Add EOL notes to the vulnerability pages so it's clear they are

[openssl-web.git] / news / vulnerabilities.xml

<!-- All security issues affecting OpenSSL since the release of:
     0.9.6 on 20000924
     0.9.7 on 20021231
     0.9.8 on 20050705
     1.0.0 on 20100329
-->

<!-- The updated attribute should be the same as the first public issue,
     unless an old entry was updated. -->
<security updated="20171102">
  <issue public="20171207">
    <impact severity="Moderate"/>
    <cve name="2017-3737"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <affects base="1.0.2" version="1.0.2g"/>
    <affects base="1.0.2" version="1.0.2h"/>
    <affects base="1.0.2" version="1.0.2i"/>
    <affects base="1.0.2" version="1.0.2j"/>
    <affects base="1.0.2" version="1.0.2k"/>
    <affects base="1.0.2" version="1.0.2l"/>
    <affects base="1.0.2" version="1.0.2m"/>
    <fixed base="1.0.2" version="1.0.2n" date="20171207"/>
    <problemtype>Unauthenticated read/unencrypted write</problemtype>
    <title>Read/write after SSL object in error state</title>
    <description>
      OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"
      mechanism. The intent was that if a fatal error occurred during a handshake then
      OpenSSL would move into the error state and would immediately fail if you
      attempted to continue the handshake. This works as designed for the explicit
      handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()),
      however due to a bug it does not work correctly if SSL_read() or SSL_write() is
      called directly. In that scenario, if the handshake fails then a fatal error
      will be returned in the initial function call. If SSL_read()/SSL_write() is
      subsequently called by the application for the same SSL object then it will
      succeed and the data is passed without being decrypted/encrypted directly from
      the SSL/TLS record layer.

      In order to exploit this issue an application bug would have to be present that
      resulted in a call to SSL_read()/SSL_write() being issued after having already
      received a fatal error.
    </description>
    <advisory url="/news/secadv/20171207.txt"/>
    <reported source="David Benjamin (Google)"/>
  </issue>
  <issue public="20171207">
    <impact severity="Low"/>
    <cve name="2017-3738"/>
    <affects base="1.1.0" version="1.1.0"/>
    <affects base="1.1.0" version="1.1.0a"/>
    <affects base="1.1.0" version="1.1.0b"/>
    <affects base="1.1.0" version="1.1.0c"/>
    <affects base="1.1.0" version="1.1.0d"/>
    <affects base="1.1.0" version="1.1.0e"/>
    <affects base="1.1.0" version="1.1.0f"/>
    <affects base="1.1.0" version="1.1.0g"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <affects base="1.0.2" version="1.0.2g"/>
    <affects base="1.0.2" version="1.0.2h"/>
    <affects base="1.0.2" version="1.0.2i"/>
    <affects base="1.0.2" version="1.0.2j"/>
    <affects base="1.0.2" version="1.0.2k"/>
    <affects base="1.0.2" version="1.0.2l"/>
    <affects base="1.0.2" version="1.0.2m"/>
    <fixed base="1.0.2" version="1.0.2n" date="20171207"/>
    <fixed base="1.1.0" version="1.1.0h-dev" date="20171207"/>
    <problemtype>carry-propagating bug</problemtype>
    <title>bn_sqrx8x_internal carry bug on x86_64</title>
    <description>
      There is an overflow bug in the AVX2 Montgomery multiplication procedure
      used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
      Analysis suggests that attacks against RSA and DSA as a result of this defect
      would be very difficult to perform and are not believed likely. Attacks
      against DH1024 are considered just feasible, because most of the work
      necessary to deduce information about a private key may be performed offline.
      The amount of resources required for such an attack would be significant.
      However, for an attack on TLS to be meaningful, the server would have to share
      the DH1024 private key among multiple clients, which is no longer an option
      since CVE-2016-0701.

