
3000 <affects base="0.9.8" version="0.9.8f"/>
3001 <affects base="0.9.8" version="0.9.8g"/>
3002 <affects base="0.9.8" version="0.9.8h"/>
3003 <affects base="0.9.8" version="0.9.8i"/>
3004 <affects base="0.9.8" version="0.9.8j"/>
3005 <affects base="0.9.8" version="0.9.8k"/>
3006 <affects base="0.9.8" version="0.9.8l"/>
3007 <affects base="0.9.8" version="0.9.8m"/>
3008 <affects base="0.9.8" version="0.9.8n"/>
3009 <affects base="0.9.8" version="0.9.8o"/>
3010 <affects base="0.9.8" version="0.9.8p"/>
3011 <affects base="0.9.8" version="0.9.8q"/>
3012 <affects base="0.9.8" version="0.9.8r"/>
3013 <affects base="0.9.8" version="0.9.8s"/>
3014 <affects base="0.9.8" version="0.9.8t"/>
3015 <affects base="0.9.8" version="0.9.8u"/>
3016 <affects base="0.9.8" version="0.9.8v"/>
3017 <affects base="0.9.8" version="0.9.8w"/>
3018 <affects base="0.9.8" version="0.9.8x"/>
3019 <affects base="0.9.8" version="0.9.8y"/>
3020 <affects base="0.9.8" version="0.9.8za"/>
3021 <affects base="0.9.8" version="0.9.8zb"/>
3022 <affects base="0.9.8" version="0.9.8zc"/>
3023 <affects base="1.0.0" version="1.0.0"/>
3024 <affects base="1.0.0" version="1.0.0a"/>
3025 <affects base="1.0.0" version="1.0.0b"/>
3026 <affects base="1.0.0" version="1.0.0c"/>
3027 <affects base="1.0.0" version="1.0.0d"/>
3028 <affects base="1.0.0" version="1.0.0e"/>
3029 <affects base="1.0.0" version="1.0.0f"/>
3030 <affects base="1.0.0" version="1.0.0g"/>
3031 <affects base="1.0.0" version="1.0.0i"/>
3032 <affects base="1.0.0" version="1.0.0j"/>
3033 <affects base="1.0.0" version="1.0.0k"/>
3034 <affects base="1.0.0" version="1.0.0l"/>
3035 <affects base="1.0.0" version="1.0.0m"/>
3036 <affects base="1.0.0" version="1.0.0n"/>
3037 <affects base="1.0.0" version="1.0.0o"/>
3038 <affects base="1.0.1" version="1.0.1"/>
3039 <affects base="1.0.1" version="1.0.1a"/>
3040 <affects base="1.0.1" version="1.0.1b"/>
3041 <affects base="1.0.1" version="1.0.1c"/>
3042 <affects base="1.0.1" version="1.0.1d"/>
3043 <affects base="1.0.1" version="1.0.1e"/>
3044 <affects base="1.0.1" version="1.0.1f"/>
3045 <affects base="1.0.1" version="1.0.1g"/>
3046 <affects base="1.0.1" version="1.0.1h"/>
3047 <affects base="1.0.1" version="1.0.1i"/>
3048 <affects base="1.0.1" version="1.0.1j"/>
3049 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
3050 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
3051 <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>
3054 An OpenSSL client will accept the use of an RSA temporary key in a
3055 non-export RSA key exchange ciphersuite. A server could present a weak
3056 temporary key and downgrade the security of the session.
3058 <advisory url="/news/secadv/20150108.txt"/>
3059 <reported source="Karthikeyan Bhargavan of the PROSECCO team at INRIA"/>
3062 <issue public="20150108">
3063 <cve name="2015-0205"/>
3064 <affects base="1.0.0" version="1.0.0"/>
3065 <affects base="1.0.0" version="1.0.0a"/>
3066 <affects base="1.0.0" version="1.0.0b"/>
3067 <affects base="1.0.0" version="1.0.0c"/>
3068 <affects base="1.0.0" version="1.0.0d"/>
3069 <affects base="1.0.0" version="1.0.0e"/>
3070 <affects base="1.0.0" version="1.0.0f"/>
3071 <affects base="1.0.0" version="1.0.0g"/>
3072 <affects base="1.0.0" version="1.0.0i"/>
3073 <affects base="1.0.0" version="1.0.0j"/>
3074 <affects base="1.0.0" version="1.0.0k"/>
3075 <affects base="1.0.0" version="1.0.0l"/>
3076 <affects base="1.0.0" version="1.0.0m"/>
3077 <affects base="1.0.0" version="1.0.0n"/>
3078 <affects base="1.0.0" version="1.0.0o"/>
3079 <affects base="1.0.1" version="1.0.1"/>
3080 <affects base="1.0.1" version="1.0.1a"/>
3081 <affects base="1.0.1" version="1.0.1b"/>
3082 <affects base="1.0.1" version="1.0.1c"/>
3083 <affects base="1.0.1" version="1.0.1d"/>
3084 <affects base="1.0.1" version="1.0.1e"/>
3085 <affects base="1.0.1" version="1.0.1f"/>
3086 <affects base="1.0.1" version="1.0.1g"/>
3087 <affects base="1.0.1" version="1.0.1h"/>
3088 <affects base="1.0.1" version="1.0.1i"/>
3089 <affects base="1.0.1" version="1.0.1j"/>
3090 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
3091 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
3094 An OpenSSL server will accept a DH certificate for client authentication
3095 without the certificate verify message. This effectively allows a client
3096 to authenticate without the use of a private key. This only affects
3097 servers which trust a client certificate authority which issues
3098 certificates containing DH keys: these are extremely rare and hardly ever
3101 <advisory url="/news/secadv/20150108.txt"/>
3102 <reported source="Karthikeyan Bhargavan of the PROSECCO team at INRIA"/>
3105 <issue public="20150105">
3106 <cve name="2014-8275"/>
3107 <affects base="0.9.8" version="0.9.8"/>
3108 <affects base="0.9.8" version="0.9.8a"/>
3109 <affects base="0.9.8" version="0.9.8b"/>
3110 <affects base="0.9.8" version="0.9.8c"/>
3111 <affects base="0.9.8" version="0.9.8d"/>
3112 <affects base="0.9.8" version="0.9.8e"/>
3113 <affects base="0.9.8" version="0.9.8f"/>
3114 <affects base="0.9.8" version="0.9.8g"/>
3115 <affects base="0.9.8" version="0.9.8h"/>
3116 <affects base="0.9.8" version="0.9.8i"/>
3117 <affects base="0.9.8" version="0.9.8j"/>
3118 <affects base="0.9.8" version="0.9.8k"/>
3119 <affects base="0.9.8" version="0.9.8l"/>
3120 <affects base="0.9.8" version="0.9.8m"/>
3121 <affects base="0.9.8" version="0.9.8n"/>
3122 <affects base="0.9.8" version="0.9.8o"/>
3123 <affects base="0.9.8" version="0.9.8p"/>
3124 <affects base="0.9.8" version="0.9.8q"/>
3125 <affects base="0.9.8" version="0.9.8r"/>
3126 <affects base="0.9.8" version="0.9.8s"/>
3127 <affects base="0.9.8" version="0.9.8t"/>
3128 <affects base="0.9.8" version="0.9.8u"/>
3129 <affects base="0.9.8" version="0.9.8v"/>
3130 <affects base="0.9.8" version="0.9.8w"/>
3131 <affects base="0.9.8" version="0.9.8x"/>
3132 <affects base="0.9.8" version="0.9.8y"/>
3133 <affects base="0.9.8" version="0.9.8za"/>
3134 <affects base="0.9.8" version="0.9.8zb"/>
3135 <affects base="0.9.8" version="0.9.8zc"/>
3136 <affects base="1.0.0" version="1.0.0"/>
3137 <affects base="1.0.0" version="1.0.0a"/>
3138 <affects base="1.0.0" version="1.0.0b"/>
3139 <affects base="1.0.0" version="1.0.0c"/>
3140 <affects base="1.0.0" version="1.0.0d"/>
3141 <affects base="1.0.0" version="1.0.0e"/>
3142 <affects base="1.0.0" version="1.0.0f"/>
3143 <affects base="1.0.0" version="1.0.0g"/>
3144 <affects base="1.0.0" version="1.0.0i"/>
3145 <affects base="1.0.0" version="1.0.0j"/>
3146 <affects base="1.0.0" version="1.0.0k"/>
3147 <affects base="1.0.0" version="1.0.0l"/>
3148 <affects base="1.0.0" version="1.0.0m"/>
3149 <affects base="1.0.0" version="1.0.0n"/>
3150 <affects base="1.0.0" version="1.0.0o"/>
3151 <affects base="1.0.1" version="1.0.1"/>
3152 <affects base="1.0.1" version="1.0.1a"/>
3153 <affects base="1.0.1" version="1.0.1b"/>
3154 <affects base="1.0.1" version="1.0.1c"/>
3155 <affects base="1.0.1" version="1.0.1d"/>
3156 <affects base="1.0.1" version="1.0.1e"/>
3157 <affects base="1.0.1" version="1.0.1f"/>
3158 <affects base="1.0.1" version="1.0.1g"/>
3159 <affects base="1.0.1" version="1.0.1h"/>
3160 <affects base="1.0.1" version="1.0.1i"/>
3161 <affects base="1.0.1" version="1.0.1j"/>
3162 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
3163 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
3164 <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>
3167 OpenSSL accepts several non-DER-variations of certificate signature
3168 algorithm and signature encodings. OpenSSL also does not enforce a
3169 match between the signature algorithm between the signed and unsigned
3170 portions of the certificate. By modifying the contents of the
3171 signature algorithm or the encoding of the signature, it is possible
3172 to change the certificate's fingerprint.
3174 This does not allow an attacker to forge certificates, and does not
3175 affect certificate verification or OpenSSL servers/clients in any other
3176 way. It also does not affect common revocation mechanisms. Only custom
3177 applications that rely on the uniqueness of the fingerprint (e.g.
3178 certificate blacklists) may be affected.
3180 <advisory url="/news/secadv/20150108.txt"/>
3181 <reported source="Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS program/Konrad Kraszewski from Google"/>
3184 <issue public="20150108">
3185 <cve name="2014-3570"/>
3186 <affects base="0.9.8" version="0.9.8"/>
3187 <affects base="0.9.8" version="0.9.8a"/>
3188 <affects base="0.9.8" version="0.9.8b"/>
3189 <affects base="0.9.8" version="0.9.8c"/>
3190 <affects base="0.9.8" version="0.9.8d"/>
3191 <affects base="0.9.8" version="0.9.8e"/>
3192 <affects base="0.9.8" version="0.9.8f"/>
3193 <affects base="0.9.8" version="0.9.8g"/>
3194 <affects base="0.9.8" version="0.9.8h"/>
3195 <affects base="0.9.8" version="0.9.8i"/>
3196 <affects base="0.9.8" version="0.9.8j"/>
3197 <affects base="0.9.8" version="0.9.8k"/>
3198 <affects base="0.9.8" version="0.9.8l"/>
3199 <affects base="0.9.8" version="0.9.8m"/>
3200 <affects base="0.9.8" version="0.9.8n"/>
3201 <affects base="0.9.8" version="0.9.8o"/>
3202 <affects base="0.9.8" version="0.9.8p"/>
3203 <affects base="0.9.8" version="0.9.8q"/>
3204 <affects base="0.9.8" version="0.9.8r"/>
3205 <affects base="0.9.8" version="0.9.8s"/>
3206 <affects base="0.9.8" version="0.9.8t"/>
3207 <affects base="0.9.8" version="0.9.8u"/>
3208 <affects base="0.9.8" version="0.9.8v"/>
3209 <affects base="0.9.8" version="0.9.8w"/>
3210 <affects base="0.9.8" version="0.9.8x"/>
3211 <affects base="0.9.8" version="0.9.8y"/>
3212 <affects base="0.9.8" version="0.9.8za"/>
3213 <affects base="0.9.8" version="0.9.8zb"/>
3214 <affects base="0.9.8" version="0.9.8zc"/>
3215 <affects base="1.0.0" version="1.0.0"/>
3216 <affects base="1.0.0" version="1.0.0a"/>
3217 <affects base="1.0.0" version="1.0.0b"/>
3218 <affects base="1.0.0" version="1.0.0c"/>
3219 <affects base="1.0.0" version="1.0.0d"/>
3220 <affects base="1.0.0" version="1.0.0e"/>
3221 <affects base="1.0.0" version="1.0.0f"/>
3222 <affects base="1.0.0" version="1.0.0g"/>
3223 <affects base="1.0.0" version="1.0.0i"/>
3224 <affects base="1.0.0" version="1.0.0j"/>
3225 <affects base="1.0.0" version="1.0.0k"/>
3226 <affects base="1.0.0" version="1.0.0l"/>
3227 <affects base="1.0.0" version="1.0.0m"/>
3228 <affects base="1.0.0" version="1.0.0n"/>
3229 <affects base="1.0.0" version="1.0.0o"/>
3230 <affects base="1.0.1" version="1.0.1"/>
3231 <affects base="1.0.1" version="1.0.1a"/>
3232 <affects base="1.0.1" version="1.0.1b"/>
3233 <affects base="1.0.1" version="1.0.1c"/>
3234 <affects base="1.0.1" version="1.0.1d"/>
3235 <affects base="1.0.1" version="1.0.1e"/>
3236 <affects base="1.0.1" version="1.0.1f"/>
3237 <affects base="1.0.1" version="1.0.1g"/>
3238 <affects base="1.0.1" version="1.0.1h"/>
3239 <affects base="1.0.1" version="1.0.1i"/>
3240 <affects base="1.0.1" version="1.0.1j"/>
3241 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
3242 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
3243 <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>
3246 Bignum squaring (BN_sqr) may produce incorrect results on some platforms,
3247 including x86_64. This bug occurs at random with a very low probability,
3248 and is not known to be exploitable in any way, though its exact impact is
3249 difficult to determine. The following has been determined:
3251 *) The probability of BN_sqr producing an incorrect result at random is
3252 very low: 1/2^64 on the single affected 32-bit platform (MIPS) and 1/2^128
3253 on affected 64-bit platforms.
3254 *) On most platforms, RSA follows a different code path and RSA operations
3255 are not affected at all. For the remaining platforms (e.g. OpenSSL built
3256 without assembly support), pre-existing countermeasures thwart bug
3258 *) Static ECDH is theoretically affected: it is possible to construct
3259 elliptic curve points that would falsely appear to be on the given curve.
3260 However, there is no known computationally feasible way to construct such
3261 points with low order, and so the security of static ECDH private keys is
3262 believed to be unaffected.
3263 *) Other routines known to be theoretically affected are modular
3264 exponentiation, primality testing, DSA, RSA blinding, JPAKE and SRP. No
3265 exploits are known and straightforward bug attacks fail - either the
3266 attacker cannot control when the bug triggers, or no private key material
3269 <advisory url="/news/secadv/20150108.txt"/>
3270 <reported source="Pieter Wuille (Blockstream)"/>
3273 <issue public="20141015">
3274 <cve name="2014-3513"/>
3275 <affects base="1.0.1" version="1.0.1"/>
3276 <affects base="1.0.1" version="1.0.1a"/>
3277 <affects base="1.0.1" version="1.0.1b"/>
3278 <affects base="1.0.1" version="1.0.1c"/>
3279 <affects base="1.0.1" version="1.0.1d"/>
3280 <affects base="1.0.1" version="1.0.1e"/>
3281 <affects base="1.0.1" version="1.0.1f"/>
3282 <affects base="1.0.1" version="1.0.1g"/>
3283 <affects base="1.0.1" version="1.0.1h"/>
3284 <affects base="1.0.1" version="1.0.1i"/>
3285 <fixed base="1.0.1" version="1.0.1j" date="20141015"/>
3287 A flaw in the DTLS SRTP extension parsing code allows an attacker, who
3288 sends a carefully crafted handshake message, to cause OpenSSL to fail
3289 to free up to 64k of memory causing a memory leak. This could be
3290 exploited in a Denial Of Service attack. This issue affects OpenSSL
3291 1.0.1 server implementations for both SSL/TLS and DTLS regardless of
3292 whether SRTP is used or configured. Implementations of OpenSSL that
3293 have been compiled with OPENSSL_NO_SRTP defined are not affected.
