+<!-- The updated attribute should be the same as the first public issue,
+ unless an old entry was updated. -->
+<security updated="20171102">
+ <issue public="20171207">
+ <impact severity="Moderate"/>
+ <cve name="2017-3737"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <affects base="1.0.2" version="1.0.2e"/>
+ <affects base="1.0.2" version="1.0.2f"/>
+ <affects base="1.0.2" version="1.0.2g"/>
+ <affects base="1.0.2" version="1.0.2h"/>
+ <affects base="1.0.2" version="1.0.2i"/>
+ <affects base="1.0.2" version="1.0.2j"/>
+ <affects base="1.0.2" version="1.0.2k"/>
+ <affects base="1.0.2" version="1.0.2l"/>
+ <affects base="1.0.2" version="1.0.2m"/>
+ <fixed base="1.0.2" version="1.0.2n" date="20171207"/>
+ <problemtype>Unauthenticated read/unencrypted write</problemtype>
+ <title>Read/write after SSL object in error state</title>
+ <description>
+ OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"
+ mechanism. The intent was that if a fatal error occurred during a handshake then
+ OpenSSL would move into the error state and would immediately fail if you
+ attempted to continue the handshake. This works as designed for the explicit
+ handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()),
+ however due to a bug it does not work correctly if SSL_read() or SSL_write() is
+ called directly. In that scenario, if the handshake fails then a fatal error
+ will be returned in the initial function call. If SSL_read()/SSL_write() is
+ subsequently called by the application for the same SSL object then it will
+ succeed and the data is passed without being decrypted/encrypted directly from
+ the SSL/TLS record layer.
+
+ In order to exploit this issue an application bug would have to be present that
+ resulted in a call to SSL_read()/SSL_write() being issued after having already
+ received a fatal error.
+ </description>
+ <advisory url="/news/secadv/20171207.txt"/>
+ <reported source="David Benjamin (Google)"/>
+ </issue>
+ <issue public="20171207">
+ <impact severity="Low"/>
+ <cve name="2017-3738"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <affects base="1.1.0" version="1.1.0c"/>
+ <affects base="1.1.0" version="1.1.0d"/>
+ <affects base="1.1.0" version="1.1.0e"/>
+ <affects base="1.1.0" version="1.1.0f"/>
+ <affects base="1.1.0" version="1.1.0g"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <affects base="1.0.2" version="1.0.2a"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <affects base="1.0.2" version="1.0.2e"/>
+ <affects base="1.0.2" version="1.0.2f"/>
+ <affects base="1.0.2" version="1.0.2g"/>
+ <affects base="1.0.2" version="1.0.2h"/>
+ <affects base="1.0.2" version="1.0.2i"/>
+ <affects base="1.0.2" version="1.0.2j"/>
+ <affects base="1.0.2" version="1.0.2k"/>
+ <affects base="1.0.2" version="1.0.2l"/>
+ <affects base="1.0.2" version="1.0.2m"/>
+ <fixed base="1.0.2" version="1.0.2n" date="20171207"/>
+ <fixed base="1.1.0" version="1.1.0h-dev" date="20171207"/>
+ <problemtype>carry-propagating bug</problemtype>
+ <title>bn_sqrx8x_internal carry bug on x86_64</title>
+ <description>
+ There is an overflow bug in the AVX2 Montgomery multiplication procedure
+ used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
+ Analysis suggests that attacks against RSA and DSA as a result of this defect
+ would be very difficult to perform and are not believed likely. Attacks
+ against DH1024 are considered just feasible, because most of the work
+ necessary to deduce information about a private key may be performed offline.
+ The amount of resources required for such an attack would be significant.
+ However, for an attack on TLS to be meaningful, the server would have to share
+ the DH1024 private key among multiple clients, which is no longer an option
+ since CVE-2016-0701.
+
+ This only affects processors that support the AVX2 but not ADX extensions
+ like Intel Haswell (4th generation).
+
+ Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732
+ and CVE-2015-3193.
+
+ Due to the low severity of this issue we are not issuing a new release of
+ OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it
+ becomes available. The fix is also available in commit e502cc86d in the OpenSSL
+ git repository.
+ </description>
+ <advisory url="/news/secadv/20171207.txt"/>
+ <reported source="David Benjamin (Google)/Google OSS-Fuzz"/>
+ </issue>
+ <issue public="20171102">
+ <impact severity="Moderate"/>
+ <cve name="2017-3736"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <affects base="1.1.0" version="1.1.0c"/>
+ <affects base="1.1.0" version="1.1.0d"/>
+ <affects base="1.1.0" version="1.1.0e"/>
+ <affects base="1.1.0" version="1.1.0f"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <affects base="1.0.2" version="1.0.2a"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <affects base="1.0.2" version="1.0.2e"/>
+ <affects base="1.0.2" version="1.0.2f"/>
+ <affects base="1.0.2" version="1.0.2g"/>
+ <affects base="1.0.2" version="1.0.2h"/>
+ <affects base="1.0.2" version="1.0.2i"/>
+ <affects base="1.0.2" version="1.0.2j"/>
+ <affects base="1.0.2" version="1.0.2k"/>
+ <affects base="1.0.2" version="1.0.2l"/>
+ <fixed base="1.0.2" version="1.0.2m" date="20171102"/>
+ <fixed base="1.1.0" version="1.1.0g" date="20171102"/>
+ <problemtype>carry-propagating bug</problemtype>
+ <title>bn_sqrx8x_internal carry bug on x86_64</title>
+ <description>
+ There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No
+ EC algorithms are affected. Analysis suggests that attacks against RSA and DSA
+ as a result of this defect would be very difficult to perform and are not
+ believed likely. Attacks against DH are considered just feasible (although very
+ difficult) because most of the work necessary to deduce information
+ about a private key may be performed offline. The amount of resources
+ required for such an attack would be very significant and likely only
+ accessible to a limited number of attackers. An attacker would
+ additionally need online access to an unpatched system using the target
+ private key in a scenario with persistent DH parameters and a private
+ key that is shared between multiple clients.
+
+ This only affects processors that support the BMI1, BMI2 and ADX extensions like
+ Intel Broadwell (5th generation) and later or AMD Ryzen.
+ </description>
+ <advisory url="/news/secadv/20171102.txt"/>
+ <reported source="Google OSS-Fuzz"/>
+ </issue>
+ <issue public="20170828">
+ <impact severity="Low"/>
+ <cve name="2017-3735"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <affects base="1.1.0" version="1.1.0c"/>
+ <affects base="1.1.0" version="1.1.0d"/>
+ <affects base="1.1.0" version="1.1.0e"/>
+ <affects base="1.1.0" version="1.1.0f"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <affects base="1.0.2" version="1.0.2a"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <affects base="1.0.2" version="1.0.2e"/>
+ <affects base="1.0.2" version="1.0.2f"/>
+ <affects base="1.0.2" version="1.0.2g"/>
+ <affects base="1.0.2" version="1.0.2h"/>
+ <affects base="1.0.2" version="1.0.2i"/>
+ <affects base="1.0.2" version="1.0.2j"/>
+ <affects base="1.0.2" version="1.0.2k"/>
+ <affects base="1.0.2" version="1.0.2l"/>
+ <fixed base="1.0.2" version="1.0.2m" date="20171102"/>
+ <fixed base="1.1.0" version="1.1.0g" date="20171102"/>
+ <problemtype>out-of-bounds read</problemtype>
+ <title>Possible Overread in parsing X.509 IPAdressFamily</title>
+ <description>
+ While parsing an IPAdressFamily extension in an X.509 certificate,
+ it is possible to do a one-byte overread. This would result in
+ an incorrect text display of the certificate.
+ </description>
+ <advisory url="/news/secadv/20170828.txt"/>
+ <reported source="Google OSS-Fuzz"/>
+ </issue>
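Review bot: The `updated` attribute on the `<security>` element contradicts the comment directly above it. The comment says it should match the first public issue, and the first issue is `<issue public="20171207">`, yet the element reads `<security updated="20171102">`; this should be `<security updated="20171207">` since two new entries dated 20171207 are being added. Two further points on the CVE-2017-3738 entry: its `<title>` is a verbatim copy of the CVE-2017-3736 title (`bn_sqrx8x_internal carry bug on x86_64`) while its description talks about an overflow in the AVX2 Montgomery multiplication procedure, not the x86_64 squaring routine, and `<problemtype>carry-propagating bug</problemtype>` is likewise copied from the 3736 entry even though the description calls this an overflow bug; both should be reworded to match the text, or the description corrected if the title is the accurate one. The `<fixed base="1.1.0" version="1.1.0h-dev" date="20171207"/>` line also asserts a fix date for a release the description says is not yet available; consider omitting the `date` or pointing the reader to commit e502cc86d as the description does, and update the entry when 1.1.0h ships. Minor: the CVE-2017-3737 `<problemtype>Unauthenticated read/unencrypted write</problemtype>` does not follow the lowercase, noun-phrase style of the other entries (`carry-propagating bug`, `out-of-bounds read`), and the CVE-2017-3735 `<title>` and description spell the extension `IPAdressFamily`; the X.509 extension is `IPAddressFamily` (RFC 3779), so that typo should be fixed in both places.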