      This only affects processors that support the AVX2 but not ADX extensions
      like Intel Haswell (4th generation).

      Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732
      and CVE-2015-3193.

      Due to the low severity of this issue we are not issuing a new release of
      OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it
      becomes available. The fix is also available in commit e502cc86d in the OpenSSL
      git repository.
    </description>
    <advisory url="/news/secadv/20171207.txt"/>
    <reported source="David Benjamin (Google)/Google OSS-Fuzz"/>
  </issue>
  <issue public="20171102">
    <impact severity="Moderate"/>
    <cve name="2017-3736"/>
    <affects base="1.1.0" version="1.1.0"/>
    <affects base="1.1.0" version="1.1.0a"/>
    <affects base="1.1.0" version="1.1.0b"/>
    <affects base="1.1.0" version="1.1.0c"/>
    <affects base="1.1.0" version="1.1.0d"/>
    <affects base="1.1.0" version="1.1.0e"/>
    <affects base="1.1.0" version="1.1.0f"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <affects base="1.0.2" version="1.0.2g"/>
    <affects base="1.0.2" version="1.0.2h"/>
    <affects base="1.0.2" version="1.0.2i"/>
    <affects base="1.0.2" version="1.0.2j"/>
    <affects base="1.0.2" version="1.0.2k"/>
    <affects base="1.0.2" version="1.0.2l"/>
    <fixed base="1.0.2" version="1.0.2m" date="20171102"/>
    <fixed base="1.1.0" version="1.1.0g" date="20171102"/>
    <problemtype>carry-propagating bug</problemtype>
    <title>bn_sqrx8x_internal carry bug on x86_64</title>
    <description>
      There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No
      EC algorithms are affected. Analysis suggests that attacks against RSA and DSA
      as a result of this defect would be very difficult to perform and are not
      believed likely. Attacks against DH are considered just feasible (although very
      difficult) because most of the work necessary to deduce information
      about a private key may be performed offline. The amount of resources
      required for such an attack would be very significant and likely only
      accessible to a limited number of attackers. An attacker would
      additionally need online access to an unpatched system using the target
      private key in a scenario with persistent DH parameters and a private
      key that is shared between multiple clients.