3295 <advisory url="/news/secadv/20141015.txt"/>
3296 <reported source="LibreSSL project"/>
3299 <issue public="20141015">
3300 <cve name="2014-3567"/>
3301 <affects base="0.9.8" version="0.9.8g"/>
3302 <affects base="0.9.8" version="0.9.8h"/>
3303 <affects base="0.9.8" version="0.9.8i"/>
3304 <affects base="0.9.8" version="0.9.8j"/>
3305 <affects base="0.9.8" version="0.9.8k"/>
3306 <affects base="0.9.8" version="0.9.8l"/>
3307 <affects base="0.9.8" version="0.9.8m"/>
3308 <affects base="0.9.8" version="0.9.8n"/>
3309 <affects base="0.9.8" version="0.9.8o"/>
3310 <affects base="0.9.8" version="0.9.8p"/>
3311 <affects base="0.9.8" version="0.9.8q"/>
3312 <affects base="0.9.8" version="0.9.8r"/>
3313 <affects base="0.9.8" version="0.9.8s"/>
3314 <affects base="0.9.8" version="0.9.8t"/>
3315 <affects base="0.9.8" version="0.9.8u"/>
3316 <affects base="0.9.8" version="0.9.8v"/>
3317 <affects base="0.9.8" version="0.9.8w"/>
3318 <affects base="0.9.8" version="0.9.8x"/>
3319 <affects base="0.9.8" version="0.9.8y"/>
3320 <affects base="0.9.8" version="0.9.8za"/>
3321 <affects base="0.9.8" version="0.9.8zb"/>
3322 <affects base="1.0.0" version="1.0.0"/>
3323 <affects base="1.0.0" version="1.0.0a"/>
3324 <affects base="1.0.0" version="1.0.0b"/>
3325 <affects base="1.0.0" version="1.0.0c"/>
3326 <affects base="1.0.0" version="1.0.0d"/>
3327 <affects base="1.0.0" version="1.0.0e"/>
3328 <affects base="1.0.0" version="1.0.0f"/>
3329 <affects base="1.0.0" version="1.0.0g"/>
3330 <affects base="1.0.0" version="1.0.0i"/>
3331 <affects base="1.0.0" version="1.0.0j"/>
3332 <affects base="1.0.0" version="1.0.0k"/>
3333 <affects base="1.0.0" version="1.0.0l"/>
3334 <affects base="1.0.0" version="1.0.0m"/>
3335 <affects base="1.0.0" version="1.0.0n"/>
3336 <affects base="1.0.1" version="1.0.1"/>
3337 <affects base="1.0.1" version="1.0.1a"/>
3338 <affects base="1.0.1" version="1.0.1b"/>
3339 <affects base="1.0.1" version="1.0.1c"/>
3340 <affects base="1.0.1" version="1.0.1d"/>
3341 <affects base="1.0.1" version="1.0.1e"/>
3342 <affects base="1.0.1" version="1.0.1f"/>
3343 <affects base="1.0.1" version="1.0.1g"/>
3344 <affects base="1.0.1" version="1.0.1h"/>
3345 <affects base="1.0.1" version="1.0.1i"/>
3346 <fixed base="1.0.1" version="1.0.1j" date="20140806"/>
3347 <fixed base="1.0.0" version="1.0.0o" date="20140806"/>
3348 <fixed base="0.9.8" version="0.9.8zc" date="20140806"/>
3350 When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
3351 integrity of that ticket is first verified. In the event of a session
3352 ticket integrity check failing, OpenSSL will fail to free memory
3353 causing a memory leak. By sending a large number of invalid session
3354 tickets an attacker could exploit this issue in a Denial Of Service
3357 <advisory url="/news/secadv/20141015.txt"/>
3359 <issue public="20141015">
3360 <cve name=""/> <!-- this is deliberate -->
3361 <affects base="0.9.8" version="0.9.8"/>
3362 <affects base="0.9.8" version="0.9.8a"/>
3363 <affects base="0.9.8" version="0.9.8b"/>
3364 <affects base="0.9.8" version="0.9.8c"/>
3365 <affects base="0.9.8" version="0.9.8d"/>
3366 <affects base="0.9.8" version="0.9.8e"/>
3367 <affects base="0.9.8" version="0.9.8f"/>
3368 <affects base="0.9.8" version="0.9.8g"/>
3369 <affects base="0.9.8" version="0.9.8h"/>
3370 <affects base="0.9.8" version="0.9.8i"/>
3371 <affects base="0.9.8" version="0.9.8j"/>
3372 <affects base="0.9.8" version="0.9.8k"/>
3373 <affects base="0.9.8" version="0.9.8l"/>
3374 <affects base="0.9.8" version="0.9.8m"/>
3375 <affects base="0.9.8" version="0.9.8n"/>
3376 <affects base="0.9.8" version="0.9.8o"/>
3377 <affects base="0.9.8" version="0.9.8p"/>
3378 <affects base="0.9.8" version="0.9.8q"/>
3379 <affects base="0.9.8" version="0.9.8r"/>
3380 <affects base="0.9.8" version="0.9.8s"/>
3381 <affects base="0.9.8" version="0.9.8t"/>
3382 <affects base="0.9.8" version="0.9.8u"/>
3383 <affects base="0.9.8" version="0.9.8v"/>
3384 <affects base="0.9.8" version="0.9.8w"/>
3385 <affects base="0.9.8" version="0.9.8x"/>
3386 <affects base="0.9.8" version="0.9.8y"/>
3387 <affects base="0.9.8" version="0.9.8za"/>
3388 <affects base="0.9.8" version="0.9.8zb"/>
3389 <affects base="1.0.0" version="1.0.0"/>
3390 <affects base="1.0.0" version="1.0.0a"/>
3391 <affects base="1.0.0" version="1.0.0b"/>
3392 <affects base="1.0.0" version="1.0.0c"/>
3393 <affects base="1.0.0" version="1.0.0d"/>
3394 <affects base="1.0.0" version="1.0.0e"/>
3395 <affects base="1.0.0" version="1.0.0f"/>
3396 <affects base="1.0.0" version="1.0.0g"/>
3397 <affects base="1.0.0" version="1.0.0i"/>
3398 <affects base="1.0.0" version="1.0.0j"/>
3399 <affects base="1.0.0" version="1.0.0k"/>
3400 <affects base="1.0.0" version="1.0.0l"/>
3401 <affects base="1.0.0" version="1.0.0m"/>
3402 <affects base="1.0.0" version="1.0.0n"/>
3403 <affects base="1.0.1" version="1.0.1"/>
3404 <affects base="1.0.1" version="1.0.1a"/>
3405 <affects base="1.0.1" version="1.0.1b"/>
3406 <affects base="1.0.1" version="1.0.1c"/>
3407 <affects base="1.0.1" version="1.0.1d"/>
3408 <affects base="1.0.1" version="1.0.1e"/>
3409 <affects base="1.0.1" version="1.0.1f"/>
3410 <affects base="1.0.1" version="1.0.1g"/>
3411 <affects base="1.0.1" version="1.0.1h"/>
3412 <affects base="1.0.1" version="1.0.1i"/>
3413 <fixed base="1.0.1" version="1.0.1j" date="20140806"/>
3414 <fixed base="1.0.0" version="1.0.0o" date="20140806"/>
3415 <fixed base="0.9.8" version="0.9.8zc" date="20140806"/>
3417 OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
3418 to block the ability for a MITM attacker to force a protocol
3421 Some client applications (such as browsers) will reconnect using a
3422 downgraded protocol to work around interoperability bugs in older
3423 servers. This could be exploited by an active man-in-the-middle to
3424 downgrade connections to SSL 3.0 even if both sides of the connection
3425 support higher protocols. SSL 3.0 contains a number of weaknesses
3426 including POODLE (CVE-2014-3566).
3429 https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 and
3430 https://www.openssl.org/~bodo/ssl-poodle.pdf
3434 <issue public="20141015">
3435 <cve name="2014-3568"/>
3436 <affects base="0.9.8" version="0.9.8"/>
3437 <affects base="0.9.8" version="0.9.8a"/>
3438 <affects base="0.9.8" version="0.9.8b"/>
3439 <affects base="0.9.8" version="0.9.8c"/>
3440 <affects base="0.9.8" version="0.9.8d"/>
3441 <affects base="0.9.8" version="0.9.8e"/>
3442 <affects base="0.9.8" version="0.9.8f"/>
3443 <affects base="0.9.8" version="0.9.8g"/>
3444 <affects base="0.9.8" version="0.9.8h"/>
3445 <affects base="0.9.8" version="0.9.8i"/>
3446 <affects base="0.9.8" version="0.9.8j"/>
3447 <affects base="0.9.8" version="0.9.8k"/>
3448 <affects base="0.9.8" version="0.9.8l"/>
3449 <affects base="0.9.8" version="0.9.8m"/>
3450 <affects base="0.9.8" version="0.9.8n"/>
3451 <affects base="0.9.8" version="0.9.8o"/>
3452 <affects base="0.9.8" version="0.9.8p"/>
3453 <affects base="0.9.8" version="0.9.8q"/>
3454 <affects base="0.9.8" version="0.9.8r"/>
3455 <affects base="0.9.8" version="0.9.8s"/>
3456 <affects base="0.9.8" version="0.9.8t"/>
3457 <affects base="0.9.8" version="0.9.8u"/>
3458 <affects base="0.9.8" version="0.9.8v"/>
3459 <affects base="0.9.8" version="0.9.8w"/>
3460 <affects base="0.9.8" version="0.9.8x"/>
3461 <affects base="0.9.8" version="0.9.8y"/>
3462 <affects base="0.9.8" version="0.9.8za"/>
3463 <affects base="0.9.8" version="0.9.8zb"/>
3464 <affects base="1.0.0" version="1.0.0"/>
3465 <affects base="1.0.0" version="1.0.0a"/>
3466 <affects base="1.0.0" version="1.0.0b"/>
3467 <affects base="1.0.0" version="1.0.0c"/>
3468 <affects base="1.0.0" version="1.0.0d"/>
3469 <affects base="1.0.0" version="1.0.0e"/>
3470 <affects base="1.0.0" version="1.0.0f"/>
3471 <affects base="1.0.0" version="1.0.0g"/>
3472 <affects base="1.0.0" version="1.0.0i"/>
3473 <affects base="1.0.0" version="1.0.0j"/>
3474 <affects base="1.0.0" version="1.0.0k"/>
3475 <affects base="1.0.0" version="1.0.0l"/>
3476 <affects base="1.0.0" version="1.0.0m"/>
3477 <affects base="1.0.0" version="1.0.0n"/>
3478 <affects base="1.0.1" version="1.0.1"/>
3479 <affects base="1.0.1" version="1.0.1a"/>
3480 <affects base="1.0.1" version="1.0.1b"/>
3481 <affects base="1.0.1" version="1.0.1c"/>
3482 <affects base="1.0.1" version="1.0.1d"/>
3483 <affects base="1.0.1" version="1.0.1e"/>
3484 <affects base="1.0.1" version="1.0.1f"/>
3485 <affects base="1.0.1" version="1.0.1g"/>
3486 <affects base="1.0.1" version="1.0.1h"/>
3487 <affects base="1.0.1" version="1.0.1i"/>
3488 <fixed base="1.0.1" version="1.0.1j" date="20140806"/>
3489 <fixed base="1.0.0" version="1.0.0o" date="20140806"/>
3490 <fixed base="0.9.8" version="0.9.8zc" date="20140806"/>
3493 When OpenSSL is configured with "no-ssl3" as a build option, servers
3494 could accept and complete a SSL 3.0 handshake, and clients could be
3495 configured to send them.
3497 <advisory url="/news/secadv/20141015.txt"/>
3498 <reported source="Akamai Technologies"/>
3500 <issue public="20140806">
3501 <cve name="2014-3508"/>
3502 <affects base="0.9.8" version="0.9.8"/>
3503 <affects base="0.9.8" version="0.9.8a"/>
3504 <affects base="0.9.8" version="0.9.8b"/>
3505 <affects base="0.9.8" version="0.9.8c"/>
3506 <affects base="0.9.8" version="0.9.8d"/>
3507 <affects base="0.9.8" version="0.9.8e"/>
3508 <affects base="0.9.8" version="0.9.8f"/>
3509 <affects base="0.9.8" version="0.9.8g"/>
3510 <affects base="0.9.8" version="0.9.8h"/>
3511 <affects base="0.9.8" version="0.9.8i"/>
3512 <affects base="0.9.8" version="0.9.8j"/>
3513 <affects base="0.9.8" version="0.9.8k"/>
3514 <affects base="0.9.8" version="0.9.8l"/>
3515 <affects base="0.9.8" version="0.9.8m"/>
3516 <affects base="0.9.8" version="0.9.8n"/>
3517 <affects base="0.9.8" version="0.9.8o"/>
3518 <affects base="0.9.8" version="0.9.8p"/>
3519 <affects base="0.9.8" version="0.9.8q"/>
3520 <affects base="0.9.8" version="0.9.8r"/>
3521 <affects base="0.9.8" version="0.9.8s"/>
3522 <affects base="0.9.8" version="0.9.8t"/>
3523 <affects base="0.9.8" version="0.9.8u"/>
3524 <affects base="0.9.8" version="0.9.8v"/>
3525 <affects base="0.9.8" version="0.9.8w"/>
3526 <affects base="0.9.8" version="0.9.8x"/>
3527 <affects base="0.9.8" version="0.9.8y"/>
3528 <affects base="0.9.8" version="0.9.8za"/>
3529 <affects base="1.0.0" version="1.0.0"/>
3530 <affects base="1.0.0" version="1.0.0a"/>
3531 <affects base="1.0.0" version="1.0.0b"/>
3532 <affects base="1.0.0" version="1.0.0c"/>
3533 <affects base="1.0.0" version="1.0.0d"/>
3534 <affects base="1.0.0" version="1.0.0e"/>
3535 <affects base="1.0.0" version="1.0.0f"/>
3536 <affects base="1.0.0" version="1.0.0g"/>
3537 <affects base="1.0.0" version="1.0.0i"/>
3538 <affects base="1.0.0" version="1.0.0j"/>
3539 <affects base="1.0.0" version="1.0.0k"/>
3540 <affects base="1.0.0" version="1.0.0l"/>
3541 <affects base="1.0.0" version="1.0.0m"/>
3542 <affects base="1.0.1" version="1.0.1"/>
3543 <affects base="1.0.1" version="1.0.1a"/>
3544 <affects base="1.0.1" version="1.0.1b"/>
3545 <affects base="1.0.1" version="1.0.1c"/>
3546 <affects base="1.0.1" version="1.0.1d"/>
3547 <affects base="1.0.1" version="1.0.1e"/>
3548 <affects base="1.0.1" version="1.0.1f"/>
3549 <affects base="1.0.1" version="1.0.1g"/>
3550 <affects base="1.0.1" version="1.0.1h"/>
3551 <fixed base="1.0.1" version="1.0.1i" date="20140806">
3553 <fixed base="1.0.0" version="1.0.0n" date="20140806">
3555 <fixed base="0.9.8" version="0.9.8zb" date="20140806">
3558 A flaw in OBJ_obj2txt may cause pretty printing functions such as
3559 X509_name_oneline, X509_name_print_ex, to leak some information from the
3560 stack. Applications may be affected if they echo pretty printing output to the
3561 attacker. OpenSSL SSL/TLS clients and servers themselves are not affected.
3563 <advisory url="/news/secadv/20140806.txt"/>
3564 <reported source="Ivan Fratric (Google)"/>
3567 <issue public="20140806">
3568 <cve name="2014-5139"/>
3570 A crash was found affecting SRP ciphersuites used in a Server Hello message.
3571 The issue affects OpenSSL clients and allows a malicious server to crash
3572 the client with a null pointer dereference (read) by specifying an SRP
3573 ciphersuite even though it was not properly negotiated with the client. This
3574 could lead to a Denial of Service.
3576 <affects base="1.0.1" version="1.0.1"/>
3577 <affects base="1.0.1" version="1.0.1a"/>
3578 <affects base="1.0.1" version="1.0.1b"/>
3579 <affects base="1.0.1" version="1.0.1c"/>
3580 <affects base="1.0.1" version="1.0.1d"/>
3581 <affects base="1.0.1" version="1.0.1e"/>
3582 <affects base="1.0.1" version="1.0.1f"/>
3583 <affects base="1.0.1" version="1.0.1g"/>
3584 <affects base="1.0.1" version="1.0.1h"/>
3585 <fixed base="1.0.1" version="1.0.1i" date="20140806">
3587 <advisory url="/news/secadv/20140806.txt"/>
3588 <reported source="Joonas Kuorilehto and Riku Hietamäki (Codenomicon)"/>
3591 <issue public="20140806">
3592 <cve name="2014-3509"/>
3593 <description>A race condition was found in ssl_parse_serverhello_tlsext.
3594 If a multithreaded client connects to a malicious server using a resumed session
3595 and the server sends an ec point format extension, it could write up to 255 bytes
3596 to freed memory.</description>
3597 <affects base="1.0.0" version="1.0.0"/>
3598 <affects base="1.0.0" version="1.0.0a"/>
3599 <affects base="1.0.0" version="1.0.0b"/>
3600 <affects base="1.0.0" version="1.0.0c"/>
3601 <affects base="1.0.0" version="1.0.0d"/>
3602 <affects base="1.0.0" version="1.0.0e"/>
3603 <affects base="1.0.0" version="1.0.0f"/>
3604 <affects base="1.0.0" version="1.0.0g"/>
3605 <affects base="1.0.0" version="1.0.0i"/>
3606 <affects base="1.0.0" version="1.0.0j"/>
3607 <affects base="1.0.0" version="1.0.0k"/>
3608 <affects base="1.0.0" version="1.0.0l"/>
3609 <affects base="1.0.0" version="1.0.0m"/>
3610 <affects base="1.0.1" version="1.0.1"/>
3611 <affects base="1.0.1" version="1.0.1a"/>
3612 <affects base="1.0.1" version="1.0.1b"/>
3613 <affects base="1.0.1" version="1.0.1c"/>
3614 <affects base="1.0.1" version="1.0.1d"/>
3615 <affects base="1.0.1" version="1.0.1e"/>
3616 <affects base="1.0.1" version="1.0.1f"/>
3617 <affects base="1.0.1" version="1.0.1g"/>
3618 <affects base="1.0.1" version="1.0.1h"/>
3619 <fixed base="1.0.1" version="1.0.1i" date="20140806">
3621 <fixed base="1.0.0" version="1.0.0n" date="20140806">
3623 <reported source="Gabor Tyukasz (LogMeIn Inc)"/>
3624 <advisory url="/news/secadv/20140806.txt"/>
3627 <issue public="20140806">
3628 <cve name="2014-3505"/>
3629 <affects base="0.9.8" version="0.9.8m"/>
3630 <affects base="0.9.8" version="0.9.8n"/>
3631 <affects base="0.9.8" version="0.9.8o"/>
3632 <affects base="0.9.8" version="0.9.8p"/>
3633 <affects base="0.9.8" version="0.9.8q"/>
3634 <affects base="0.9.8" version="0.9.8r"/>
3635 <affects base="0.9.8" version="0.9.8s"/>
3636 <affects base="0.9.8" version="0.9.8t"/>
3637 <affects base="0.9.8" version="0.9.8u"/>
3638 <affects base="0.9.8" version="0.9.8v"/>
3639 <affects base="0.9.8" version="0.9.8w"/>
3640 <affects base="0.9.8" version="0.9.8x"/>
3641 <affects base="0.9.8" version="0.9.8y"/>
3642 <affects base="0.9.8" version="0.9.8za"/>
3643 <affects base="1.0.0" version="1.0.0"/>
3644 <affects base="1.0.0" version="1.0.0a"/>
3645 <affects base="1.0.0" version="1.0.0b"/>
3646 <affects base="1.0.0" version="1.0.0c"/>
3647 <affects base="1.0.0" version="1.0.0d"/>
3648 <affects base="1.0.0" version="1.0.0e"/>
3649 <affects base="1.0.0" version="1.0.0f"/>
3650 <affects base="1.0.0" version="1.0.0g"/>
3651 <affects base="1.0.0" version="1.0.0i"/>
3652 <affects base="1.0.0" version="1.0.0j"/>
3653 <affects base="1.0.0" version="1.0.0k"/>
3654 <affects base="1.0.0" version="1.0.0l"/>
3655 <affects base="1.0.0" version="1.0.0m"/>
3656 <affects base="1.0.1" version="1.0.1"/>
3657 <affects base="1.0.1" version="1.0.1a"/>
3658 <affects base="1.0.1" version="1.0.1b"/>
3659 <affects base="1.0.1" version="1.0.1c"/>
3660 <affects base="1.0.1" version="1.0.1d"/>
3661 <affects base="1.0.1" version="1.0.1e"/>
3662 <affects base="1.0.1" version="1.0.1f"/>
3663 <affects base="1.0.1" version="1.0.1g"/>
3664 <affects base="1.0.1" version="1.0.1h"/>
3665 <fixed base="1.0.1" version="1.0.1i" date="20140806">
3667 <fixed base="1.0.0" version="1.0.0n" date="20140806">
3669 <fixed base="0.9.8" version="0.9.8zb" date="20140806">
3672 A Double Free was found when processing DTLS packets.
3673 An attacker can force an error condition which causes openssl to crash whilst
3674 processing DTLS packets due to memory being freed twice. This could lead to a