      This only affects processors that support the BMI1, BMI2 and ADX extensions like
      Intel Broadwell (5th generation) and later or AMD Ryzen.
    </description>
    <advisory url="/news/secadv/20171102.txt"/>
    <reported source="Google OSS-Fuzz"/>
  </issue>
  <issue public="20170828">
    <impact severity="Low"/>
    <cve name="2017-3735"/>
    <affects base="1.1.0" version="1.1.0"/>
    <affects base="1.1.0" version="1.1.0a"/>
    <affects base="1.1.0" version="1.1.0b"/>
    <affects base="1.1.0" version="1.1.0c"/>
    <affects base="1.1.0" version="1.1.0d"/>
    <affects base="1.1.0" version="1.1.0e"/>
    <affects base="1.1.0" version="1.1.0f"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <affects base="1.0.2" version="1.0.2g"/>
    <affects base="1.0.2" version="1.0.2h"/>
    <affects base="1.0.2" version="1.0.2i"/>
    <affects base="1.0.2" version="1.0.2j"/>
    <affects base="1.0.2" version="1.0.2k"/>
    <affects base="1.0.2" version="1.0.2l"/>
    <fixed base="1.0.2" version="1.0.2m" date="20171102"/>
    <fixed base="1.1.0" version="1.1.0g" date="20171102"/>
    <problemtype>out-of-bounds read</problemtype>
    <title>Possible Overread in parsing X.509 IPAdressFamily</title>
    <description>
      While parsing an IPAdressFamily extension in an X.509 certificate,
      it is possible to do a one-byte overread. This would result in
      an incorrect text display of the certificate.
    </description>
    <advisory url="/news/secadv/20170828.txt"/>
    <reported source="Google OSS-Fuzz"/>
  </issue>
  <issue public="20170216">
    <impact severity="High"/>
    <cve name="2017-3733"/>
    <affects base="1.1.0" version="1.1.0"/>
    <affects base="1.1.0" version="1.1.0a"/>
    <affects base="1.1.0" version="1.1.0b"/>
    <affects base="1.1.0" version="1.1.0c"/>
    <affects base="1.1.0" version="1.1.0d"/>
    <fixed base="1.1.0" version="1.1.0e" date="20170216"/>
    <problemtype>protocol error</problemtype>
    <title>Encrypt-Then-Mac renegotiation crash</title>
    <description>
      During a renegotiation handshake if the Encrypt-Then-Mac extension is
      negotiated where it was not in the original handshake (or vice-versa) then
      this can cause OpenSSL to crash (dependent on ciphersuite). Both clients
      and servers are affected.
    </description>
    <advisory url="/news/secadv/20170216.txt"/>
    <reported source="Joe Orton (Red Hat)" />
  </issue>
  <issue public="20170126">
    <impact severity="Moderate"/>
    <cve name="2017-3731"/>
    <affects base="1.1.0" version="1.1.0"/>
    <affects base="1.1.0" version="1.1.0a"/>
    <affects base="1.1.0" version="1.1.0b"/>
    <affects base="1.1.0" version="1.1.0c"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <affects base="1.0.2" version="1.0.2g"/>
    <affects base="1.0.2" version="1.0.2h"/>
    <affects base="1.0.2" version="1.0.2i"/>
    <affects base="1.0.2" version="1.0.2j"/>
    <fixed base="1.1.0" version="1.1.0d" date="20170126"/>
    <fixed base="1.0.2" version="1.0.2k" date="20170126"/>
    <problemtype>out-of-bounds read</problemtype>
    <title>Truncated packet could crash via OOB read</title>
    <description>
      If an SSL/TLS server or client is running on a 32-bit host, and a specific
      cipher is being used, then a truncated packet can cause that server or
      client to perform an out-of-bounds read, usually resulting in a crash.

      For OpenSSL 1.1.0, the crash can be triggered when using
      CHACHA20/POLY1305; users should upgrade to 1.1.0d.