3675 Denial of Service attack.
3677 <reported source="Adam Langley and Wan-Teh Chang (Google)"/>
3678 <advisory url="/news/secadv/20140806.txt"/>
3681 <issue public="20140806">
3682 <cve name="2014-3506"/>
3683 <affects base="0.9.8" version="0.9.8"/>
3684 <affects base="0.9.8" version="0.9.8a"/>
3685 <affects base="0.9.8" version="0.9.8b"/>
3686 <affects base="0.9.8" version="0.9.8c"/>
3687 <affects base="0.9.8" version="0.9.8d"/>
3688 <affects base="0.9.8" version="0.9.8e"/>
3689 <affects base="0.9.8" version="0.9.8f"/>
3690 <affects base="0.9.8" version="0.9.8g"/>
3691 <affects base="0.9.8" version="0.9.8h"/>
3692 <affects base="0.9.8" version="0.9.8i"/>
3693 <affects base="0.9.8" version="0.9.8j"/>
3694 <affects base="0.9.8" version="0.9.8k"/>
3695 <affects base="0.9.8" version="0.9.8l"/>
3696 <affects base="0.9.8" version="0.9.8m"/>
3697 <affects base="0.9.8" version="0.9.8n"/>
3698 <affects base="0.9.8" version="0.9.8o"/>
3699 <affects base="0.9.8" version="0.9.8p"/>
3700 <affects base="0.9.8" version="0.9.8q"/>
3701 <affects base="0.9.8" version="0.9.8r"/>
3702 <affects base="0.9.8" version="0.9.8s"/>
3703 <affects base="0.9.8" version="0.9.8t"/>
3704 <affects base="0.9.8" version="0.9.8u"/>
3705 <affects base="0.9.8" version="0.9.8v"/>
3706 <affects base="0.9.8" version="0.9.8w"/>
3707 <affects base="0.9.8" version="0.9.8x"/>
3708 <affects base="0.9.8" version="0.9.8y"/>
3709 <affects base="0.9.8" version="0.9.8za"/>
3710 <affects base="1.0.0" version="1.0.0"/>
3711 <affects base="1.0.0" version="1.0.0a"/>
3712 <affects base="1.0.0" version="1.0.0b"/>
3713 <affects base="1.0.0" version="1.0.0c"/>
3714 <affects base="1.0.0" version="1.0.0d"/>
3715 <affects base="1.0.0" version="1.0.0e"/>
3716 <affects base="1.0.0" version="1.0.0f"/>
3717 <affects base="1.0.0" version="1.0.0g"/>
3718 <affects base="1.0.0" version="1.0.0i"/>
3719 <affects base="1.0.0" version="1.0.0j"/>
3720 <affects base="1.0.0" version="1.0.0k"/>
3721 <affects base="1.0.0" version="1.0.0l"/>
3722 <affects base="1.0.0" version="1.0.0m"/>
3723 <affects base="1.0.1" version="1.0.1"/>
3724 <affects base="1.0.1" version="1.0.1a"/>
3725 <affects base="1.0.1" version="1.0.1b"/>
3726 <affects base="1.0.1" version="1.0.1c"/>
3727 <affects base="1.0.1" version="1.0.1d"/>
3728 <affects base="1.0.1" version="1.0.1e"/>
3729 <affects base="1.0.1" version="1.0.1f"/>
3730 <affects base="1.0.1" version="1.0.1g"/>
3731 <affects base="1.0.1" version="1.0.1h"/>
3732 <fixed base="1.0.1" version="1.0.1i" date="20140806">
3734 <fixed base="1.0.0" version="1.0.0n" date="20140806">
3736 <fixed base="0.9.8" version="0.9.8zb" date="20140806">
3739 A DTLS flaw leading to memory exhaustion was found.
3740 An attacker can force openssl to consume large amounts of memory whilst
3741 processing DTLS handshake messages. This could lead to a Denial of
3744 <reported source="Adam Langley (Google)"/>
3745 <advisory url="/news/secadv/20140806.txt"/>
3748 <issue public="20140806">
3749 <cve name="2014-3507"/>
3750 <affects base="0.9.8" version="0.9.8o"/>
3751 <affects base="0.9.8" version="0.9.8p"/>
3752 <affects base="0.9.8" version="0.9.8q"/>
3753 <affects base="0.9.8" version="0.9.8r"/>
3754 <affects base="0.9.8" version="0.9.8s"/>
3755 <affects base="0.9.8" version="0.9.8t"/>
3756 <affects base="0.9.8" version="0.9.8u"/>
3757 <affects base="0.9.8" version="0.9.8v"/>
3758 <affects base="0.9.8" version="0.9.8w"/>
3759 <affects base="0.9.8" version="0.9.8x"/>
3760 <affects base="0.9.8" version="0.9.8y"/>
3761 <affects base="0.9.8" version="0.9.8za"/>
3762 <affects base="1.0.0" version="1.0.0a"/>
3763 <affects base="1.0.0" version="1.0.0b"/>
3764 <affects base="1.0.0" version="1.0.0c"/>
3765 <affects base="1.0.0" version="1.0.0d"/>
3766 <affects base="1.0.0" version="1.0.0e"/>
3767 <affects base="1.0.0" version="1.0.0f"/>
3768 <affects base="1.0.0" version="1.0.0g"/>
3769 <affects base="1.0.0" version="1.0.0i"/>
3770 <affects base="1.0.0" version="1.0.0j"/>
3771 <affects base="1.0.0" version="1.0.0k"/>
3772 <affects base="1.0.0" version="1.0.0l"/>
3773 <affects base="1.0.0" version="1.0.0m"/>
3774 <affects base="1.0.1" version="1.0.1"/>
3775 <affects base="1.0.1" version="1.0.1a"/>
3776 <affects base="1.0.1" version="1.0.1b"/>
3777 <affects base="1.0.1" version="1.0.1c"/>
3778 <affects base="1.0.1" version="1.0.1d"/>
3779 <affects base="1.0.1" version="1.0.1e"/>
3780 <affects base="1.0.1" version="1.0.1f"/>
3781 <affects base="1.0.1" version="1.0.1g"/>
3782 <affects base="1.0.1" version="1.0.1h"/>
3783 <fixed base="1.0.1" version="1.0.1i" date="20140806">
3785 <fixed base="1.0.0" version="1.0.0n" date="20140806">
3787 <fixed base="0.9.8" version="0.9.8zb" date="20140806">
3790 A DTLS memory leak from zero-length fragments was found.
3791 By sending carefully crafted DTLS packets an attacker could cause OpenSSL to
3792 leak memory. This could lead to a Denial of Service attack.
3794 <reported source="Adam Langley (Google)"/>
3795 <advisory url="/news/secadv/20140806.txt"/>
3798 <issue public="20140806">
3799 <cve name="2014-3510"/>
3800 <affects base="0.9.8" version="0.9.8"/>
3801 <affects base="0.9.8" version="0.9.8a"/>
3802 <affects base="0.9.8" version="0.9.8b"/>
3803 <affects base="0.9.8" version="0.9.8c"/>
3804 <affects base="0.9.8" version="0.9.8d"/>
3805 <affects base="0.9.8" version="0.9.8e"/>
3806 <affects base="0.9.8" version="0.9.8f"/>
3807 <affects base="0.9.8" version="0.9.8g"/>
3808 <affects base="0.9.8" version="0.9.8h"/>
3809 <affects base="0.9.8" version="0.9.8i"/>
3810 <affects base="0.9.8" version="0.9.8j"/>
3811 <affects base="0.9.8" version="0.9.8k"/>
3812 <affects base="0.9.8" version="0.9.8l"/>
3813 <affects base="0.9.8" version="0.9.8m"/>
3814 <affects base="0.9.8" version="0.9.8n"/>
3815 <affects base="0.9.8" version="0.9.8o"/>
3816 <affects base="0.9.8" version="0.9.8p"/>
3817 <affects base="0.9.8" version="0.9.8q"/>
3818 <affects base="0.9.8" version="0.9.8r"/>
3819 <affects base="0.9.8" version="0.9.8s"/>
3820 <affects base="0.9.8" version="0.9.8t"/>
3821 <affects base="0.9.8" version="0.9.8u"/>
3822 <affects base="0.9.8" version="0.9.8v"/>
3823 <affects base="0.9.8" version="0.9.8w"/>
3824 <affects base="0.9.8" version="0.9.8x"/>
3825 <affects base="0.9.8" version="0.9.8y"/>
3826 <affects base="0.9.8" version="0.9.8za"/>
3827 <affects base="1.0.0" version="1.0.0"/>
3828 <affects base="1.0.0" version="1.0.0a"/>
3829 <affects base="1.0.0" version="1.0.0b"/>
3830 <affects base="1.0.0" version="1.0.0c"/>
3831 <affects base="1.0.0" version="1.0.0d"/>
3832 <affects base="1.0.0" version="1.0.0e"/>
3833 <affects base="1.0.0" version="1.0.0f"/>
3834 <affects base="1.0.0" version="1.0.0g"/>
3835 <affects base="1.0.0" version="1.0.0i"/>
3836 <affects base="1.0.0" version="1.0.0j"/>
3837 <affects base="1.0.0" version="1.0.0k"/>
3838 <affects base="1.0.0" version="1.0.0l"/>
3839 <affects base="1.0.0" version="1.0.0m"/>
3840 <affects base="1.0.1" version="1.0.1"/>
3841 <affects base="1.0.1" version="1.0.1a"/>
3842 <affects base="1.0.1" version="1.0.1b"/>
3843 <affects base="1.0.1" version="1.0.1c"/>
3844 <affects base="1.0.1" version="1.0.1d"/>
3845 <affects base="1.0.1" version="1.0.1e"/>
3846 <affects base="1.0.1" version="1.0.1f"/>
3847 <affects base="1.0.1" version="1.0.1g"/>
3848 <affects base="1.0.1" version="1.0.1h"/>
3849 <fixed base="1.0.1" version="1.0.1i" date="20140806">
3851 <fixed base="1.0.0" version="1.0.0n" date="20140806">
3853 <fixed base="0.9.8" version="0.9.8zb" date="20140806">
3856 A flaw in handling DTLS anonymous EC(DH) ciphersuites was found.
3857 OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a
3858 denial of service attack. A malicious server can crash the client with a null
3859 pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and
3860 sending carefully crafted handshake messages.
3862 <reported source="Felix Gröbert (Google)"/>
3863 <advisory url="/news/secadv/20140806.txt"/>
3866 <issue public="20140806">
3867 <cve name="2014-3511"/>
3868 <affects base="1.0.1" version="1.0.1"/>
3869 <affects base="1.0.1" version="1.0.1a"/>
3870 <affects base="1.0.1" version="1.0.1b"/>
3871 <affects base="1.0.1" version="1.0.1c"/>
3872 <affects base="1.0.1" version="1.0.1d"/>
3873 <affects base="1.0.1" version="1.0.1e"/>
3874 <affects base="1.0.1" version="1.0.1f"/>
3875 <affects base="1.0.1" version="1.0.1g"/>
3876 <affects base="1.0.1" version="1.0.1h"/>
3877 <fixed base="1.0.1" version="1.0.1i" date="20140806">
3880 A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
3881 TLS 1.0 instead of higher protocol versions when the ClientHello message is
3882 badly fragmented. This allows a man-in-the-middle attacker to force a
3883 downgrade to TLS 1.0 even if both the server and the client support a higher
3884 protocol version, by modifying the client's TLS records.
3886 <reported source="David Benjamin and Adam Langley (Google)"/>
3887 <advisory url="/news/secadv/20140806.txt"/>
3890 <issue public="20140806">
3891 <cve name="2014-3512"/>
3892 <affects base="1.0.1" version="1.0.1"/>
3893 <affects base="1.0.1" version="1.0.1a"/>
3894 <affects base="1.0.1" version="1.0.1b"/>
3895 <affects base="1.0.1" version="1.0.1c"/>
3896 <affects base="1.0.1" version="1.0.1d"/>
3897 <affects base="1.0.1" version="1.0.1e"/>
3898 <affects base="1.0.1" version="1.0.1f"/>
3899 <affects base="1.0.1" version="1.0.1g"/>
3900 <affects base="1.0.1" version="1.0.1h"/>
3901 <fixed base="1.0.1" version="1.0.1i" date="20140806">
3904 A SRP buffer overrun was found.
3905 A malicious client or server can send invalid SRP parameters and overrun
3906 an internal buffer. Only applications which are explicitly set up for SRP
3909 <reported source="Sean Devlin and Watson Ladd (Cryptography Services, NCC Group)"/>
3910 <advisory url="/news/secadv/20140806.txt"/>
3913 <issue public="20020730">
3914 <cve name="2002-0655"/>
3915 <affects base="0.9.6" version="0.9.6"/>
3916 <affects base="0.9.6" version="0.9.6a"/>
3917 <affects base="0.9.6" version="0.9.6b"/>
3918 <affects base="0.9.6" version="0.9.6c"/>
3919 <affects base="0.9.6" version="0.9.6d"/>
3920 <fixed base="0.9.6" version="0.9.6e" date="20020730"/>
3921 <advisory url="/news/secadv/20020730.txt"/>
3922 <reported source="OpenSSL Group (A.L. Digital)"/>
3924 Inproper handling of ASCII representations of integers on
3925 64 bit platforms allowed remote attackers to cause a denial of
3926 service or possibly execute arbitrary code.
3930 <issue public="20020730">
3931 <cve name="2002-0656"/>
3932 <affects base="0.9.6" version="0.9.6"/>
3933 <affects base="0.9.6" version="0.9.6a"/>
3934 <affects base="0.9.6" version="0.9.6b"/>
3935 <affects base="0.9.6" version="0.9.6c"/>
3936 <affects base="0.9.6" version="0.9.6d"/>
3937 <fixed base="0.9.6" version="0.9.6e" date="20020730"/>
3938 <advisory url="/news/secadv/20020730.txt"/>
3939 <reported source="OpenSSL Group (A.L. Digital)"/>
3941 A buffer overflow allowed remote attackers to execute
3942 arbitrary code by sending a large client master key in SSL2 or a
3943 large session ID in SSL3.
3947 <issue public="20020730">
3948 <cve name="2002-0657"/>
3949 <advisory url="/news/secadv/20020730.txt"/>
3950 <reported source="OpenSSL Group (A.L. Digital)"/>
3952 A buffer overflow when Kerberos is enabled allowed attackers
3953 to execute arbitrary code by sending a long master key. Note that this
3954 flaw did not affect any released version of 0.9.6 or 0.9.7
3958 <issue public="20020730">
3959 <cve name="2002-0659"/>
3960 <affects base="0.9.6" version="0.9.6a"/>
3961 <affects base="0.9.6" version="0.9.6b"/>
3962 <affects base="0.9.6" version="0.9.6c"/>
3963 <affects base="0.9.6" version="0.9.6d"/>
3964 <fixed base="0.9.6" version="0.9.6e" date="20020730"/>
3966 A flaw in the ASN1 library allowed remote attackers to cause a denial of
3967 service by sending invalid encodings.
3972 <cve name="2002-1568"/>
3973 <affects base="0.9.6" version="0.9.6e"/>
3974 <fixed base="0.9.6" version="0.9.6f" date="20020808"/>
3976 The use of assertions when detecting buffer overflow attacks
3977 allowed remote attackers to cause a denial of service (crash) by
3978 sending certain messages to cause
3979 OpenSSL to abort from a failed assertion, as demonstrated using SSLv2
3980 CLIENT_MASTER_KEY messages, which were not properly handled in
3985 <issue public="20030219">
3986 <cve name="2003-0078"/>
3987 <affects base="0.9.7" version="0.9.7"/>
3988 <affects base="0.9.6" version="0.9.6"/>
3989 <affects base="0.9.6" version="0.9.6a"/>
3990 <affects base="0.9.6" version="0.9.6b"/>
3991 <affects base="0.9.6" version="0.9.6c"/>
3992 <affects base="0.9.6" version="0.9.6d"/>
3993 <affects base="0.9.6" version="0.9.6e"/>
3994 <affects base="0.9.6" version="0.9.6f"/>
3995 <affects base="0.9.6" version="0.9.6g"/>
3996 <affects base="0.9.6" version="0.9.6h"/>
3997 <fixed base="0.9.7" version="0.9.7a" date="20030219"/>
3998 <fixed base="0.9.6" version="0.9.6i" date="20030219"/>
3999 <advisory url="/news/secadv/20030219.txt"/>
4001 sl3_get_record in s3_pkt.c did not perform a MAC computation if an
4002 incorrect block cipher padding was used, causing an information leak
4003 (timing discrepancy) that may make it easier to launch cryptographic
4004 attacks that rely on distinguishing between padding and MAC
4005 verification errors, possibly leading to extraction of the original
4006 plaintext, aka the "Vaudenay timing attack."
4010 <issue public="20030319">
4011 <cve name="2003-0131"/>
4012 <affects base="0.9.6" version="0.9.6"/>
4013 <affects base="0.9.6" version="0.9.6a"/>
4014 <affects base="0.9.6" version="0.9.6b"/>
4015 <affects base="0.9.6" version="0.9.6c"/>
4016 <affects base="0.9.6" version="0.9.6d"/>
4017 <affects base="0.9.6" version="0.9.6e"/>
4018 <affects base="0.9.6" version="0.9.6f"/>
4019 <affects base="0.9.6" version="0.9.6g"/>
4020 <affects base="0.9.6" version="0.9.6h"/>
4021 <affects base="0.9.6" version="0.9.6i"/>
4022 <affects base="0.9.7" version="0.9.7"/>
4023 <affects base="0.9.7" version="0.9.7a"/>
4024 <fixed base="0.9.6" version="0.9.6j" date="20030410"/>
4025 <fixed base="0.9.7" version="0.9.7b" date="20030410"/>
4026 <advisory url="/news/secadv/20030319.txt"/>
4028 The SSL and TLS components allowed remote attackers to perform an
4029 unauthorized RSA private key operation via a modified Bleichenbacher
4030 attack that uses a large number of SSL or TLS connections using PKCS #1
4031 v1.5 padding that caused OpenSSL to leak information regarding the
4032 relationship between ciphertext and the associated plaintext, aka the
4033 "Klima-Pokorny-Rosa attack"
4037 <issue public="20030314">
4038 <cve name="2003-0147"/>
4039 <affects base="0.9.6" version="0.9.6"/>
4040 <affects base="0.9.6" version="0.9.6a"/>
4041 <affects base="0.9.6" version="0.9.6b"/>
4042 <affects base="0.9.6" version="0.9.6c"/>
4043 <affects base="0.9.6" version="0.9.6d"/>
4044 <affects base="0.9.6" version="0.9.6e"/>
4045 <affects base="0.9.6" version="0.9.6f"/>
4046 <affects base="0.9.6" version="0.9.6g"/>
4047 <affects base="0.9.6" version="0.9.6h"/>
4048 <affects base="0.9.6" version="0.9.6i"/>
4049 <affects base="0.9.7" version="0.9.7"/>
4050 <affects base="0.9.7" version="0.9.7a"/>
4051 <advisory url="/news/secadv/20030317.txt"/>
4052 <fixed base="0.9.7" version="0.9.7b" date="20030410"/>
4053 <fixed base="0.9.6" version="0.9.6j" date="20030410"/>
4055 RSA blinding was not enabled by default, which could allow local and
4056 remote attackers to obtain a server's private key by determining
4057 factors using timing differences on (1) the number of extra reductions
4058 during Montgomery reduction, and (2) the use of different integer
4059 multiplication algorithms ("Karatsuba" and normal).
4063 <issue public="20030930">
4064 <cve name="2003-0543"/>
4065 <affects base="0.9.6" version="0.9.6"/>
4066 <affects base="0.9.6" version="0.9.6a"/>
4067 <affects base="0.9.6" version="0.9.6b"/>
4068 <affects base="0.9.6" version="0.9.6c"/>
4069 <affects base="0.9.6" version="0.9.6d"/>
4070 <affects base="0.9.6" version="0.9.6e"/>
4071 <affects base="0.9.6" version="0.9.6f"/>
4072 <affects base="0.9.6" version="0.9.6g"/>
4073 <affects base="0.9.6" version="0.9.6h"/>
4074 <affects base="0.9.6" version="0.9.6i"/>
4075 <affects base="0.9.6" version="0.9.6j"/>
4076 <affects base="0.9.7" version="0.9.7"/>
4077 <affects base="0.9.7" version="0.9.7a"/>
4078 <affects base="0.9.7" version="0.9.7b"/>
4079 <fixed base="0.9.7" version="0.9.7c" date="20030930"/>
4080 <fixed base="0.9.6" version="0.9.6k" date="20030930"/>
4081 <advisory url="/news/secadv/20030930.txt"/>
4082 <reported source="NISCC"/>
4084 An integer overflow could allow remote attackers to cause a denial of
4085 service (crash) via an SSL client certificate with certain ASN.1 tag
4090 <issue public="20030930">
4091 <cve name="2003-0544"/>
4092 <affects base="0.9.7" version="0.9.7"/>
4093 <affects base="0.9.7" version="0.9.7a"/>
4094 <affects base="0.9.7" version="0.9.7b"/>
4095 <affects base="0.9.6" version="0.9.6"/>
4096 <affects base="0.9.6" version="0.9.6a"/>
4097 <affects base="0.9.6" version="0.9.6b"/>
4098 <affects base="0.9.6" version="0.9.6c"/>
4099 <affects base="0.9.6" version="0.9.6d"/>
4100 <affects base="0.9.6" version="0.9.6e"/>
4101 <affects base="0.9.6" version="0.9.6f"/>
4102 <affects base="0.9.6" version="0.9.6g"/>
4103 <affects base="0.9.6" version="0.9.6h"/>
4104 <affects base="0.9.6" version="0.9.6i"/>
4105 <affects base="0.9.6" version="0.9.6j"/>
4106 <fixed base="0.9.6" version="0.9.6k" date="20030930"/>
4107 <fixed base="0.9.7" version="0.9.7c" date="20030930"/>
4108 <advisory url="/news/secadv/20030930.txt"/>
4109 <reported source="NISCC"/>
4111 Incorrect tracking of the number of characters in certain
4112 ASN.1 inputs could allow remote attackers to cause a denial of
4113 service (crash) by sending an SSL client certificate that causes OpenSSL to
4114 read past the end of a buffer when the long form is used.
4118 <issue public="20030930">
4119 <cve name="2003-0545"/>
4120 <affects base="0.9.7" version="0.9.7"/>
4121 <affects base="0.9.7" version="0.9.7a"/>
4122 <affects base="0.9.7" version="0.9.7b"/>
4123 <fixed base="0.9.7" version="0.9.7c" date="20030930"/>
4124 <advisory url="/news/secadv/20030930.txt"/>
4125 <reported source="NISCC"/>
4127 Certain ASN.1 encodings that were rejected as invalid by the parser could
4128 trigger a bug in the deallocation of the corresponding data structure,
4129 corrupting the stack, leading to a crash.
4133 <issue public="20031104">
4134 <cve name="2003-0851"/>
4135 <affects base="0.9.6" version="0.9.6k"/>
4136 <fixed base="0.9.6" version="0.9.6l" date="20031104"/>
4137 <advisory url="/news/secadv/20031104.txt"/>
4138 <reported source="Novell"/>
4140 A flaw in OpenSSL 0.9.6k (only) would cause certain ASN.1 sequences to
4141 trigger a large recursion. On platforms such as Windows this large
4142 recursion cannot be handled correctly and so the bug causes OpenSSL to
4143 crash. A remote attacker could exploit this flaw if they can send
4144 arbitrary ASN.1 sequences which would cause OpenSSL to crash. This
4145 could be performed for example by sending a client certificate to a
4146 SSL/TLS enabled server which is configured to accept them.
4150 <issue public="20040317">
4151 <cve name="2004-0079"/>
4152 <affects base="0.9.6" version="0.9.6c"/>
4153 <affects base="0.9.6" version="0.9.6d"/>
4154 <affects base="0.9.6" version="0.9.6e"/>
4155 <affects base="0.9.6" version="0.9.6f"/>
4156 <affects base="0.9.6" version="0.9.6g"/>
4157 <affects base="0.9.6" version="0.9.6h"/>
4158 <affects base="0.9.6" version="0.9.6i"/>
4159 <affects base="0.9.6" version="0.9.6j"/>
4160 <affects base="0.9.6" version="0.9.6k"/>
4161 <affects base="0.9.6" version="0.9.6l"/>
4162 <affects base="0.9.7" version="0.9.7"/>
4163 <affects base="0.9.7" version="0.9.7a"/>
4164 <affects base="0.9.7" version="0.9.7b"/>
4165 <affects base="0.9.7" version="0.9.7c"/>
4166 <fixed base="0.9.7" version="0.9.7d" date="20040317"/>
4167 <fixed base="0.9.6" version="0.9.6m" date="20040317"/>
4168 <advisory url="/news/secadv/20040317.txt"/>
4169 <reported source="OpenSSL group"/>
4171 The Codenomicon TLS Test Tool uncovered a null-pointer assignment in the
4172 do_change_cipher_spec() function. A remote attacker could perform a
4173 carefully crafted SSL/TLS handshake against a server that used the
4174 OpenSSL library in such a way as to cause a crash.
4178 <issue public="20040317">
4179 <cve name="2004-0081"/>
4180 <affects base="0.9.6" version="0.9.6"/>
4181 <affects base="0.9.6" version="0.9.6a"/>
4182 <affects base="0.9.6" version="0.9.6b"/>
4183 <affects base="0.9.6" version="0.9.6c"/>
4184 <advisory url="/news/secadv/20030317.txt"/>
4185 <reported source="OpenSSL group"/>
4187 The Codenomicon TLS Test Tool found that some unknown message types
4188 were handled incorrectly, allowing a remote attacker to cause a denial
4189 of service (infinite loop).
4193 <issue public="20040317">
4194 <cve name="2004-0112"/>
4195 <affects base="0.9.7" version="0.9.7a"/>
4196 <affects base="0.9.7" version="0.9.7b"/>
4197 <affects base="0.9.7" version="0.9.7c"/>
4198 <fixed base="0.9.7" version="0.9.7d" date="20040317"/>
4199 <reported source="OpenSSL group (Stephen Henson)"/>
4200 <advisory url="/news/secadv/20040317.txt"/>
4202 A flaw in SSL/TLS handshaking code when using Kerberos ciphersuites.
4203 A remote attacker could perform a carefully crafted SSL/TLS handshake
4204 against a server configured to use Kerberos ciphersuites in such a way
4205 as to cause OpenSSL to crash. Most applications have no ability to
4206 use Kerberos ciphersuites and will therefore be unaffected.
4210 <issue public="20040930">
4211 <cve name="2004-0975"/>
4212 <affects base="0.9.7" version="0.9.7"/>
4213 <affects base="0.9.7" version="0.9.7a"/>
4214 <affects base="0.9.7" version="0.9.7b"/>
4215 <affects base="0.9.7" version="0.9.7c"/>
4216 <affects base="0.9.7" version="0.9.7d"/>
4217 <affects base="0.9.7" version="0.9.7e"/>
4218 <affects base="0.9.6" version="0.9.6"/>
4219 <affects base="0.9.6" version="0.9.6a"/>
4220 <affects base="0.9.6" version="0.9.6b"/>
4221 <affects base="0.9.6" version="0.9.6c"/>
4222 <affects base="0.9.6" version="0.9.6d"/>
4223 <affects base="0.9.6" version="0.9.6e"/>
4224 <affects base="0.9.6" version="0.9.6f"/>
4225 <affects base="0.9.6" version="0.9.6g"/>
4226 <affects base="0.9.6" version="0.9.6h"/>
4227 <affects base="0.9.6" version="0.9.6i"/>
4228 <affects base="0.9.6" version="0.9.6j"/>
4229 <affects base="0.9.6" version="0.9.6k"/>
4230 <affects base="0.9.6" version="0.9.6l"/>
4231 <affects base="0.9.6" version="0.9.6m"/>
4232 <fixed base="0.9.7" version="0.9.7f" date="20050322"/>
4233 <fixed base="0.9.6" version="0.9.6-cvs" date="20041114"/>
4234 <!-- der_chop was removed 20041114 -->
4237 The der_chop script created temporary files insecurely which could
4238 allow local users to overwrite files via a symlink attack on temporary
4239 files. Note that it is quite unlikely that a user would be using the
4240 redundant der_chop script, and this script was removed from the OpenSSL
4245 <issue public="20051011">
4246 <cve name="2005-2969"/>
4247 <affects base="0.9.7" version="0.9.7"/>
4248 <affects base="0.9.7" version="0.9.7a"/>
4249 <affects base="0.9.7" version="0.9.7b"/>
4250 <affects base="0.9.7" version="0.9.7c"/>
4251 <affects base="0.9.7" version="0.9.7d"/>
4252 <affects base="0.9.7" version="0.9.7e"/>
4253 <affects base="0.9.7" version="0.9.7f"/>
4254 <affects base="0.9.7" version="0.9.7g"/>
4255 <affects base="0.9.8" version="0.9.8"/>
4256 <affects base="0.9.6" version="0.9.6"/>
4257 <affects base="0.9.6" version="0.9.6a"/>
4258 <affects base="0.9.6" version="0.9.6b"/>
4259 <affects base="0.9.6" version="0.9.6c"/>
4260 <affects base="0.9.6" version="0.9.6d"/>
4261 <affects base="0.9.6" version="0.9.6e"/>
4262 <affects base="0.9.6" version="0.9.6f"/>
4263 <affects base="0.9.6" version="0.9.6g"/>
4264 <affects base="0.9.6" version="0.9.6h"/>
4265 <affects base="0.9.6" version="0.9.6i"/>
4266 <affects base="0.9.6" version="0.9.6j"/>
4267 <affects base="0.9.6" version="0.9.6k"/>
4268 <affects base="0.9.6" version="0.9.6l"/>
4269 <affects base="0.9.6" version="0.9.6m"/>
4270 <fixed base="0.9.7" version="0.9.7h" date="20051011"/>
4271 <fixed base="0.9.8" version="0.9.8a" date="20051011"/>
4273 <advisory url="/news/secadv/20051011.txt"/>
4274 <reported source="researcher"/>
4277 A deprecated option, SSL_OP_MISE_SSLV2_RSA_PADDING, could allow an
4278 attacker acting as a "man in the middle" to force a connection to
4279 downgrade to SSL 2.0 even if both parties support better protocols.
4283 <issue public="20060905">
4284 <cve name="2006-4339"/>
4285 <affects base="0.9.7" version="0.9.7"/>
4286 <affects base="0.9.7" version="0.9.7a"/>
4287 <affects base="0.9.7" version="0.9.7b"/>
4288 <affects base="0.9.7" version="0.9.7c"/>
4289 <affects base="0.9.7" version="0.9.7d"/>
4290 <affects base="0.9.7" version="0.9.7e"/>
4291 <affects base="0.9.7" version="0.9.7f"/>
4292 <affects base="0.9.7" version="0.9.7g"/>
4293 <affects base="0.9.7" version="0.9.7h"/>
4294 <affects base="0.9.7" version="0.9.7i"/>
4295 <affects base="0.9.7" version="0.9.7j"/>
4296 <affects base="0.9.8" version="0.9.8"/>
4297 <affects base="0.9.8" version="0.9.8a"/>
4298 <affects base="0.9.8" version="0.9.8b"/>
4299 <affects base="0.9.6" version="0.9.6"/>
4300 <affects base="0.9.6" version="0.9.6a"/>
4301 <affects base="0.9.6" version="0.9.6b"/>
4302 <affects base="0.9.6" version="0.9.6c"/>
4303 <affects base="0.9.6" version="0.9.6d"/>
4304 <affects base="0.9.6" version="0.9.6e"/>
4305 <affects base="0.9.6" version="0.9.6f"/>
4306 <affects base="0.9.6" version="0.9.6g"/>
4307 <affects base="0.9.6" version="0.9.6h"/>
4308 <affects base="0.9.6" version="0.9.6i"/>
4309 <affects base="0.9.6" version="0.9.6j"/>
4310 <affects base="0.9.6" version="0.9.6k"/>
4311 <affects base="0.9.6" version="0.9.6l"/>
4312 <affects base="0.9.6" version="0.9.6m"/>
4313 <fixed base="0.9.7" version="0.9.7k" date="20060905"/>
4314 <fixed base="0.9.8" version="0.9.8c" date="20060905"/>
4316 <advisory url="/news/secadv/20060905.txt"/>
4317 <reported source="openssl"/>
4320 Daniel Bleichenbacher discovered an attack on PKCS #1 v1.5
4321 signatures where under certain circumstances it may be possible
4322 for an attacker to forge a PKCS #1 v1.5 signature that would be incorrectly
4323 verified by OpenSSL.
4327 <issue public="20060928">
4328 <cve name="2006-2937"/>
4329 <affects base="0.9.7" version="0.9.7"/>
4330 <affects base="0.9.7" version="0.9.7a"/>
4331 <affects base="0.9.7" version="0.9.7b"/>
4332 <affects base="0.9.7" version="0.9.7c"/>
4333 <affects base="0.9.7" version="0.9.7d"/>
4334 <affects base="0.9.7" version="0.9.7e"/>
4335 <affects base="0.9.7" version="0.9.7f"/>
4336 <affects base="0.9.7" version="0.9.7g"/>
4337 <affects base="0.9.7" version="0.9.7h"/>
4338 <affects base="0.9.7" version="0.9.7i"/>
4339 <affects base="0.9.7" version="0.9.7j"/>
4340 <affects base="0.9.7" version="0.9.7k"/>
4341 <affects base="0.9.8" version="0.9.8"/>
4342 <affects base="0.9.8" version="0.9.8a"/>
4343 <affects base="0.9.8" version="0.9.8b"/>
4344 <affects base="0.9.8" version="0.9.8c"/>
4345 <fixed base="0.9.7" version="0.9.7l" date="20060928"/>
4346 <fixed base="0.9.8" version="0.9.8d" date="20060928"/>
4348 <advisory url="/news/secadv/20060928.txt"/>
4349 <reported source="openssl"/>
4352 During the parsing of certain invalid ASN.1 structures an error
4353 condition is mishandled. This can result in an infinite loop which
4354 consumes system memory
4358 <issue public="20060928">
4359 <cve name="2006-2940"/>
4360 <affects base="0.9.7" version="0.9.7"/>
4361 <affects base="0.9.7" version="0.9.7a"/>
4362 <affects base="0.9.7" version="0.9.7b"/>
4363 <affects base="0.9.7" version="0.9.7c"/>
4364 <affects base="0.9.7" version="0.9.7d"/>
4365 <affects base="0.9.7" version="0.9.7e"/>
4366 <affects base="0.9.7" version="0.9.7f"/>
4367 <affects base="0.9.7" version="0.9.7g"/>
4368 <affects base="0.9.7" version="0.9.7h"/>
4369 <affects base="0.9.7" version="0.9.7i"/>
4370 <affects base="0.9.7" version="0.9.7j"/>
4371 <affects base="0.9.7" version="0.9.7k"/>
4372 <affects base="0.9.8" version="0.9.8"/>
4373 <affects base="0.9.8" version="0.9.8a"/>
4374 <affects base="0.9.8" version="0.9.8b"/>
4375 <affects base="0.9.8" version="0.9.8c"/>
4376 <affects base="0.9.6" version="0.9.6"/>
4377 <affects base="0.9.6" version="0.9.6a"/>
4378 <affects base="0.9.6" version="0.9.6b"/>
4379 <affects base="0.9.6" version="0.9.6c"/>
4380 <affects base="0.9.6" version="0.9.6d"/>
4381 <affects base="0.9.6" version="0.9.6e"/>
4382 <affects base="0.9.6" version="0.9.6f"/>
4383 <affects base="0.9.6" version="0.9.6g"/>
4384 <affects base="0.9.6" version="0.9.6h"/>
4385 <affects base="0.9.6" version="0.9.6i"/>
4386 <affects base="0.9.6" version="0.9.6j"/>
4387 <affects base="0.9.6" version="0.9.6k"/>
4388 <affects base="0.9.6" version="0.9.6l"/>
4389 <affects base="0.9.6" version="0.9.6m"/>
4390 <fixed base="0.9.7" version="0.9.7l" date="20060928"/>
4391 <fixed base="0.9.8" version="0.9.8d" date="20060928"/>
4393 <advisory url="/news/secadv/20060928.txt"/>
4394 <reported source="openssl"/>
4397 Certain types of public key can take disproportionate amounts of
4398 time to process. This could be used by an attacker in a denial of
4403 <issue public="20060928">
4404 <cve name="2006-3738"/>
4405 <affects base="0.9.7" version="0.9.7"/>
4406 <affects base="0.9.7" version="0.9.7a"/>
4407 <affects base="0.9.7" version="0.9.7b"/>
4408 <affects base="0.9.7" version="0.9.7c"/>
4409 <affects base="0.9.7" version="0.9.7d"/>
4410 <affects base="0.9.7" version="0.9.7e"/>
4411 <affects base="0.9.7" version="0.9.7f"/>
4412 <affects base="0.9.7" version="0.9.7g"/>
4413 <affects base="0.9.7" version="0.9.7h"/>
4414 <affects base="0.9.7" version="0.9.7i"/>
4415 <affects base="0.9.7" version="0.9.7j"/>
4416 <affects base="0.9.7" version="0.9.7k"/>
4417 <affects base="0.9.8" version="0.9.8"/>
4418 <affects base="0.9.8" version="0.9.8a"/>
4419 <affects base="0.9.8" version="0.9.8b"/>
4420 <affects base="0.9.8" version="0.9.8c"/>
4421 <affects base="0.9.6" version="0.9.6"/>
4422 <affects base="0.9.6" version="0.9.6a"/>
4423 <affects base="0.9.6" version="0.9.6b"/>
4424 <affects base="0.9.6" version="0.9.6c"/>
4425 <affects base="0.9.6" version="0.9.6d"/>
4426 <affects base="0.9.6" version="0.9.6e"/>
4427 <affects base="0.9.6" version="0.9.6f"/>
4428 <affects base="0.9.6" version="0.9.6g"/>
4429 <affects base="0.9.6" version="0.9.6h"/>
4430 <affects base="0.9.6" version="0.9.6i"/>
4431 <affects base="0.9.6" version="0.9.6j"/>
4432 <affects base="0.9.6" version="0.9.6k"/>
4433 <affects base="0.9.6" version="0.9.6l"/>
4434 <affects base="0.9.6" version="0.9.6m"/>
4435 <fixed base="0.9.7" version="0.9.7l" date="20060928"/>
4436 <fixed base="0.9.8" version="0.9.8d" date="20060928"/>
4438 <advisory url="/news/secadv/20060928.txt"/>
4439 <reported source="openssl"/>
4442 A buffer overflow was discovered in the SSL_get_shared_ciphers()
4443 utility function. An attacker could send a list of ciphers to an
4444 application that uses this function and overrun a buffer.
4448 <issue public="20060928">
4449 <cve name="2006-4343"/>
4450 <affects base="0.9.7" version="0.9.7"/>
4451 <affects base="0.9.7" version="0.9.7a"/>
4452 <affects base="0.9.7" version="0.9.7b"/>
4453 <affects base="0.9.7" version="0.9.7c"/>
4454 <affects base="0.9.7" version="0.9.7d"/>
4455 <affects base="0.9.7" version="0.9.7e"/>
4456 <affects base="0.9.7" version="0.9.7f"/>
4457 <affects base="0.9.7" version="0.9.7g"/>
4458 <affects base="0.9.7" version="0.9.7h"/>
4459 <affects base="0.9.7" version="0.9.7i"/>
4460 <affects base="0.9.7" version="0.9.7j"/>
4461 <affects base="0.9.7" version="0.9.7k"/>
4462 <affects base="0.9.8" version="0.9.8"/>
4463 <affects base="0.9.8" version="0.9.8a"/>
4464 <affects base="0.9.8" version="0.9.8b"/>
4465 <affects base="0.9.8" version="0.9.8c"/>
4466 <affects base="0.9.6" version="0.9.6"/>
4467 <affects base="0.9.6" version="0.9.6a"/>
4468 <affects base="0.9.6" version="0.9.6b"/>
4469 <affects base="0.9.6" version="0.9.6c"/>
4470 <affects base="0.9.6" version="0.9.6d"/>
4471 <affects base="0.9.6" version="0.9.6e"/>
4472 <affects base="0.9.6" version="0.9.6f"/>
4473 <affects base="0.9.6" version="0.9.6g"/>
4474 <affects base="0.9.6" version="0.9.6h"/>
4475 <affects base="0.9.6" version="0.9.6i"/>
4476 <affects base="0.9.6" version="0.9.6j"/>
4477 <affects base="0.9.6" version="0.9.6k"/>
4478 <affects base="0.9.6" version="0.9.6l"/>
4479 <affects base="0.9.6" version="0.9.6m"/>
4480 <fixed base="0.9.7" version="0.9.7l" date="20060928"/>
4481 <fixed base="0.9.8" version="0.9.8d" date="20060928"/>
4483 <advisory url="/news/secadv/20060928.txt"/>
4484 <reported source="openssl"/>
4487 A flaw in the SSLv2 client code was discovered. When a client
4488 application used OpenSSL to create an SSLv2 connection to a malicious
4489 server, that server could cause the client to crash.