      For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users
      who have not disabled that algorithm should update to 1.0.2k
    </description>
    <advisory url="/news/secadv/20170126.txt"/>
    <reported source="Robert Święcki of Google" />
  </issue>
  <issue public="20170126">
    <impact severity="Moderate"/>
    <cve name="2017-3730"/>
    <affects base="1.1.0" version="1.1.0"/>
    <affects base="1.1.0" version="1.1.0a"/>
    <affects base="1.1.0" version="1.1.0b"/>
    <affects base="1.1.0" version="1.1.0c"/>
    <fixed base="1.1.0" version="1.1.0d" date="20170126"/>
    <problemtype>NULL pointer deference</problemtype>
    <title>Bad (EC)DHE parameters cause a client crash</title>
    <description>
      If a malicious server supplies bad parameters for a DHE or ECDHE key
      exchange then this can result in the client attempting to dereference a
      NULL pointer leading to a client crash. This could be exploited in a
      Denial of Service attack.
    </description>
    <advisory url="/news/secadv/20170126.txt"/>
    <reported source="Guido Vranken" />
  </issue>
  <issue public="20170126">
    <impact severity="Moderate"/>
    <cve name="2017-3732"/>
    <affects base="1.1.0" version="1.1.0"/>
    <affects base="1.1.0" version="1.1.0a"/>
    <affects base="1.1.0" version="1.1.0b"/>
    <affects base="1.1.0" version="1.1.0c"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <affects base="1.0.2" version="1.0.2g"/>
    <affects base="1.0.2" version="1.0.2h"/>
    <affects base="1.0.2" version="1.0.2i"/>
    <affects base="1.0.2" version="1.0.2j"/>
    <fixed base="1.1.0" version="1.1.0d" date="20170126"/>
    <fixed base="1.0.2" version="1.0.2k" date="20170126"/>
    <problemtype>carry-propagating bug</problemtype>
    <title>BN_mod_exp may produce incorrect results on x86_64</title>
    <description>
      There is a carry propagating bug in the x86_64 Montgomery squaring
      procedure. No EC algorithms are affected. Analysis suggests that attacks
      against RSA and DSA as a result of this defect would be very difficult to
      perform and are not believed likely. Attacks against DH are considered
      just feasible (although very difficult) because most of the work necessary
      to deduce information about a private key may be performed offline. The
      amount of resources required for such an attack would be very significant
      and likely only accessible to a limited number of attackers. An attacker
      would additionally need online access to an unpatched system using the
      target private key in a scenario with persistent DH parameters and a
      private key that is shared between multiple clients. For example this can
      occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This
      issue is very similar to CVE-2015-3193 but must be treated as a separate
      problem.
    </description>
    <advisory url="/news/secadv/20170126.txt"/>
    <reported source="OSS-Fuzz project" />
  </issue>
  <issue public="20161110">
    <impact severity="High"/>
    <cve name="2016-7054"/>
    <affects base="1.1.0" version="1.1.0"/>
    <affects base="1.1.0" version="1.1.0a"/>
    <affects base="1.1.0" version="1.1.0b"/>
    <fixed base="1.1.0" version="1.1.0c" date="20161110"/>
    <problemtype>protocol error</problemtype>
    <title>ChaCha20/Poly1305 heap-buffer-overflow</title>
    <description>
      TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to
      a DoS attack by corrupting larger payloads. This can result in an OpenSSL
      crash. This issue is not considered to be exploitable beyond a DoS.
    </description>
    <advisory url="/news/secadv/20161110.txt"/>
    <reported source="Robert Święcki (Google Security Team)" date="20160925"/>
  </issue>
  <issue public="20161110">
    <impact severity="Moderate"/>
    <cve name="2016-7053"/>
    <affects base="1.1.0" version="1.1.0"/>
    <affects base="1.1.0" version="1.1.0a"/>
    <affects base="1.1.0" version="1.1.0b"/>
    <fixed base="1.1.0" version="1.1.0c" date="20161110"/>
    <problemtype>NULL pointer deference</problemtype>
    <title>CMS Null dereference</title>
    <description>
      Applications parsing invalid CMS structures can crash with a NULL pointer
      dereference. This is caused by a bug in the handling of the ASN.1 CHOICE
      type in OpenSSL 1.1.0 which can result in a NULL value being passed to the
      structure callback if an attempt is made to free certain invalid
      encodings. Only CHOICE structures using a callback which do not handle
      NULL value are affected.
    </description>
    <advisory url="/news/secadv/20161110.txt"/>
    <reported source="Tyler Nighswander (ForAllSecure)" date="20161012"/>
  </issue>
  <issue public="20161110">
    <impact severity="Low"/>
    <cve name="2016-7055"/>
    <affects base="1.1.0" version="1.1.0"/>
    <affects base="1.1.0" version="1.1.0a"/>
    <affects base="1.1.0" version="1.1.0b"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <affects base="1.0.2" version="1.0.2g"/>
    <affects base="1.0.2" version="1.0.2h"/>
    <affects base="1.0.2" version="1.0.2i"/>
    <affects base="1.0.2" version="1.0.2j"/>
    <fixed base="1.1.0" version="1.1.0c" date="20161110"/>
    <fixed base="1.0.2" version="1.0.2k" date="20170126"/>
    <problemtype>carry propagating bug</problemtype>
    <title>Montgomery multiplication may produce incorrect results</title>
    <description>
      There is a carry propagating bug in the Broadwell-specific Montgomery
      multiplication procedure that handles input lengths divisible by, but
      longer than 256 bits. Analysis suggests that attacks against RSA, DSA
      and DH private keys are impossible. This is because the subroutine in
      question is not used in operations with the private key itself and an
      input of the attacker's direct choice. Otherwise the bug can manifest
      itself as transient authentication and key negotiation failures or
      reproducible erroneous outcome of public-key operations with specially
      crafted input. Among EC algorithms only Brainpool P-512 curves are
      affected and one presumably can attack ECDH key negotiation. Impact was
      not analyzed in detail, because pre-requisites for attack are considered
      unlikely. Namely multiple clients have to choose the curve in question and
      the server has to share the private key among them, neither of which is
      default behaviour. Even then only clients that chose the curve will be
      affected.
    </description>
    <advisory url="/news/secadv/20161110.txt"/>
    <reported source="Publicly reported" />
  </issue>
  <issue public="20160926">
    <impact severity="Critical"/>
    <cve name="2016-6309"/>
    <affects base="1.1.0" version="1.1.0a"/>
    <fixed base="1.1.0" version="1.1.0b" date="20160926"/>