4493 <issue public="20071012">
4494 <cve name="2007-4995"/>
4495 <affects base="0.9.8" version="0.9.8"/>
4496 <affects base="0.9.8" version="0.9.8a"/>
4497 <affects base="0.9.8" version="0.9.8b"/>
4498 <affects base="0.9.8" version="0.9.8c"/>
4499 <affects base="0.9.8" version="0.9.8d"/>
4500 <affects base="0.9.8" version="0.9.8e"/>
4501 <fixed base="0.9.8" version="0.9.8f" date="20071012"/>
4502 <advisory url="/news/secadv/20071012.txt"/>
4503 <reported source="Andy Polyakov"/>
4506 A flaw in DTLS support. An attacker
4507 could create a malicious client or server that could trigger a heap
4508 overflow. This is possibly exploitable to run arbitrary code, but it has
4513 <issue public="20071012">
4514 <cve name="2007-5135"/>
4515 <affects base="0.9.8" version="0.9.8"/>
4516 <affects base="0.9.8" version="0.9.8a"/>
4517 <affects base="0.9.8" version="0.9.8b"/>
4518 <affects base="0.9.8" version="0.9.8c"/>
4519 <affects base="0.9.8" version="0.9.8d"/>
4520 <affects base="0.9.8" version="0.9.8e"/>
4521 <fixed base="0.9.8" version="0.9.8f" date="20071012"/>
4522 <advisory url="/news/secadv/20071012.txt"/>
4523 <reported source="Moritz Jodeit"/>
4526 A flaw was found in the SSL_get_shared_ciphers() utility function. An
4527 attacker could send a list of ciphers to an application that used this
4528 function and overrun a buffer with a single byte. Few
4529 applications make use of this vulnerable function and generally it is used
4530 only when applications are compiled for debugging.
4534 <issue public="20071129">
4535 <cve name="2007-5502"/>
4536 <advisory url="/news/secadv/20071129.txt"/>
4537 <reported source="Geoff Lowe"/>
4540 The PRNG implementation for the OpenSSL FIPS Object Module 1.1.1 does
4541 not perform auto-seeding during the FIPS self-test, which generates
4542 random data that is more predictable than expected and makes it easier
4543 for attackers to bypass protection mechanisms that rely on the
4548 <issue public="20080528">
4549 <cve name="2008-0891"/>
4550 <affects base="0.9.8" version="0.9.8f"/>
4551 <affects base="0.9.8" version="0.9.8g"/>
4552 <fixed base="0.9.8" version="0.9.8h" date="20080528"/>
4553 <advisory url="/news/secadv/20080528.txt"/>
4554 <reported source="codenomicon"/>
4556 Testing using the Codenomicon TLS test suite discovered a flaw in the
4557 handling of server name extension data in OpenSSL 0.9.8f and OpenSSL
4558 0.9.8g. If OpenSSL has been compiled using the non-default TLS server
4559 name extensions, a remote attacker could send a carefully crafted
4560 packet to a server application using OpenSSL and cause it to crash.
4564 <issue public="20080528">
4565 <cve name="2008-1672"/>
4566 <affects base="0.9.8" version="0.9.8f"/>
4567 <affects base="0.9.8" version="0.9.8g"/>
4568 <fixed base="0.9.8" version="0.9.8h" date="20080528"/>
4569 <advisory url="/news/secadv/20080528.txt"/>
4570 <reported source="codenomicon"/>
4572 Testing using the Codenomicon TLS test suite discovered a flaw if the
4573 'Server Key exchange message' is omitted from a TLS handshake in
4574 OpenSSL 0.9.8f and OpenSSL 0.9.8g. If a client connects to a
4575 malicious server with particular cipher suites, the server could cause
4576 the client to crash.
4580 <issue public="20090107">
4581 <cve name="2008-5077"/>
4582 <affects base="0.9.8" version="0.9.8"/>
4583 <affects base="0.9.8" version="0.9.8a"/>
4584 <affects base="0.9.8" version="0.9.8b"/>
4585 <affects base="0.9.8" version="0.9.8c"/>
4586 <affects base="0.9.8" version="0.9.8d"/>
4587 <affects base="0.9.8" version="0.9.8e"/>
4588 <affects base="0.9.8" version="0.9.8f"/>
4589 <affects base="0.9.8" version="0.9.8g"/>
4590 <affects base="0.9.8" version="0.9.8h"/>
4591 <affects base="0.9.8" version="0.9.8i"/>
4592 <fixed base="0.9.8" version="0.9.8j" date="20090107"/>
4593 <advisory url="/news/secadv/20090107.txt"/>
4594 <reported source="google"/>
4597 The Google Security Team discovered several functions inside OpenSSL
4598 incorrectly checked the result after calling the EVP_VerifyFinal
4599 function, allowing a malformed signature to be treated as a good
4600 signature rather than as an error. This issue affected the signature
4601 checks on DSA and ECDSA keys used with SSL/TLS. One way to exploit
4602 this flaw would be for a remote attacker who is in control of a
4603 malicious server or who can use a 'man in the middle' attack to
4604 present a malformed SSL/TLS signature from a certificate chain to a
4605 vulnerable client, bypassing validation.
4609 <issue public="20090325">
4610 <cve name="2009-0590"/>
4611 <affects base="0.9.8" version="0.9.8"/>
4612 <affects base="0.9.8" version="0.9.8a"/>
4613 <affects base="0.9.8" version="0.9.8b"/>
4614 <affects base="0.9.8" version="0.9.8c"/>
4615 <affects base="0.9.8" version="0.9.8d"/>
4616 <affects base="0.9.8" version="0.9.8e"/>
4617 <affects base="0.9.8" version="0.9.8f"/>
4618 <affects base="0.9.8" version="0.9.8g"/>
4619 <affects base="0.9.8" version="0.9.8h"/>
4620 <affects base="0.9.8" version="0.9.8i"/>
4621 <affects base="0.9.8" version="0.9.8j"/>
4622 <fixed base="0.9.8" version="0.9.8k" date="20090325"/>
4623 <advisory url="/news/secadv/20090325.txt"/>
4625 The function ASN1_STRING_print_ex() when used to print a BMPString or
4626 UniversalString will crash with an invalid memory access if the
4627 encoded length of the string is illegal. Any OpenSSL application
4628 which prints out the contents of a certificate could be affected by
4629 this bug, including SSL servers, clients and S/MIME software.
4633 <issue public="20090325">
4634 <cve name="2009-0591"/>
4635 <affects base="0.9.8" version="0.9.8h"/>
4636 <affects base="0.9.8" version="0.9.8i"/>
4637 <affects base="0.9.8" version="0.9.8j"/>
4638 <fixed base="0.9.8" version="0.9.8k" date="20090325"/>
4639 <advisory url="/news/secadv/20090325.txt"/>
4640 <reported source="Ivan Nestlerode, IBM"/>
4642 The function CMS_verify() does not correctly handle an error condition
4643 involving malformed signed attributes. This will cause an invalid set
4644 of signed attributes to appear valid and content digests will not be
4649 <issue public="20090325">
4650 <cve name="2009-0789"/>
4651 <affects base="0.9.8" version="0.9.8"/>
4652 <affects base="0.9.8" version="0.9.8a"/>
4653 <affects base="0.9.8" version="0.9.8b"/>
4654 <affects base="0.9.8" version="0.9.8c"/>
4655 <affects base="0.9.8" version="0.9.8d"/>
4656 <affects base="0.9.8" version="0.9.8e"/>
4657 <affects base="0.9.8" version="0.9.8f"/>
4658 <affects base="0.9.8" version="0.9.8g"/>
4659 <affects base="0.9.8" version="0.9.8h"/>
4660 <affects base="0.9.8" version="0.9.8i"/>
4661 <affects base="0.9.8" version="0.9.8j"/>
4662 <fixed base="0.9.8" version="0.9.8k" date="20090325"/>
4663 <reported source="Paolo Ganci"/>
4664 <advisory url="/news/secadv/20090325.txt"/>
4666 When a malformed ASN1 structure is received it's contents are freed up and
4667 zeroed and an error condition returned. On a small number of platforms where
4668 sizeof(long) < sizeof(void *) (for example WIN64) this can cause an invalid
4669 memory access later resulting in a crash when some invalid structures are
4670 read, for example RSA public keys.
4674 <issue public="20090602">
4675 <cve name="2009-1386"/>
4676 <affects base="0.9.8" version="0.9.8"/>
4677 <affects base="0.9.8" version="0.9.8a"/>
4678 <affects base="0.9.8" version="0.9.8b"/>
4679 <affects base="0.9.8" version="0.9.8c"/>
4680 <affects base="0.9.8" version="0.9.8d"/>
4681 <affects base="0.9.8" version="0.9.8e"/>
4682 <affects base="0.9.8" version="0.9.8f"/>
4683 <affects base="0.9.8" version="0.9.8g"/>
4684 <affects base="0.9.8" version="0.9.8h"/>
4685 <fixed base="0.9.8" version="0.9.8i" date="20080915"/>
4686 <reported source="Alex Lam"/>
4688 Fix a NULL pointer dereference if a DTLS server recieved
4689 ChangeCipherSpec as first record.
4690 A remote attacker could use this flaw to cause a DTLS server to crash
4694 <issue public="20091105">
4695 <cve name="2009-3555"/>
4696 <affects base="0.9.8" version="0.9.8"/>
4697 <affects base="0.9.8" version="0.9.8a"/>
4698 <affects base="0.9.8" version="0.9.8b"/>
4699 <affects base="0.9.8" version="0.9.8c"/>
4700 <affects base="0.9.8" version="0.9.8d"/>
4701 <affects base="0.9.8" version="0.9.8e"/>
4702 <affects base="0.9.8" version="0.9.8f"/>
4703 <affects base="0.9.8" version="0.9.8g"/>
4704 <affects base="0.9.8" version="0.9.8h"/>
4705 <affects base="0.9.8" version="0.9.8i"/>
4706 <affects base="0.9.8" version="0.9.8j"/>
4707 <affects base="0.9.8" version="0.9.8k"/>
4708 <affects base="0.9.8" version="0.9.8l"/>
4709 <fixed base="0.9.8" version="0.9.8m" date="20100120"/>
4710 <advisory url="/news/secadv/20091111.txt"/>
4712 Implement RFC5746 to address vulnerabilities in SSL/TLS renegotiation.
4716 <issue public="20090205">
4717 <cve name="2009-1387"/>
4718 <affects base="0.9.8" version="0.9.8"/>
4719 <affects base="0.9.8" version="0.9.8a"/>
4720 <affects base="0.9.8" version="0.9.8b"/>
4721 <affects base="0.9.8" version="0.9.8c"/>
4722 <affects base="0.9.8" version="0.9.8d"/>
4723 <affects base="0.9.8" version="0.9.8e"/>
4724 <affects base="0.9.8" version="0.9.8f"/>
4725 <affects base="0.9.8" version="0.9.8g"/>
4726 <affects base="0.9.8" version="0.9.8h"/>
4727 <affects base="0.9.8" version="0.9.8i"/>
4728 <affects base="0.9.8" version="0.9.8j"/>
4729 <affects base="0.9.8" version="0.9.8k"/>
4730 <affects base="0.9.8" version="0.9.8l"/>
4731 <fixed base="0.9.8" version="0.9.8m" date="20100120"/>
4732 <reported source="Robin Seggelmann"/>
4734 Fix denial of service flaw due in the DTLS implementation. A
4735 remote attacker could use this flaw to cause a DTLS server to crash.
4739 <issue public="20090512">
4740 <cve name="2009-1377"/>
4741 <cve name="2009-1378"/>
4742 <cve name="2009-1379"/>
4743 <affects base="0.9.8" version="0.9.8"/>
4744 <affects base="0.9.8" version="0.9.8a"/>
4745 <affects base="0.9.8" version="0.9.8b"/>
4746 <affects base="0.9.8" version="0.9.8c"/>
4747 <affects base="0.9.8" version="0.9.8d"/>
4748 <affects base="0.9.8" version="0.9.8e"/>
4749 <affects base="0.9.8" version="0.9.8f"/>
4750 <affects base="0.9.8" version="0.9.8g"/>
4751 <affects base="0.9.8" version="0.9.8h"/>
4752 <affects base="0.9.8" version="0.9.8i"/>
4753 <affects base="0.9.8" version="0.9.8j"/>
4754 <affects base="0.9.8" version="0.9.8k"/>
4755 <affects base="0.9.8" version="0.9.8l"/>
4756 <fixed base="0.9.8" version="0.9.8m" date="20100120"/>
4757 <reported source="Daniel Mentz, Robin Seggelmann"/>
4759 Fix denial of service flaws in the DTLS implementation. A
4760 remote attacker could use these flaws to cause a DTLS server to use
4761 excessive amounts of memory, or crash.
4765 <issue public="20100113">
4766 <cve name="2009-4355"/>
4767 <affects base="0.9.8" version="0.9.8"/>
4768 <affects base="0.9.8" version="0.9.8a"/>
4769 <affects base="0.9.8" version="0.9.8b"/>
4770 <affects base="0.9.8" version="0.9.8c"/>
4771 <affects base="0.9.8" version="0.9.8d"/>
4772 <affects base="0.9.8" version="0.9.8e"/>
4773 <affects base="0.9.8" version="0.9.8f"/>
4774 <affects base="0.9.8" version="0.9.8g"/>
4775 <affects base="0.9.8" version="0.9.8h"/>
4776 <affects base="0.9.8" version="0.9.8i"/>
4777 <affects base="0.9.8" version="0.9.8j"/>
4778 <affects base="0.9.8" version="0.9.8k"/>
4779 <affects base="0.9.8" version="0.9.8l"/>
4780 <fixed base="0.9.8" version="0.9.8m" date="20100120"/>
4781 <reported source="Michael K Johnson and Andy Grimm (rPath)"/>
4783 A memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c
4784 allows remote attackers to cause a denial of service
4785 via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data
4790 <issue public="20100223">
4791 <cve name="2009-3245"/>
4792 <affects base="0.9.8" version="0.9.8"/>
4793 <affects base="0.9.8" version="0.9.8a"/>
4794 <affects base="0.9.8" version="0.9.8b"/>
4795 <affects base="0.9.8" version="0.9.8c"/>
4796 <affects base="0.9.8" version="0.9.8d"/>
4797 <affects base="0.9.8" version="0.9.8e"/>
4798 <affects base="0.9.8" version="0.9.8f"/>
4799 <affects base="0.9.8" version="0.9.8g"/>
4800 <affects base="0.9.8" version="0.9.8h"/>
4801 <affects base="0.9.8" version="0.9.8i"/>
4802 <affects base="0.9.8" version="0.9.8j"/>
4803 <affects base="0.9.8" version="0.9.8k"/>
4804 <affects base="0.9.8" version="0.9.8l"/>
4805 <fixed base="0.9.8" version="0.9.8m" date="20100120"/>
4806 <reported source="Martin Olsson, Neel Mehta"/>
4808 It was discovered that OpenSSL did not always check the return value of the
4809 bn_wexpand() function. An attacker able to trigger a memory allocation failure
4810 in that function could cause an application using the OpenSSL library to crash
4811 or, possibly, execute arbitrary code
4815 <issue public="20100119">
4816 <cve name="2010-0433"/>
4817 <affects base="0.9.8" version="0.9.8"/>
4818 <affects base="0.9.8" version="0.9.8a"/>
4819 <affects base="0.9.8" version="0.9.8b"/>
4820 <affects base="0.9.8" version="0.9.8c"/>
4821 <affects base="0.9.8" version="0.9.8d"/>
4822 <affects base="0.9.8" version="0.9.8e"/>
4823 <affects base="0.9.8" version="0.9.8f"/>
4824 <affects base="0.9.8" version="0.9.8g"/>
4825 <affects base="0.9.8" version="0.9.8h"/>
4826 <affects base="0.9.8" version="0.9.8i"/>
4827 <affects base="0.9.8" version="0.9.8j"/>
4828 <affects base="0.9.8" version="0.9.8k"/>
4829 <affects base="0.9.8" version="0.9.8l"/>
4830 <affects base="0.9.8" version="0.9.8m"/>
4831 <fixed base="0.9.8" version="0.9.8n" date="20100324"/>
4832 <reported source="Todd Rinaldo, Tomas Hoger (Red Hat)"/>
4834 A missing return value check flaw was discovered in OpenSSL, that could
4835 possibly cause OpenSSL to call a Kerberos library function with invalid
4836 arguments, resulting in a NULL pointer dereference crash in the MIT
4837 Kerberos library. In certain configurations, a remote attacker could use
4838 this flaw to crash a TLS/SSL server using OpenSSL by requesting Kerberos
4839 cipher suites during the TLS handshake
4843 <issue public="20100324">
4844 <cve name="2010-0740"/>
4845 <affects base="0.9.8" version="0.9.8f"/>
4846 <affects base="0.9.8" version="0.9.8g"/>
4847 <affects base="0.9.8" version="0.9.8h"/>
4848 <affects base="0.9.8" version="0.9.8i"/>
4849 <affects base="0.9.8" version="0.9.8j"/>
4850 <affects base="0.9.8" version="0.9.8k"/>
4851 <affects base="0.9.8" version="0.9.8l"/>
4852 <affects base="0.9.8" version="0.9.8m"/>
4853 <fixed base="0.9.8" version="0.9.8n" date="20100324"/>
4854 <advisory url="/news/secadv/20100324.txt"/>
4855 <reported source="Bodo Moeller and Adam Langley (Google)"/>
4857 In TLS connections, certain incorrectly formatted records can cause an
4858 OpenSSL client or server to crash due to a read attempt at NULL.
4862 <issue public="20100601">
4863 <cve name="2010-0742"/>
4864 <affects base="1.0.0" version="1.0.0"/>
4865 <affects base="0.9.8" version="0.9.8h"/>
4866 <affects base="0.9.8" version="0.9.8i"/>
4867 <affects base="0.9.8" version="0.9.8j"/>
4868 <affects base="0.9.8" version="0.9.8k"/>
4869 <affects base="0.9.8" version="0.9.8l"/>
4870 <affects base="0.9.8" version="0.9.8m"/>
4871 <affects base="0.9.8" version="0.9.8n"/>
4872 <fixed base="0.9.8" version="0.9.8o" date="20100601"/>
4873 <fixed base="1.0.0" version="1.0.0a" date="20100601"/>
4874 <advisory url="/news/secadv/20100601.txt"/>
4875 <reported source="Ronald Moesbergen"/>
4877 A flaw in the handling of CMS structures containing OriginatorInfo was found which
4878 could lead to a write to invalid memory address or double free. CMS support is
4879 disabled by default in OpenSSL 0.9.8 versions.
4883 <issue public="20100601">
4884 <cve name="2010-1633"/>
4885 <affects base="1.0.0" version="1.0.0"/>
4886 <fixed base="1.0.0" version="1.0.0a" date="20100601"/>
4887 <advisory url="/news/secadv/20100601.txt"/>
4888 <reported source="Peter-Michael Hager"/>
4890 An invalid Return value check in pkey_rsa_verifyrecover was
4891 discovered. When verification recovery fails for RSA keys an
4892 uninitialised buffer with an undefined length is returned instead of
4893 an error code. This could lead to an information leak.
4897 <issue public="20101116">
4898 <cve name="2010-3864"/>
4899 <affects base="0.9.8" version="0.9.8"/>
4900 <affects base="0.9.8" version="0.9.8a"/>
4901 <affects base="0.9.8" version="0.9.8b"/>
4902 <affects base="0.9.8" version="0.9.8c"/>
4903 <affects base="0.9.8" version="0.9.8d"/>
4904 <affects base="0.9.8" version="0.9.8e"/>
4905 <affects base="0.9.8" version="0.9.8f"/>
4906 <affects base="0.9.8" version="0.9.8g"/>
4907 <affects base="0.9.8" version="0.9.8h"/>
4908 <affects base="0.9.8" version="0.9.8i"/>
4909 <affects base="0.9.8" version="0.9.8j"/>
4910 <affects base="0.9.8" version="0.9.8k"/>
4911 <affects base="0.9.8" version="0.9.8l"/>
4912 <affects base="0.9.8" version="0.9.8m"/>
4913 <affects base="0.9.8" version="0.9.8n"/>
4914 <affects base="0.9.8" version="0.9.8o"/>
4915 <affects base="1.0.0" version="1.0.0"/>
4916 <affects base="1.0.0" version="1.0.0a"/>
4917 <fixed base="1.0.0" version="1.0.0b" date="20101116"/>
4918 <fixed base="0.9.8" version="0.9.8p" date="20101116"/>
4919 <advisory url="/news/secadv/20101116.txt"/>
4920 <reported source="Rob Hulswit"/>
4923 A flaw in the OpenSSL TLS server extension code parsing which on
4924 affected servers can be exploited in a buffer overrun attack. Any
4925 OpenSSL based TLS server is vulnerable if it is multi-threaded and
4926 uses OpenSSL's internal caching mechanism. Servers that are
4927 multi-process and/or disable internal session caching are NOT
4933 <issue public="20101202">
4934 <cve name="2010-4252"/>
4935 <affects base="1.0.0" version="1.0.0"/>
4936 <affects base="1.0.0" version="1.0.0a"/>
4937 <affects base="1.0.0" version="1.0.0b"/>
4938 <fixed base="1.0.0" version="1.0.0c" date="20101202"/>
4939 <advisory url="/news/secadv/20101202.txt"/>
4940 <reported source="Sebastian Martini"/>
4942 An error in OpenSSL's experimental J-PAKE implementation which could
4943 lead to successful validation by someone with no knowledge of the
4944 shared secret. The OpenSSL Team still consider the implementation of
4945 J-PAKE to be experimental and is not compiled by default.
4949 <issue public="20101202">
4950 <cve name="2010-4180"/>
4951 <affects base="0.9.8" version="0.9.8"/>
4952 <affects base="0.9.8" version="0.9.8a"/>
4953 <affects base="0.9.8" version="0.9.8b"/>
4954 <affects base="0.9.8" version="0.9.8c"/>
4955 <affects base="0.9.8" version="0.9.8d"/>
4956 <affects base="0.9.8" version="0.9.8e"/>
4957 <affects base="0.9.8" version="0.9.8f"/>
4958 <affects base="0.9.8" version="0.9.8g"/>
4959 <affects base="0.9.8" version="0.9.8h"/>
4960 <affects base="0.9.8" version="0.9.8i"/>
4961 <affects base="0.9.8" version="0.9.8j"/>
4962 <affects base="0.9.8" version="0.9.8k"/>
4963 <affects base="0.9.8" version="0.9.8l"/>
4964 <affects base="0.9.8" version="0.9.8m"/>
4965 <affects base="0.9.8" version="0.9.8n"/>
4966 <affects base="0.9.8" version="0.9.8o"/>
4967 <affects base="0.9.8" version="0.9.8p"/>
4968 <affects base="1.0.0" version="1.0.0"/>
4969 <affects base="1.0.0" version="1.0.0a"/>
4970 <affects base="1.0.0" version="1.0.0b"/>
4971 <fixed base="1.0.0" version="1.0.0c" date="20101202"/>
4972 <fixed base="0.9.8" version="0.9.8q" date="20101202"/>
4973 <advisory url="/news/secadv/20101202.txt"/>
4974 <reported source="Martin Rex"/>
4976 A flaw in the OpenSSL SSL/TLS server code where an old bug workaround
4977 allows malicious clients to modify the stored session cache
4978 ciphersuite. In some cases the ciphersuite can be downgraded to a
4979 weaker one on subsequent connections. This issue only affects OpenSSL
4980 based SSL/TLS server if it uses OpenSSL's internal caching mechanisms
4981 and the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG flag (many
4982 applications enable this by using the SSL_OP_ALL option).
4986 <issue public="20110906">
4987 <cve name="2011-3207"/>
4988 <affects base="1.0.0" version="1.0.0"/>
4989 <affects base="1.0.0" version="1.0.0a"/>
4990 <affects base="1.0.0" version="1.0.0b"/>
4991 <affects base="1.0.0" version="1.0.0c"/>
4992 <affects base="1.0.0" version="1.0.0d"/>
4993 <fixed base="1.0.0" version="1.0.0e" date="20110906"/>
4994 <advisory url="/news/secadv/20110906.txt"/>
4995 <reported source="Kaspar Brand"/>
4997 Under certain circumstances OpenSSL's internal certificate
4998 verification routines can incorrectly accept a CRL whose nextUpdate
4999 field is in the past. Applications are only affected by the CRL
5000 checking vulnerability if they enable OpenSSL's internal CRL checking
5001 which is off by default. Applications which use their own custom CRL
5002 checking (such as Apache) are not affected.
5006 <issue public="20110906">
5007 <cve name="2011-3210"/>
5008 <affects base="0.9.8" version="0.9.8"/>
5009 <affects base="0.9.8" version="0.9.8a"/>
5010 <affects base="0.9.8" version="0.9.8b"/>
5011 <affects base="0.9.8" version="0.9.8c"/>
5012 <affects base="0.9.8" version="0.9.8d"/>
5013 <affects base="0.9.8" version="0.9.8e"/>
5014 <affects base="0.9.8" version="0.9.8f"/>
5015 <affects base="0.9.8" version="0.9.8g"/>
5016 <affects base="0.9.8" version="0.9.8h"/>
5017 <affects base="0.9.8" version="0.9.8i"/>
5018 <affects base="0.9.8" version="0.9.8j"/>
5019 <affects base="0.9.8" version="0.9.8k"/>
5020 <affects base="0.9.8" version="0.9.8l"/>
5021 <affects base="0.9.8" version="0.9.8m"/>
5022 <affects base="0.9.8" version="0.9.8n"/>
5023 <affects base="0.9.8" version="0.9.8o"/>
5024 <affects base="0.9.8" version="0.9.8p"/>
5025 <affects base="0.9.8" version="0.9.8q"/>
5026 <affects base="0.9.8" version="0.9.8r"/>
5027 <affects base="1.0.0" version="1.0.0"/>
5028 <affects base="1.0.0" version="1.0.0a"/>
5029 <affects base="1.0.0" version="1.0.0b"/>
5030 <affects base="1.0.0" version="1.0.0c"/>
5031 <affects base="1.0.0" version="1.0.0d"/>
5032 <fixed base="1.0.0" version="1.0.0e" date="20110906"/>
5033 <advisory url="/news/secadv/20110906.txt"/>
5034 <reported source="Adam Langley"/>
5036 OpenSSL server code for ephemeral ECDH ciphersuites is not
5037 thread-safe, and furthermore can crash if a client violates the
5038 protocol by sending handshake messages in incorrect order. Only
5039 server-side applications that specifically support ephemeral ECDH
5040 ciphersuites are affected, and only if ephemeral ECDH ciphersuites are
5041 enabled in the configuration.
5045 <issue public="20120104">
5046 <cve name="2011-4108"/>
5047 <affects base="0.9.8" version="0.9.8"/>
5048 <affects base="0.9.8" version="0.9.8a"/>
5049 <affects base="0.9.8" version="0.9.8b"/>
5050 <affects base="0.9.8" version="0.9.8c"/>
5051 <affects base="0.9.8" version="0.9.8d"/>
5052 <affects base="0.9.8" version="0.9.8e"/>
5053 <affects base="0.9.8" version="0.9.8f"/>
5054 <affects base="0.9.8" version="0.9.8g"/>
5055 <affects base="0.9.8" version="0.9.8h"/>
5056 <affects base="0.9.8" version="0.9.8i"/>
5057 <affects base="0.9.8" version="0.9.8j"/>
5058 <affects base="0.9.8" version="0.9.8k"/>
5059 <affects base="0.9.8" version="0.9.8l"/>
5060 <affects base="0.9.8" version="0.9.8m"/>
5061 <affects base="0.9.8" version="0.9.8n"/>
5062 <affects base="0.9.8" version="0.9.8o"/>
5063 <affects base="0.9.8" version="0.9.8p"/>
5064 <affects base="0.9.8" version="0.9.8q"/>
5065 <affects base="0.9.8" version="0.9.8r"/>
5066 <affects base="1.0.0" version="1.0.0"/>
5067 <affects base="1.0.0" version="1.0.0a"/>
5068 <affects base="1.0.0" version="1.0.0b"/>
5069 <affects base="1.0.0" version="1.0.0c"/>
5070 <affects base="1.0.0" version="1.0.0d"/>
5071 <affects base="1.0.0" version="1.0.0e"/>
5072 <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
5073 <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
5074 <advisory url="/news/secadv/20120104.txt"/>
5075 <reported source="Nadhem Alfardan and Kenny Paterson"/>
5077 OpenSSL was susceptable an extension of the
5078 Vaudenay padding oracle attack on CBC mode encryption which enables an
5079 efficient plaintext recovery attack against the OpenSSL implementation
5080 of DTLS by exploiting timing differences arising during
5081 decryption processing.
5085 <issue public="20120104">
5086 <cve name="2011-4109"/>
5087 <affects base="0.9.8" version="0.9.8"/>
5088 <affects base="0.9.8" version="0.9.8a"/>
5089 <affects base="0.9.8" version="0.9.8b"/>
5090 <affects base="0.9.8" version="0.9.8c"/>
5091 <affects base="0.9.8" version="0.9.8d"/>
5092 <affects base="0.9.8" version="0.9.8e"/>
5093 <affects base="0.9.8" version="0.9.8f"/>
5094 <affects base="0.9.8" version="0.9.8g"/>
5095 <affects base="0.9.8" version="0.9.8h"/>
5096 <affects base="0.9.8" version="0.9.8i"/>
5097 <affects base="0.9.8" version="0.9.8j"/>
5098 <affects base="0.9.8" version="0.9.8k"/>
5099 <affects base="0.9.8" version="0.9.8l"/>
5100 <affects base="0.9.8" version="0.9.8m"/>
5101 <affects base="0.9.8" version="0.9.8n"/>
5102 <affects base="0.9.8" version="0.9.8o"/>
5103 <affects base="0.9.8" version="0.9.8p"/>
5104 <affects base="0.9.8" version="0.9.8q"/>
5105 <affects base="0.9.8" version="0.9.8r"/>
5106 <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
5107 <advisory url="/news/secadv/20120104.txt"/>
5108 <reported source="Ben Laurie"/>
5110 If X509_V_FLAG_POLICY_CHECK is set in OpenSSL 0.9.8, then a policy
5111 check failure can lead to a double-free. The bug does not occur
5112 unless this flag is set. Users of OpenSSL 1.0.0 are not affected
5116 <issue public="20120104">
5117 <cve name="2011-4576"/>
5118 <affects base="0.9.8" version="0.9.8"/>
5119 <affects base="0.9.8" version="0.9.8a"/>
5120 <affects base="0.9.8" version="0.9.8b"/>
5121 <affects base="0.9.8" version="0.9.8c"/>
5122 <affects base="0.9.8" version="0.9.8d"/>
5123 <affects base="0.9.8" version="0.9.8e"/>
5124 <affects base="0.9.8" version="0.9.8f"/>
5125 <affects base="0.9.8" version="0.9.8g"/>
5126 <affects base="0.9.8" version="0.9.8h"/>
5127 <affects base="0.9.8" version="0.9.8i"/>
5128 <affects base="0.9.8" version="0.9.8j"/>
5129 <affects base="0.9.8" version="0.9.8k"/>
5130 <affects base="0.9.8" version="0.9.8l"/>
5131 <affects base="0.9.8" version="0.9.8m"/>
5132 <affects base="0.9.8" version="0.9.8n"/>
5133 <affects base="0.9.8" version="0.9.8o"/>
5134 <affects base="0.9.8" version="0.9.8p"/>
5135 <affects base="0.9.8" version="0.9.8q"/>
5136 <affects base="0.9.8" version="0.9.8r"/>
5137 <affects base="1.0.0" version="1.0.0"/>
5138 <affects base="1.0.0" version="1.0.0a"/>
5139 <affects base="1.0.0" version="1.0.0b"/>
5140 <affects base="1.0.0" version="1.0.0c"/>
5141 <affects base="1.0.0" version="1.0.0d"/>
5142 <affects base="1.0.0" version="1.0.0e"/>
5143 <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
5144 <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
5145 <advisory url="/news/secadv/20120104.txt"/>
5146 <reported source="Adam Langley"/>
5148 OpenSSL failed to clear the bytes used as
5149 block cipher padding in SSL 3.0 records which could leak
5150 the contents of memory in some circumstances.
5154 <issue public="20120104">
5155 <cve name="2011-4577"/>
5156 <affects base="0.9.8" version="0.9.8"/>
5157 <affects base="0.9.8" version="0.9.8a"/>
5158 <affects base="0.9.8" version="0.9.8b"/>
5159 <affects base="0.9.8" version="0.9.8c"/>
5160 <affects base="0.9.8" version="0.9.8d"/>
5161 <affects base="0.9.8" version="0.9.8e"/>
5162 <affects base="0.9.8" version="0.9.8f"/>
5163 <affects base="0.9.8" version="0.9.8g"/>
5164 <affects base="0.9.8" version="0.9.8h"/>
5165 <affects base="0.9.8" version="0.9.8i"/>
5166 <affects base="0.9.8" version="0.9.8j"/>
5167 <affects base="0.9.8" version="0.9.8k"/>
5168 <affects base="0.9.8" version="0.9.8l"/>
5169 <affects base="0.9.8" version="0.9.8m"/>
5170 <affects base="0.9.8" version="0.9.8n"/>
5171 <affects base="0.9.8" version="0.9.8o"/>
5172 <affects base="0.9.8" version="0.9.8p"/>
5173 <affects base="0.9.8" version="0.9.8q"/>
5174 <affects base="0.9.8" version="0.9.8r"/>
5175 <affects base="1.0.0" version="1.0.0"/>
5176 <affects base="1.0.0" version="1.0.0a"/>
5177 <affects base="1.0.0" version="1.0.0b"/>
5178 <affects base="1.0.0" version="1.0.0c"/>
5179 <affects base="1.0.0" version="1.0.0d"/>
5180 <affects base="1.0.0" version="1.0.0e"/>
5181 <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
5182 <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
5183 <advisory url="/news/secadv/20120104.txt"/>
5184 <reported source="Andrew Chi"/>
5186 RFC 3779 data can be included in certificates, and if it is malformed,
5187 may trigger an assertion failure. This could be used in a
5188 denial-of-service attack. Builds of OpenSSL are only vulnerable if configured with
5189 "enable-rfc3779", which is not a default.
5193 <issue public="20120104">
5194 <cve name="2011-4619"/>
5195 <affects base="0.9.8" version="0.9.8"/>
5196 <affects base="0.9.8" version="0.9.8a"/>
5197 <affects base="0.9.8" version="0.9.8b"/>
5198 <affects base="0.9.8" version="0.9.8c"/>
5199 <affects base="0.9.8" version="0.9.8d"/>
5200 <affects base="0.9.8" version="0.9.8e"/>
5201 <affects base="0.9.8" version="0.9.8f"/>
5202 <affects base="0.9.8" version="0.9.8g"/>
5203 <affects base="0.9.8" version="0.9.8h"/>
5204 <affects base="0.9.8" version="0.9.8i"/>
5205 <affects base="0.9.8" version="0.9.8j"/>
5206 <affects base="0.9.8" version="0.9.8k"/>
5207 <affects base="0.9.8" version="0.9.8l"/>
5208 <affects base="0.9.8" version="0.9.8m"/>
5209 <affects base="0.9.8" version="0.9.8n"/>
5210 <affects base="0.9.8" version="0.9.8o"/>
5211 <affects base="0.9.8" version="0.9.8p"/>
5212 <affects base="0.9.8" version="0.9.8q"/>
5213 <affects base="0.9.8" version="0.9.8r"/>
5214 <affects base="1.0.0" version="1.0.0"/>
5215 <affects base="1.0.0" version="1.0.0a"/>
5216 <affects base="1.0.0" version="1.0.0b"/>
5217 <affects base="1.0.0" version="1.0.0c"/>
5218 <affects base="1.0.0" version="1.0.0d"/>
5219 <affects base="1.0.0" version="1.0.0e"/>
5220 <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
5221 <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
5222 <advisory url="/news/secadv/20120104.txt"/>
5223 <reported source="George Kadianakis"/>
5225 Support for handshake restarts for server gated cryptograpy (SGC) can
5226 be used in a denial-of-service attack.
5230 <issue public="20120104">
5231 <cve name="2012-0027"/>
5232 <affects base="1.0.0" version="1.0.0"/>
5233 <affects base="1.0.0" version="1.0.0a"/>
5234 <affects base="1.0.0" version="1.0.0b"/>
5235 <affects base="1.0.0" version="1.0.0c"/>
5236 <affects base="1.0.0" version="1.0.0d"/>
5237 <affects base="1.0.0" version="1.0.0e"/>
5238 <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
5239 <advisory url="/news/secadv/20120104.txt"/>
5240 <reported source="Andrey Kulikov"/>
5242 A malicious TLS client can send an invalid set of GOST parameters
5243 which will cause the server to crash due to lack of error checking.
5244 This could be used in a denial-of-service attack.
5245 Only users of the OpenSSL GOST ENGINE are affected by this bug.
5249 <issue public="20120104">
5250 <cve name="2012-0050"/>
5251 <affects base="0.9.8" version="0.9.8s"/>
5252 <affects base="1.0.0" version="1.0.0f"/>
5253 <fixed base="1.0.0" version="1.0.0g" date="20120118"/>
5254 <fixed base="0.9.8" version="0.9.8t" date="20120118"/>
5255 <advisory url="/news/secadv/20120118.txt"/>
5256 <reported source="Antonio Martin"/>
5258 A flaw in the fix to CVE-2011-4108 can be exploited in a denial of
5259 service attack. Only DTLS applications are affected.
5263 <issue public="20120312">
5264 <cve name="2012-0884"/>
5265 <affects base="0.9.8" version="0.9.8"/>
5266 <affects base="0.9.8" version="0.9.8a"/>
5267 <affects base="0.9.8" version="0.9.8b"/>
5268 <affects base="0.9.8" version="0.9.8c"/>
5269 <affects base="0.9.8" version="0.9.8d"/>
5270 <affects base="0.9.8" version="0.9.8e"/>
5271 <affects base="0.9.8" version="0.9.8f"/>
5272 <affects base="0.9.8" version="0.9.8g"/>
5273 <affects base="0.9.8" version="0.9.8h"/>
5274 <affects base="0.9.8" version="0.9.8i"/>
5275 <affects base="0.9.8" version="0.9.8j"/>
5276 <affects base="0.9.8" version="0.9.8k"/>
5277 <affects base="0.9.8" version="0.9.8l"/>
5278 <affects base="0.9.8" version="0.9.8m"/>
5279 <affects base="0.9.8" version="0.9.8n"/>
5280 <affects base="0.9.8" version="0.9.8o"/>
5281 <affects base="0.9.8" version="0.9.8p"/>
5282 <affects base="0.9.8" version="0.9.8q"/>
5283 <affects base="0.9.8" version="0.9.8r"/>
5284 <affects base="0.9.8" version="0.9.8s"/>
5285 <affects base="0.9.8" version="0.9.8t"/>
5286 <affects base="1.0.0" version="1.0.0"/>
5287 <affects base="1.0.0" version="1.0.0a"/>
5288 <affects base="1.0.0" version="1.0.0b"/>
5289 <affects base="1.0.0" version="1.0.0c"/>
5290 <affects base="1.0.0" version="1.0.0d"/>
5291 <affects base="1.0.0" version="1.0.0e"/>
5292 <affects base="1.0.0" version="1.0.0f"/>
5293 <affects base="1.0.0" version="1.0.0g"/>
5294 <fixed base="1.0.0" version="1.0.0h" date="20120312"/>
5295 <fixed base="0.9.8" version="0.9.8u" date="20120312"/>
5296 <advisory url="/news/secadv/20120312.txt"/>
5297 <reported source="Ivan Nestlerode"/>
5299 A weakness in the OpenSSL CMS and PKCS #7 code can be exploited
5300 using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
5301 also known as the million message attack (MMA).