    <problemtype>write to free</problemtype>                    
    <description>
      This issue only affects OpenSSL 1.1.0a, released on 22nd September 2016.

      The patch applied to address CVE-2016-6307 resulted in an issue where if a
      message larger than approx 16k is received then the underlying buffer to store
      the incoming message is reallocated and moved. Unfortunately a dangling pointer
      to the old location is left which results in an attempt to write to the
      previously freed location. This is likely to result in a crash, however it
      could potentially lead to execution of arbitrary code.
    </description>
    <advisory url="/news/secadv/20160926.txt"/>
    <reported source="Robert Święcki (Google Security Team)" date="20160923"/>
  </issue>
  <issue public="20160926">
    <impact severity="Moderate"/>
    <cve name="2016-7052"/>
    <affects base="1.0.2" version="1.0.2i"/>
    <fixed base="1.0.2" version="1.0.2j" date="20160926"/>

    <problemtype>NULL pointer exception</problemtype>                        
    <description>
      This issue only affects OpenSSL 1.0.2i, released on 22nd September 2016.

      A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
      but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
      CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
    </description>
    <advisory url="/news/secadv/20160926.txt"/>
    <reported source="Bruce Stephens and Thomas Jakobi" date="20160922"/>
  </issue>
  <issue public="20160922">
    <impact severity="High"/>
    <cve name="2016-6304"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.1" version="1.0.1q"/>
    <affects base="1.0.1" version="1.0.1r"/>
    <affects base="1.0.1" version="1.0.1s"/>
    <affects base="1.0.1" version="1.0.1t"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <affects base="1.0.2" version="1.0.2g"/>
    <affects base="1.0.2" version="1.0.2h"/>
    <affects base="1.1.0" version="1.1.0"/>
    <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
    <fixed base="1.0.2" version="1.0.2i" date="20160922"/>
    <fixed base="1.1.0" version="1.1.0a" date="20160922"/>

    <problemtype>memory leak</problemtype>                            
    <description>
      A malicious client can send an excessively large OCSP Status Request extension.
      If that client continually requests renegotiation, sending a large OCSP Status
      Request extension each time, then there will be unbounded memory growth on the
      server. This will eventually lead to a Denial Of Service attack through memory
      exhaustion. Servers with a default configuration are vulnerable even if they do
      not support OCSP. Builds using the "no-ocsp" build time option are not affected.

      Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default
      configuration, instead only if an application explicitly enables OCSP stapling
      support.
    </description>
    <advisory url="/news/secadv/20160922.txt"/>
    <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160829"/>
  </issue>
  <issue public="20160922">
    <impact severity="Moderate"/>
    <cve name="2016-6305"/>
    <affects base="1.1.0" version="1.1.0"/>
    <fixed base="1.1.0" version="1.1.0a" date="20160922"/>

    <description>
      OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer sends an
      empty record. This could be exploited by a malicious peer in a Denial Of Service
      attack.
    </description>
    <advisory url="/news/secadv/20160922.txt"/>
    <reported source="Alex Gaynor" date="20160910"/>
  </issue>
  <issue public="20160824">
    <impact severity="Low"/>
    <cve name="2016-6303"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.1" version="1.0.1q"/>
    <affects base="1.0.1" version="1.0.1r"/>
    <affects base="1.0.1" version="1.0.1s"/>
    <affects base="1.0.1" version="1.0.1t"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <affects base="1.0.2" version="1.0.2g"/>
    <affects base="1.0.2" version="1.0.2h"/>
    <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
    <fixed base="1.0.2" version="1.0.2i" date="20160922"/>

    <description>
      An overflow can occur in MDC2_Update() either if called directly or
      through the EVP_DigestUpdate() function using MDC2. If an attacker
      is able to supply very large amounts of input data after a previous
      call to EVP_EncryptUpdate() with a partial block then a length check
      can overflow resulting in a heap corruption.

      The amount of data needed is comparable to SIZE_MAX which is impractical
      on most platforms.
    </description>
    <advisory url="/news/secadv/20160922.txt"/>
    <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160811"/>
  </issue>
  <issue public="20160823">
    <impact severity="Low"/>
    <cve name="2016-6302"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.1" version="1.0.1q"/>
    <affects base="1.0.1" version="1.0.1r"/>
    <affects base="1.0.1" version="1.0.1s"/>
    <affects base="1.0.1" version="1.0.1t"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <affects base="1.0.2" version="1.0.2g"/>
    <affects base="1.0.2" version="1.0.2h"/>
    <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
    <fixed base="1.0.2" version="1.0.2i" date="20160922"/>

    <description>
      If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
      DoS attack where a malformed ticket will result in an OOB read which will
      ultimately crash.

      The use of SHA512 in TLS session tickets is comparatively rare as it requires
      a custom server callback and ticket lookup mechanism.
    </description>
    <advisory url="/news/secadv/20160922.txt"/>
    <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160819"/>
  </issue>
  <issue public="20160816">
    <impact severity="Low"/>
    <cve name="2016-2182"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.1" version="1.0.1q"/>
    <affects base="1.0.1" version="1.0.1r"/>
    <affects base="1.0.1" version="1.0.1s"/>
    <affects base="1.0.1" version="1.0.1t"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <affects base="1.0.2" version="1.0.2g"/>
    <affects base="1.0.2" version="1.0.2h"/>
    <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
    <fixed base="1.0.2" version="1.0.2i" date="20160922"/>

    <description>
      The function BN_bn2dec() does not check the return value of BN_div_word().
      This can cause an OOB write if an application uses this function with an
      overly large BIGNUM. This could be a problem if an overly large certificate
      or CRL is printed out from an untrusted source. TLS is not affected because
      record limits will reject an oversized certificate before it is parsed.
    </description>
    <advisory url="/news/secadv/20160922.txt"/>
    <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160802"/>
  </issue>
  <issue public="20160722">
    <impact severity="Low"/>
    <cve name="2016-2180"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.1" version="1.0.1q"/>
    <affects base="1.0.1" version="1.0.1r"/>
    <affects base="1.0.1" version="1.0.1s"/>
    <affects base="1.0.1" version="1.0.1t"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <affects base="1.0.2" version="1.0.2g"/>
    <affects base="1.0.2" version="1.0.2h"/>
    <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
    <fixed base="1.0.2" version="1.0.2i" date="20160922"/>

    <description>
      The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
      the total length the OID text representation would use and not the amount
      of data written. This will result in OOB reads when large OIDs are presented.
    </description>
    <advisory url="/news/secadv/20160922.txt"/>
    <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160721"/>
  </issue>
  <issue public="20160601">
    <impact severity="Low"/>
    <cve name="2016-2177"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.1" version="1.0.1q"/>
    <affects base="1.0.1" version="1.0.1r"/>
    <affects base="1.0.1" version="1.0.1s"/>
    <affects base="1.0.1" version="1.0.1t"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <affects base="1.0.2" version="1.0.2g"/>
    <affects base="1.0.2" version="1.0.2h"/>
    <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
    <fixed base="1.0.2" version="1.0.2i" date="20160922"/>

    <description>
        Avoid some undefined pointer arithmetic

        A common idiom in the codebase is to check limits in the following manner:
        "p + len &gt; limit"

        Where "p" points to some malloc'd data of SIZE bytes and
        limit == p + SIZE

        "len" here could be from some externally supplied data (e.g. from a TLS
        message).

        The rules of C pointer arithmetic are such that "p + len" is only well
        defined where len &lt;= SIZE. Therefore the above idiom is actually
        undefined behaviour.

        For example this could cause problems if some malloc implementation
        provides an address for "p" such that "p + len" actually overflows for
        values of len that are too big and therefore p + len &lt; limit.
    </description>
    <advisory url="/news/secadv/20160922.txt"/>
    <reported source="Guido Vranken" date="20160504"/>
  </issue>
  <issue public="20160607">
    <impact severity="Low"/>
    <cve name="2016-2178"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.1" version="1.0.1q"/>
    <affects base="1.0.1" version="1.0.1r"/>
    <affects base="1.0.1" version="1.0.1s"/>
    <affects base="1.0.1" version="1.0.1t"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <affects base="1.0.2" version="1.0.2g"/>
    <affects base="1.0.2" version="1.0.2h"/>
    <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
    <fixed base="1.0.2" version="1.0.2i" date="20160922"/>

    <description>
      Operations in the DSA signing algorithm should run in constant time in order to
      avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that
      a non-constant time codepath is followed for certain operations. This has been
      demonstrated through a cache-timing attack to be sufficient for an attacker to
      recover the private DSA key.
    </description>
    <advisory url="/news/secadv/20160922.txt"/>
    <reported source="César Pereida (Aalto University), Billy Brumley (Tampere University of Technology), and Yuval Yarom (The University of Adelaide and NICTA)" date="20160523"/>
  </issue>
  <issue public="20160822">
    <impact severity="Low"/>
    <cve name="2016-2179"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.1" version="1.0.1q"/>
    <affects base="1.0.1" version="1.0.1r"/>
    <affects base="1.0.1" version="1.0.1s"/>
    <affects base="1.0.1" version="1.0.1t"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <affects base="1.0.2" version="1.0.2g"/>
    <affects base="1.0.2" version="1.0.2h"/>
    <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
    <fixed base="1.0.2" version="1.0.2i" date="20160922"/>

    <description>
      In a DTLS connection where handshake messages are delivered out-of-order those
      messages that OpenSSL is not yet ready to process will be buffered for later
      use. Under certain circumstances, a flaw in the logic means that those messages
      do not get removed from the buffer even though the handshake has been completed.
      An attacker could force up to approx. 15 messages to remain in the buffer when
      they are no longer required. These messages will be cleared when the DTLS
      connection is closed. The default maximum size for a message is 100k. Therefore
      the attacker could force an additional 1500k to be consumed per connection. By
      opening many simulataneous connections an attacker could cause a DoS attack
      through memory exhaustion.
    </description>
    <advisory url="/news/secadv/20160922.txt"/>
    <reported source="Quan Luo" date="20160622"/>
  </issue>
  <issue public="20160819">
    <impact severity="Low"/>
    <cve name="2016-2181"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.1" version="1.0.1q"/>
    <affects base="1.0.1" version="1.0.1r"/>
    <affects base="1.0.1" version="1.0.1s"/>
    <affects base="1.0.1" version="1.0.1t"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <affects base="1.0.2" version="1.0.2g"/>
    <affects base="1.0.2" version="1.0.2h"/>
    <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
    <fixed base="1.0.2" version="1.0.2i" date="20160922"/>