5302 Only users of CMS, PKCS #7, or S/MIME decryption operations are affected,
5303 SSL/TLS applications are not affected by this issue.
5308 <issue public="20110208">
5309 <cve name="2011-0014"/>
5310 <affects base="0.9.8" version="0.9.8h"/>
5311 <affects base="0.9.8" version="0.9.8i"/>
5312 <affects base="0.9.8" version="0.9.8j"/>
5313 <affects base="0.9.8" version="0.9.8k"/>
5314 <affects base="0.9.8" version="0.9.8l"/>
5315 <affects base="0.9.8" version="0.9.8m"/>
5316 <affects base="0.9.8" version="0.9.8n"/>
5317 <affects base="0.9.8" version="0.9.8o"/>
5318 <affects base="0.9.8" version="0.9.8p"/>
5319 <affects base="0.9.8" version="0.9.8q"/>
5320 <affects base="1.0.0" version="1.0.0"/>
5321 <affects base="1.0.0" version="1.0.0a"/>
5322 <affects base="1.0.0" version="1.0.0b"/>
5323 <affects base="1.0.0" version="1.0.0c"/>
5324 <fixed base="1.0.0" version="1.0.0d" date="20110208"/>
5325 <fixed base="0.9.8" version="0.9.8r" date="20110208"/>
5326 <advisory url="/news/secadv/20110208.txt"/>
5327 <reported source="Neel Mehta"/>
5329 A buffer over-read flaw was discovered in the way OpenSSL parsed the
5330 Certificate Status Request TLS extensions in ClientHello TLS handshake
5331 messages. A remote attacker could possibly use this flaw to crash an SSL
5332 server using the affected OpenSSL functionality.
5336 <issue public="20120424">
5337 <cve name="2012-2131"/>
5338 <affects base="0.9.8" version="0.9.8v"/>
5339 <fixed base="0.9.8" version="0.9.8w" date="20120424"/>
5340 <advisory url="/news/secadv/20120424.txt"/>
5341 <reported source="Red Hat"/>
5343 It was discovered that the fix for CVE-2012-2110 released on 19 Apr
5344 2012 was not sufficient to correct the issue for OpenSSL 0.9.8. This
5345 issue only affects OpenSSL 0.9.8v. OpenSSL 1.0.1a and 1.0.0i already
5346 contain a patch sufficient to correct CVE-2012-2110.
5351 <issue public="20120419">
5352 <cve name="2012-2110"/>
5353 <affects base="0.9.8" version="0.9.8"/>
5354 <affects base="0.9.8" version="0.9.8a"/>
5355 <affects base="0.9.8" version="0.9.8b"/>
5356 <affects base="0.9.8" version="0.9.8c"/>
5357 <affects base="0.9.8" version="0.9.8d"/>
5358 <affects base="0.9.8" version="0.9.8e"/>
5359 <affects base="0.9.8" version="0.9.8f"/>
5360 <affects base="0.9.8" version="0.9.8g"/>
5361 <affects base="0.9.8" version="0.9.8h"/>
5362 <affects base="0.9.8" version="0.9.8i"/>
5363 <affects base="0.9.8" version="0.9.8j"/>
5364 <affects base="0.9.8" version="0.9.8k"/>
5365 <affects base="0.9.8" version="0.9.8l"/>
5366 <affects base="0.9.8" version="0.9.8m"/>
5367 <affects base="0.9.8" version="0.9.8n"/>
5368 <affects base="0.9.8" version="0.9.8o"/>
5369 <affects base="0.9.8" version="0.9.8p"/>
5370 <affects base="0.9.8" version="0.9.8q"/>
5371 <affects base="0.9.8" version="0.9.8r"/>
5372 <affects base="0.9.8" version="0.9.8s"/>
5373 <affects base="0.9.8" version="0.9.8t"/>
5374 <affects base="0.9.8" version="0.9.8u"/>
5375 <affects base="1.0.0" version="1.0.0"/>
5376 <affects base="1.0.0" version="1.0.0a"/>
5377 <affects base="1.0.0" version="1.0.0b"/>
5378 <affects base="1.0.0" version="1.0.0c"/>
5379 <affects base="1.0.0" version="1.0.0d"/>
5380 <affects base="1.0.0" version="1.0.0e"/>
5381 <affects base="1.0.0" version="1.0.0f"/>
5382 <affects base="1.0.0" version="1.0.0g"/>
5383 <affects base="1.0.1" version="1.0.1"/>
5384 <fixed base="1.0.1" version="1.0.1a" date="20120419"/>
5385 <fixed base="1.0.0" version="1.0.0i" date="20120419"/>
5386 <fixed base="0.9.8" version="0.9.8v" date="20120419"/>
5387 <advisory url="/news/secadv/20120419.txt"/>
5388 <reported source="Tavis Ormandy"/>
5390 Multiple numeric conversion errors, leading to a buffer overflow, were
5391 found in the way OpenSSL parsed ASN.1 (Abstract Syntax Notation One) data
5392 from BIO (OpenSSL's I/O abstraction) inputs. Specially-crafted DER
5393 (Distinguished Encoding Rules) encoded data read from a file or other BIO
5394 input could cause an application using the OpenSSL library to crash or,
5395 potentially, execute arbitrary code.
5399 <issue public="20120510">
5400 <cve name="2012-2333"/>
5401 <affects base="0.9.8" version="0.9.8"/>
5402 <affects base="0.9.8" version="0.9.8a"/>
5403 <affects base="0.9.8" version="0.9.8b"/>
5404 <affects base="0.9.8" version="0.9.8c"/>
5405 <affects base="0.9.8" version="0.9.8d"/>
5406 <affects base="0.9.8" version="0.9.8e"/>
5407 <affects base="0.9.8" version="0.9.8f"/>
5408 <affects base="0.9.8" version="0.9.8g"/>
5409 <affects base="0.9.8" version="0.9.8h"/>
5410 <affects base="0.9.8" version="0.9.8i"/>
5411 <affects base="0.9.8" version="0.9.8j"/>
5412 <affects base="0.9.8" version="0.9.8k"/>
5413 <affects base="0.9.8" version="0.9.8l"/>
5414 <affects base="0.9.8" version="0.9.8m"/>
5415 <affects base="0.9.8" version="0.9.8n"/>
5416 <affects base="0.9.8" version="0.9.8o"/>
5417 <affects base="0.9.8" version="0.9.8p"/>
5418 <affects base="0.9.8" version="0.9.8q"/>
5419 <affects base="0.9.8" version="0.9.8r"/>
5420 <affects base="0.9.8" version="0.9.8s"/>
5421 <affects base="0.9.8" version="0.9.8t"/>
5422 <affects base="0.9.8" version="0.9.8u"/>
5423 <affects base="0.9.8" version="0.9.8v"/>
5424 <affects base="0.9.8" version="0.9.8w"/>
5425 <affects base="1.0.0" version="1.0.0"/>
5426 <affects base="1.0.0" version="1.0.0a"/>
5427 <affects base="1.0.0" version="1.0.0b"/>
5428 <affects base="1.0.0" version="1.0.0c"/>
5429 <affects base="1.0.0" version="1.0.0d"/>
5430 <affects base="1.0.0" version="1.0.0e"/>
5431 <affects base="1.0.0" version="1.0.0f"/>
5432 <affects base="1.0.0" version="1.0.0g"/>
5433 <affects base="1.0.0" version="1.0.0i"/>
5434 <affects base="1.0.1" version="1.0.1"/>
5435 <affects base="1.0.1" version="1.0.1a"/>
5436 <affects base="1.0.1" version="1.0.1b"/>
5437 <fixed base="1.0.1" version="1.0.1c" date="20120510"/>
5438 <fixed base="1.0.0" version="1.0.0j" date="20120510"/>
5439 <fixed base="0.9.8" version="0.9.8x" date="20120510"/>
5440 <advisory url="/news/secadv/20120510.txt"/>
5441 <reported source="Codenomicon"/>
5443 An integer underflow flaw, leading to a buffer over-read, was found in
5444 the way OpenSSL handled TLS 1.1, TLS 1.2, and DTLS (Datagram Transport
5445 Layer Security) application data record lengths when using a block
5446 cipher in CBC (cipher-block chaining) mode. A malicious TLS 1.1, TLS
5447 1.2, or DTLS client or server could use this flaw to crash its connection
5452 <issue public="20130204">
5453 <cve name="2013-0169"/>
5454 <affects base="0.9.8" version="0.9.8"/>
5455 <affects base="0.9.8" version="0.9.8a"/>
5456 <affects base="0.9.8" version="0.9.8b"/>
5457 <affects base="0.9.8" version="0.9.8c"/>
5458 <affects base="0.9.8" version="0.9.8d"/>
5459 <affects base="0.9.8" version="0.9.8e"/>
5460 <affects base="0.9.8" version="0.9.8f"/>
5461 <affects base="0.9.8" version="0.9.8g"/>
5462 <affects base="0.9.8" version="0.9.8h"/>
5463 <affects base="0.9.8" version="0.9.8i"/>
5464 <affects base="0.9.8" version="0.9.8j"/>
5465 <affects base="0.9.8" version="0.9.8k"/>
5466 <affects base="0.9.8" version="0.9.8l"/>
5467 <affects base="0.9.8" version="0.9.8m"/>
5468 <affects base="0.9.8" version="0.9.8n"/>
5469 <affects base="0.9.8" version="0.9.8o"/>
5470 <affects base="0.9.8" version="0.9.8p"/>
5471 <affects base="0.9.8" version="0.9.8q"/>
5472 <affects base="0.9.8" version="0.9.8r"/>
5473 <affects base="0.9.8" version="0.9.8s"/>
5474 <affects base="0.9.8" version="0.9.8t"/>
5475 <affects base="0.9.8" version="0.9.8u"/>
5476 <affects base="0.9.8" version="0.9.8v"/>
5477 <affects base="0.9.8" version="0.9.8w"/>
5478 <affects base="0.9.8" version="0.9.8x"/>
5479 <affects base="1.0.0" version="1.0.0"/>
5480 <affects base="1.0.0" version="1.0.0a"/>
5481 <affects base="1.0.0" version="1.0.0b"/>
5482 <affects base="1.0.0" version="1.0.0c"/>
5483 <affects base="1.0.0" version="1.0.0d"/>
5484 <affects base="1.0.0" version="1.0.0e"/>
5485 <affects base="1.0.0" version="1.0.0f"/>
5486 <affects base="1.0.0" version="1.0.0g"/>
5487 <affects base="1.0.0" version="1.0.0i"/>
5488 <affects base="1.0.0" version="1.0.0j"/>
5489 <affects base="1.0.1" version="1.0.1"/>
5490 <affects base="1.0.1" version="1.0.1a"/>
5491 <affects base="1.0.1" version="1.0.1b"/>
5492 <affects base="1.0.1" version="1.0.1c"/>
5493 <fixed base="1.0.1" version="1.0.1d" date="20130205"/>
5494 <fixed base="1.0.0" version="1.0.0k" date="20130205"/>
5495 <fixed base="0.9.8" version="0.9.8y" date="20130205"/>
5496 <advisory url="/news/secadv/20130205.txt"/>
5497 <reported source="Nadhem J. AlFardan and Kenneth G. Paterson of the Information Security Group Royal Holloway, University of London"/>
5499 A weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS which could
5500 lead to plaintext recovery by exploiting timing differences
5501 arising during MAC processing.
5505 <issue public="20130205">
5506 <cve name="2012-2686"/>
5507 <affects base="1.0.1" version="1.0.1"/>
5508 <affects base="1.0.1" version="1.0.1a"/>
5509 <affects base="1.0.1" version="1.0.1b"/>
5510 <affects base="1.0.1" version="1.0.1c"/>
5511 <fixed base="1.0.1" version="1.0.1d" date="20130205"/>
5512 <advisory url="/news/secadv/20130205.txt"/>
5513 <reported source="Adam Langley and Wolfgang Ettlinger"/>
5515 A flaw in the OpenSSL handling of CBC ciphersuites in TLS 1.1 and TLS 1.2 on
5516 AES-NI supporting platforms can be exploited in a DoS attack.
5520 <issue public="20130205">
5521 <cve name="2013-0166"/>
5522 <affects base="0.9.8" version="0.9.8"/>
5523 <affects base="0.9.8" version="0.9.8a"/>
5524 <affects base="0.9.8" version="0.9.8b"/>
5525 <affects base="0.9.8" version="0.9.8c"/>
5526 <affects base="0.9.8" version="0.9.8d"/>
5527 <affects base="0.9.8" version="0.9.8e"/>
5528 <affects base="0.9.8" version="0.9.8f"/>
5529 <affects base="0.9.8" version="0.9.8g"/>
5530 <affects base="0.9.8" version="0.9.8h"/>
5531 <affects base="0.9.8" version="0.9.8i"/>
5532 <affects base="0.9.8" version="0.9.8j"/>
5533 <affects base="0.9.8" version="0.9.8k"/>
5534 <affects base="0.9.8" version="0.9.8l"/>
5535 <affects base="0.9.8" version="0.9.8m"/>
5536 <affects base="0.9.8" version="0.9.8n"/>
5537 <affects base="0.9.8" version="0.9.8o"/>
5538 <affects base="0.9.8" version="0.9.8p"/>
5539 <affects base="0.9.8" version="0.9.8q"/>
5540 <affects base="0.9.8" version="0.9.8r"/>
5541 <affects base="0.9.8" version="0.9.8s"/>
5542 <affects base="0.9.8" version="0.9.8t"/>
5543 <affects base="0.9.8" version="0.9.8u"/>
5544 <affects base="0.9.8" version="0.9.8v"/>
5545 <affects base="0.9.8" version="0.9.8w"/>
5546 <affects base="0.9.8" version="0.9.8x"/>
5547 <affects base="1.0.0" version="1.0.0"/>
5548 <affects base="1.0.0" version="1.0.0a"/>
5549 <affects base="1.0.0" version="1.0.0b"/>
5550 <affects base="1.0.0" version="1.0.0c"/>
5551 <affects base="1.0.0" version="1.0.0d"/>
5552 <affects base="1.0.0" version="1.0.0e"/>
5553 <affects base="1.0.0" version="1.0.0f"/>
5554 <affects base="1.0.0" version="1.0.0g"/>
5555 <affects base="1.0.0" version="1.0.0i"/>
5556 <affects base="1.0.0" version="1.0.0j"/>
5557 <affects base="1.0.1" version="1.0.1"/>
5558 <affects base="1.0.1" version="1.0.1a"/>
5559 <affects base="1.0.1" version="1.0.1b"/>
5560 <affects base="1.0.1" version="1.0.1c"/>
5561 <fixed base="1.0.1" version="1.0.1d" date="20130205"/>
5562 <fixed base="1.0.0" version="1.0.0k" date="20130205"/>
5563 <fixed base="0.9.8" version="0.9.8y" date="20130205"/>
5564 <advisory url="/news/secadv/20130205.txt"/>
5565 <reported source="Stephen Henson"/>
5567 A flaw in the OpenSSL handling of OCSP response verification can be exploited in
5568 a denial of service attack.
5572 <issue public="20131213">
5573 <cve name="2013-6450"/>
5574 <affects base="1.0.0" version="1.0.0"/>
5575 <affects base="1.0.0" version="1.0.0a"/>
5576 <affects base="1.0.0" version="1.0.0b"/>
5577 <affects base="1.0.0" version="1.0.0c"/>
5578 <affects base="1.0.0" version="1.0.0d"/>
5579 <affects base="1.0.0" version="1.0.0e"/>
5580 <affects base="1.0.0" version="1.0.0f"/>
5581 <affects base="1.0.0" version="1.0.0g"/>
5582 <affects base="1.0.0" version="1.0.0i"/>
5583 <affects base="1.0.0" version="1.0.0j"/>
5584 <affects base="1.0.0" version="1.0.0k"/>
5585 <affects base="1.0.1" version="1.0.1"/>
5586 <affects base="1.0.1" version="1.0.1a"/>
5587 <affects base="1.0.1" version="1.0.1b"/>
5588 <affects base="1.0.1" version="1.0.1c"/>
5589 <affects base="1.0.1" version="1.0.1d"/>
5590 <affects base="1.0.1" version="1.0.1e"/>
5591 <fixed base="1.0.1" version="1.0.1f" date="20140106">
5592 <git hash="3462896"/>
5594 <fixed base="1.0.0" version="1.0.0l" date="20140106"/>
5595 <reported source="Dmitry Sobinov"/>
5597 A flaw in DTLS handling can cause an application using OpenSSL and DTLS to crash.
5598 This is not a vulnerability for OpenSSL prior to 1.0.0.
5602 <issue public="20131214">
5603 <cve name="2013-6449"/>
5604 <affects base="1.0.1" version="1.0.1"/>
5605 <affects base="1.0.1" version="1.0.1a"/>
5606 <affects base="1.0.1" version="1.0.1b"/>
5607 <affects base="1.0.1" version="1.0.1c"/>
5608 <affects base="1.0.1" version="1.0.1d"/>
5609 <affects base="1.0.1" version="1.0.1e"/>
5610 <fixed base="1.0.1" version="1.0.1f" date="20140106">
5611 <git hash="ca98926"/>
5613 <reported source="Ron Barber"/>
5615 A flaw in OpenSSL can cause an application using OpenSSL to crash when using TLS version 1.2.
5616 This issue only affected OpenSSL 1.0.1 versions.
5620 <issue public="20140106">
5621 <cve name="2013-4353"/>
5622 <affects base="1.0.1" version="1.0.1"/>
5623 <affects base="1.0.1" version="1.0.1a"/>
5624 <affects base="1.0.1" version="1.0.1b"/>
5625 <affects base="1.0.1" version="1.0.1c"/>
5626 <affects base="1.0.1" version="1.0.1d"/>
5627 <affects base="1.0.1" version="1.0.1e"/>
5628 <fixed base="1.0.1" version="1.0.1f" date="20140106">
5629 <git hash="197e0ea817ad64820789d86711d55ff50d71f631"/>
5631 <reported source="Anton Johansson"/>
5633 A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL pointer exception. A malicious
5634 server could use this flaw to crash a connecting client. This issue only affected OpenSSL 1.0.1 versions.
5638 <issue public="20140214">
5639 <cve name="2014-0076"/>
5640 <affects base="0.9.8" version="0.9.8"/>
5641 <affects base="0.9.8" version="0.9.8a"/>
5642 <affects base="0.9.8" version="0.9.8b"/>
5643 <affects base="0.9.8" version="0.9.8c"/>
5644 <affects base="0.9.8" version="0.9.8d"/>
5645 <affects base="0.9.8" version="0.9.8e"/>
5646 <affects base="0.9.8" version="0.9.8f"/>
5647 <affects base="0.9.8" version="0.9.8g"/>
5648 <affects base="0.9.8" version="0.9.8h"/>
5649 <affects base="0.9.8" version="0.9.8i"/>
5650 <affects base="0.9.8" version="0.9.8j"/>
5651 <affects base="0.9.8" version="0.9.8k"/>
5652 <affects base="0.9.8" version="0.9.8l"/>
5653 <affects base="0.9.8" version="0.9.8m"/>
5654 <affects base="0.9.8" version="0.9.8n"/>
5655 <affects base="0.9.8" version="0.9.8o"/>
5656 <affects base="0.9.8" version="0.9.8p"/>
5657 <affects base="0.9.8" version="0.9.8q"/>
5658 <affects base="0.9.8" version="0.9.8r"/>
5659 <affects base="0.9.8" version="0.9.8s"/>
5660 <affects base="0.9.8" version="0.9.8t"/>
5661 <affects base="0.9.8" version="0.9.8u"/>
5662 <affects base="0.9.8" version="0.9.8v"/>
5663 <affects base="0.9.8" version="0.9.8w"/>
5664 <affects base="0.9.8" version="0.9.8x"/>
5665 <affects base="0.9.8" version="0.9.8y"/>
5666 <affects base="1.0.0" version="1.0.0"/>
5667 <affects base="1.0.0" version="1.0.0a"/>
5668 <affects base="1.0.0" version="1.0.0b"/>
5669 <affects base="1.0.0" version="1.0.0c"/>
5670 <affects base="1.0.0" version="1.0.0d"/>
5671 <affects base="1.0.0" version="1.0.0e"/>
5672 <affects base="1.0.0" version="1.0.0f"/>
5673 <affects base="1.0.0" version="1.0.0g"/>
5674 <affects base="1.0.0" version="1.0.0i"/>
5675 <affects base="1.0.0" version="1.0.0j"/>
5676 <affects base="1.0.0" version="1.0.0k"/>
5677 <affects base="1.0.0" version="1.0.0l"/>
5678 <affects base="1.0.1" version="1.0.1"/>
5679 <affects base="1.0.1" version="1.0.1a"/>
5680 <affects base="1.0.1" version="1.0.1b"/>
5681 <affects base="1.0.1" version="1.0.1c"/>
5682 <affects base="1.0.1" version="1.0.1d"/>
5683 <affects base="1.0.1" version="1.0.1e"/>
5684 <affects base="1.0.1" version="1.0.1f"/>
5685 <fixed base="1.0.1" version="1.0.1g" date="20140409">
5686 <git hash="4b7a4ba29cafa432fc4266fe6e59e60bc1c96332"/>
5688 <fixed base="1.0.0" version="1.0.0m" date="20140312">
5689 <git hash="2198be3483259de374f91e57d247d0fc667aef29"/>
5691 <fixed base="0.9.8" version="0.9.8za" date="20140605">
5693 <reported source="Yuval Yarom and Naomi Benger"/>
5695 Fix for the attack described in the paper "Recovering OpenSSL
5696 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
5700 <issue public="20140407">
5701 <cve name="2014-0160"/>
5702 <affects base="1.0.1" version="1.0.1"/>
5703 <affects base="1.0.1" version="1.0.1a"/>
5704 <affects base="1.0.1" version="1.0.1b"/>
5705 <affects base="1.0.1" version="1.0.1c"/>
5706 <affects base="1.0.1" version="1.0.1d"/>
5707 <affects base="1.0.1" version="1.0.1e"/>
5708 <affects base="1.0.1" version="1.0.1f"/>
5709 <fixed base="1.0.1" version="1.0.1g" date="20140409">
5711 <advisory url="/news/secadv/20140407.txt"/>
5712 <reported source="Neel Mehta"/>
5714 A missing bounds check in the handling of the TLS heartbeat extension can be
5715 used to reveal up to 64kB of memory to a connected client or server (a.k.a. Heartbleed). This
5716 issue did not affect versions of OpenSSL prior to 1.0.1.
5720 <issue public="20140605">
5721 <cve name="2014-0224"/>
5722 <affects base="0.9.8" version="0.9.8"/>
5723 <affects base="0.9.8" version="0.9.8a"/>
5724 <affects base="0.9.8" version="0.9.8b"/>
5725 <affects base="0.9.8" version="0.9.8c"/>
5726 <affects base="0.9.8" version="0.9.8d"/>
5727 <affects base="0.9.8" version="0.9.8e"/>
5728 <affects base="0.9.8" version="0.9.8f"/>
5729 <affects base="0.9.8" version="0.9.8g"/>
5730 <affects base="0.9.8" version="0.9.8h"/>
5731 <affects base="0.9.8" version="0.9.8i"/>
5732 <affects base="0.9.8" version="0.9.8j"/>
5733 <affects base="0.9.8" version="0.9.8k"/>
5734 <affects base="0.9.8" version="0.9.8l"/>
5735 <affects base="0.9.8" version="0.9.8m"/>
5736 <affects base="0.9.8" version="0.9.8n"/>
5737 <affects base="0.9.8" version="0.9.8o"/>
5738 <affects base="0.9.8" version="0.9.8p"/>
5739 <affects base="0.9.8" version="0.9.8q"/>
5740 <affects base="0.9.8" version="0.9.8r"/>
5741 <affects base="0.9.8" version="0.9.8s"/>
5742 <affects base="0.9.8" version="0.9.8t"/>
5743 <affects base="0.9.8" version="0.9.8u"/>
5744 <affects base="0.9.8" version="0.9.8v"/>
5745 <affects base="0.9.8" version="0.9.8w"/>
5746 <affects base="0.9.8" version="0.9.8x"/>
5747 <affects base="0.9.8" version="0.9.8y"/>
5748 <affects base="1.0.0" version="1.0.0"/>
5749 <affects base="1.0.0" version="1.0.0a"/>
5750 <affects base="1.0.0" version="1.0.0b"/>
5751 <affects base="1.0.0" version="1.0.0c"/>
5752 <affects base="1.0.0" version="1.0.0d"/>
5753 <affects base="1.0.0" version="1.0.0e"/>
5754 <affects base="1.0.0" version="1.0.0f"/>
5755 <affects base="1.0.0" version="1.0.0g"/>
5756 <affects base="1.0.0" version="1.0.0i"/>
5757 <affects base="1.0.0" version="1.0.0j"/>
5758 <affects base="1.0.0" version="1.0.0k"/>
5759 <affects base="1.0.0" version="1.0.0l"/>
5760 <affects base="1.0.1" version="1.0.1"/>
5761 <affects base="1.0.1" version="1.0.1a"/>
5762 <affects base="1.0.1" version="1.0.1b"/>
5763 <affects base="1.0.1" version="1.0.1c"/>
5764 <affects base="1.0.1" version="1.0.1d"/>
5765 <affects base="1.0.1" version="1.0.1e"/>
5766 <affects base="1.0.1" version="1.0.1f"/>
5767 <affects base="1.0.1" version="1.0.1g"/>
5768 <fixed base="1.0.1" version="1.0.1h" date="20140605">
5770 <fixed base="1.0.0" version="1.0.0m" date="20140605">
5772 <fixed base="0.9.8" version="0.9.8za" date="20140605">
5775 An attacker can force the use of weak
5776 keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
5777 by a Man-in-the-middle (MITM) attack where the attacker can decrypt and
5778 modify traffic from the attacked client and server.
5780 <advisory url="/news/secadv/20140605.txt"/>
5781 <reported source="KIKUCHI Masashi (Lepidum Co. Ltd.)"/>
5784 <issue public="20140605">
5785 <cve name="2014-0221"/>
5786 <affects base="0.9.8" version="0.9.8"/>
5787 <affects base="0.9.8" version="0.9.8a"/>
5788 <affects base="0.9.8" version="0.9.8b"/>
5789 <affects base="0.9.8" version="0.9.8c"/>
5790 <affects base="0.9.8" version="0.9.8d"/>
5791 <affects base="0.9.8" version="0.9.8e"/>
5792 <affects base="0.9.8" version="0.9.8f"/>
5793 <affects base="0.9.8" version="0.9.8g"/>
5794 <affects base="0.9.8" version="0.9.8h"/>
5795 <affects base="0.9.8" version="0.9.8i"/>
5796 <affects base="0.9.8" version="0.9.8j"/>
5797 <affects base="0.9.8" version="0.9.8k"/>
5798 <affects base="0.9.8" version="0.9.8l"/>
5799 <affects base="0.9.8" version="0.9.8m"/>
5800 <affects base="0.9.8" version="0.9.8n"/>
5801 <affects base="0.9.8" version="0.9.8o"/>
5802 <affects base="0.9.8" version="0.9.8p"/>
5803 <affects base="0.9.8" version="0.9.8q"/>
5804 <affects base="0.9.8" version="0.9.8r"/>
5805 <affects base="0.9.8" version="0.9.8s"/>
5806 <affects base="0.9.8" version="0.9.8t"/>
5807 <affects base="0.9.8" version="0.9.8u"/>
5808 <affects base="0.9.8" version="0.9.8v"/>
5809 <affects base="0.9.8" version="0.9.8w"/>
5810 <affects base="0.9.8" version="0.9.8x"/>
5811 <affects base="0.9.8" version="0.9.8y"/>
5812 <affects base="1.0.0" version="1.0.0"/>
5813 <affects base="1.0.0" version="1.0.0a"/>
5814 <affects base="1.0.0" version="1.0.0b"/>
5815 <affects base="1.0.0" version="1.0.0c"/>
5816 <affects base="1.0.0" version="1.0.0d"/>
5817 <affects base="1.0.0" version="1.0.0e"/>
5818 <affects base="1.0.0" version="1.0.0f"/>
5819 <affects base="1.0.0" version="1.0.0g"/>
5820 <affects base="1.0.0" version="1.0.0i"/>
5821 <affects base="1.0.0" version="1.0.0j"/>
5822 <affects base="1.0.0" version="1.0.0k"/>
5823 <affects base="1.0.0" version="1.0.0l"/>
5824 <affects base="1.0.1" version="1.0.1"/>
5825 <affects base="1.0.1" version="1.0.1a"/>
5826 <affects base="1.0.1" version="1.0.1b"/>
5827 <affects base="1.0.1" version="1.0.1c"/>
5828 <affects base="1.0.1" version="1.0.1d"/>
5829 <affects base="1.0.1" version="1.0.1e"/>
5830 <affects base="1.0.1" version="1.0.1f"/>
5831 <affects base="1.0.1" version="1.0.1g"/>
5832 <fixed base="1.0.1" version="1.0.1h" date="20140605">
5834 <fixed base="1.0.0" version="1.0.0m" date="20140605">
5836 <fixed base="0.9.8" version="0.9.8za" date="20140605">
5838 <description>By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. Only applications using OpenSSL as a DTLS client are affected.</description>
5839 <advisory url="/news/secadv/20140605.txt"/>
5840 <reported source="Imre Rad (Search-Lab Ltd.)"/>
5843 <issue public="20140605">
5844 <cve name="2014-0195"/>
5845 <affects base="0.9.8" version="0.9.8o"/>
5846 <affects base="0.9.8" version="0.9.8p"/>
5847 <affects base="0.9.8" version="0.9.8q"/>
5848 <affects base="0.9.8" version="0.9.8r"/>
5849 <affects base="0.9.8" version="0.9.8s"/>
5850 <affects base="0.9.8" version="0.9.8t"/>
5851 <affects base="0.9.8" version="0.9.8u"/>
5852 <affects base="0.9.8" version="0.9.8v"/>
5853 <affects base="0.9.8" version="0.9.8w"/>
5854 <affects base="0.9.8" version="0.9.8x"/>
5855 <affects base="0.9.8" version="0.9.8y"/>
5856 <affects base="1.0.0" version="1.0.0"/>
5857 <affects base="1.0.0" version="1.0.0a"/>
5858 <affects base="1.0.0" version="1.0.0b"/>
5859 <affects base="1.0.0" version="1.0.0c"/>
5860 <affects base="1.0.0" version="1.0.0d"/>
5861 <affects base="1.0.0" version="1.0.0e"/>
5862 <affects base="1.0.0" version="1.0.0f"/>
5863 <affects base="1.0.0" version="1.0.0g"/>
5864 <affects base="1.0.0" version="1.0.0i"/>
5865 <affects base="1.0.0" version="1.0.0j"/>
5866 <affects base="1.0.0" version="1.0.0k"/>
5867 <affects base="1.0.0" version="1.0.0l"/>
5868 <affects base="1.0.1" version="1.0.1"/>
5869 <affects base="1.0.1" version="1.0.1a"/>
5870 <affects base="1.0.1" version="1.0.1b"/>
5871 <affects base="1.0.1" version="1.0.1c"/>
5872 <affects base="1.0.1" version="1.0.1d"/>
5873 <affects base="1.0.1" version="1.0.1e"/>
5874 <affects base="1.0.1" version="1.0.1f"/>
5875 <affects base="1.0.1" version="1.0.1g"/>
5876 <fixed base="1.0.1" version="1.0.1h" date="20140605">
5878 <fixed base="1.0.0" version="1.0.0m" date="20140605">
5880 <fixed base="0.9.8" version="0.9.8za" date="20140605">
5882 <description>A buffer overrun attack can be triggered by sending invalid DTLS fragments
5883 to an OpenSSL DTLS client or server. This is potentially exploitable to
5884 run arbitrary code on a vulnerable client or server. Only applications using OpenSSL as a DTLS client or server affected.
5886 <advisory url="/news/secadv/20140605.txt"/>
5887 <reported source="Jüri Aedla"/>
5890 <issue public="20140421">
5891 <cve name="2014-0198"/>
5892 <affects base="1.0.0" version="1.0.0"/>
5893 <affects base="1.0.0" version="1.0.0a"/>
5894 <affects base="1.0.0" version="1.0.0b"/>
5895 <affects base="1.0.0" version="1.0.0c"/>
5896 <affects base="1.0.0" version="1.0.0d"/>
5897 <affects base="1.0.0" version="1.0.0e"/>
5898 <affects base="1.0.0" version="1.0.0f"/>
5899 <affects base="1.0.0" version="1.0.0g"/>
5900 <affects base="1.0.0" version="1.0.0i"/>
5901 <affects base="1.0.0" version="1.0.0j"/>
5902 <affects base="1.0.0" version="1.0.0k"/>
5903 <affects base="1.0.0" version="1.0.0l"/>
5904 <affects base="1.0.1" version="1.0.1"/>
5905 <affects base="1.0.1" version="1.0.1a"/>
5906 <affects base="1.0.1" version="1.0.1b"/>
5907 <affects base="1.0.1" version="1.0.1c"/>
5908 <affects base="1.0.1" version="1.0.1d"/>
5909 <affects base="1.0.1" version="1.0.1e"/>
5910 <affects base="1.0.1" version="1.0.1f"/>
5911 <affects base="1.0.1" version="1.0.1g"/>
5912 <fixed base="1.0.1" version="1.0.1h" date="20140605">
5914 <fixed base="1.0.0" version="1.0.0m" date="20140605">
5916 <description>A flaw in the do_ssl3_write function can allow remote attackers to
5917 cause a denial of service via a NULL pointer dereference. This flaw
5918 only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is
5919 enabled, which is not the default and not common.</description>
5920 <advisory url="/news/secadv/20140605.txt"/>
5923 <issue public="20140408">
5924 <cve name="2010-5298"/>
5925 <affects base="1.0.0" version="1.0.0"/>
5926 <affects base="1.0.0" version="1.0.0a"/>
5927 <affects base="1.0.0" version="1.0.0b"/>
5928 <affects base="1.0.0" version="1.0.0c"/>
5929 <affects base="1.0.0" version="1.0.0d"/>
5930 <affects base="1.0.0" version="1.0.0e"/>
5931 <affects base="1.0.0" version="1.0.0f"/>
5932 <affects base="1.0.0" version="1.0.0g"/>
5933 <affects base="1.0.0" version="1.0.0i"/>
5934 <affects base="1.0.0" version="1.0.0j"/>
5935 <affects base="1.0.0" version="1.0.0k"/>
5936 <affects base="1.0.0" version="1.0.0l"/>
5937 <affects base="1.0.1" version="1.0.1"/>
5938 <affects base="1.0.1" version="1.0.1a"/>
5939 <affects base="1.0.1" version="1.0.1b"/>
5940 <affects base="1.0.1" version="1.0.1c"/>
5941 <affects base="1.0.1" version="1.0.1d"/>
5942 <affects base="1.0.1" version="1.0.1e"/>
5943 <affects base="1.0.1" version="1.0.1f"/>
5944 <affects base="1.0.1" version="1.0.1g"/>
5945 <fixed base="1.0.1" version="1.0.1h" date="20140605">
5947 <fixed base="1.0.0" version="1.0.0m" date="20140605">
5949 <description>A race condition in the ssl3_read_bytes function can allow remote
5950 attackers to inject data across sessions or cause a denial of service.
5951 This flaw only affects multithreaded applications using OpenSSL 1.0.0
5952 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the
5953 default and not common.</description>
5954 <advisory url="/news/secadv/20140605.txt"/>
5957 <issue public="20140530">
5958 <cve name="2014-3470"/>
5959 <affects base="0.9.8" version="0.9.8"/>
5960 <affects base="0.9.8" version="0.9.8a"/>
5961 <affects base="0.9.8" version="0.9.8b"/>
5962 <affects base="0.9.8" version="0.9.8c"/>
5963 <affects base="0.9.8" version="0.9.8d"/>
5964 <affects base="0.9.8" version="0.9.8e"/>
5965 <affects base="0.9.8" version="0.9.8f"/>
5966 <affects base="0.9.8" version="0.9.8g"/>
5967 <affects base="0.9.8" version="0.9.8h"/>
5968 <affects base="0.9.8" version="0.9.8i"/>
5969 <affects base="0.9.8" version="0.9.8j"/>
5970 <affects base="0.9.8" version="0.9.8k"/>
5971 <affects base="0.9.8" version="0.9.8l"/>
5972 <affects base="0.9.8" version="0.9.8m"/>
5973 <affects base="0.9.8" version="0.9.8n"/>
5974 <affects base="0.9.8" version="0.9.8o"/>
5975 <affects base="0.9.8" version="0.9.8p"/>
5976 <affects base="0.9.8" version="0.9.8q"/>
5977 <affects base="0.9.8" version="0.9.8r"/>
5978 <affects base="0.9.8" version="0.9.8s"/>
5979 <affects base="0.9.8" version="0.9.8t"/>
5980 <affects base="0.9.8" version="0.9.8u"/>
5981 <affects base="0.9.8" version="0.9.8v"/>
5982 <affects base="0.9.8" version="0.9.8w"/>
5983 <affects base="0.9.8" version="0.9.8x"/>
5984 <affects base="0.9.8" version="0.9.8y"/>
5985 <affects base="1.0.0" version="1.0.0"/>
5986 <affects base="1.0.0" version="1.0.0a"/>
5987 <affects base="1.0.0" version="1.0.0b"/>
5988 <affects base="1.0.0" version="1.0.0c"/>
5989 <affects base="1.0.0" version="1.0.0d"/>
5990 <affects base="1.0.0" version="1.0.0e"/>
5991 <affects base="1.0.0" version="1.0.0f"/>
5992 <affects base="1.0.0" version="1.0.0g"/>
5993 <affects base="1.0.0" version="1.0.0i"/>
5994 <affects base="1.0.0" version="1.0.0j"/>
5995 <affects base="1.0.0" version="1.0.0k"/>
5996 <affects base="1.0.0" version="1.0.0l"/>
5997 <affects base="1.0.1" version="1.0.1"/>
5998 <affects base="1.0.1" version="1.0.1a"/>
5999 <affects base="1.0.1" version="1.0.1b"/>
6000 <affects base="1.0.1" version="1.0.1c"/>
6001 <affects base="1.0.1" version="1.0.1d"/>
6002 <affects base="1.0.1" version="1.0.1e"/>
6003 <affects base="1.0.1" version="1.0.1f"/>
6004 <affects base="1.0.1" version="1.0.1g"/>
6005 <fixed base="1.0.1" version="1.0.1h" date="20140605">
6007 <fixed base="1.0.0" version="1.0.0m" date="20140605">
6009 <fixed base="0.9.8" version="0.9.8za" date="20140605">
6011 <description>OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a
6012 denial of service attack.</description>
6013 <reported source="Felix Gröbert and Ivan Fratrić (Google)"/>
6014 <advisory url="/news/secadv/20140605.txt"/>