    <description>
      A flaw in the DTLS replay attack protection mechanism means that records that
      arrive for future epochs update the replay protection "window" before the MAC
      for the record has been validated. This could be exploited by an attacker by
      sending a record for the next epoch (which does not have to decrypt or have a
      valid MAC), with a very large sequence number. This means that all subsequent
      legitimate packets are dropped causing a denial of service for a specific
      DTLS connection.
    </description>
    <advisory url="/news/secadv/20160922.txt"/>
    <reported source="OCAP audit team" date="20151121"/>
  </issue>
  <issue public="20160921">
    <impact severity="Low"/>
    <cve name="2016-6306"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.1" version="1.0.1q"/>
    <affects base="1.0.1" version="1.0.1r"/>
    <affects base="1.0.1" version="1.0.1s"/>
    <affects base="1.0.1" version="1.0.1t"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <affects base="1.0.2" version="1.0.2g"/>
    <affects base="1.0.2" version="1.0.2h"/>
    <fixed base="1.0.1" version="1.0.1u" date="20160922"/>
    <fixed base="1.0.2" version="1.0.2i" date="20160922"/>
    <description>
      In OpenSSL 1.0.2 and earlier some missing message length checks can result in
      OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical
      DoS risk but this has not been observed in practice on common platforms.

      The messages affected are client certificate, client certificate request and
      server certificate. As a result the attack can only be performed against
      a client or a server which enables client authentication.
    </description>
    <advisory url="/news/secadv/20160922.txt"/>
    <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160822"/>
  </issue>
  <issue public="20160921">
    <impact severity="Low"/>
    <cve name="2016-6307"/>
    <affects base="1.1.0" version="1.1.0"/>
    <fixed base="1.1.0" version="1.1.0a" date="20160922"/>

    <description>
      A TLS message includes 3 bytes for its length in the header for the message.
      This would allow for messages up to 16Mb in length. Messages of this length are
      excessive and OpenSSL includes a check to ensure that a peer is sending
      reasonably sized messages in order to avoid too much memory being consumed to
      service a connection. A flaw in the logic of version 1.1.0 means that memory for
      the message is allocated too early, prior to the excessive message length
      check. Due to way memory is allocated in OpenSSL this could mean an attacker
      could force up to 21Mb to be allocated to service a connection. This could lead
      to a Denial of Service through memory exhaustion. However, the excessive message
      length check still takes place, and this would cause the connection to
      immediately fail. Assuming that the application calls SSL_free() on the failed
      conneciton in a timely manner then the 21Mb of allocated memory will then be
      immediately freed again. Therefore the excessive memory allocation will be
      transitory in nature. This then means that there is only a security impact if:

      1) The application does not call SSL_free() in a timely manner in the
      event that the connection fails
      or
      2) The application is working in a constrained environment where there
      is very little free memory
      or
      3) The attacker initiates multiple connection attempts such that there
      are multiple connections in a state where memory has been allocated for
      the connection; SSL_free() has not yet been called; and there is
      insufficient memory to service the multiple requests.

      Except in the instance of (1) above any Denial Of Service is likely to
      be transitory because as soon as the connection fails the memory is
      subsequently freed again in the SSL_free() call. However there is an
      increased risk during this period of application crashes due to the lack
      of memory - which would then mean a more serious Denial of Service.
    </description>
    <advisory url="/news/secadv/20160922.txt"/>
    <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160818"/>
  </issue>
  <issue public="20160921">
    <impact severity="Low"/>
    <cve name="2016-6308"/>
    <affects base="1.1.0" version="1.1.0"/>
    <fixed base="1.1.0" version="1.1.0a" date="20160922"/>

    <description>
      A DTLS message includes 3 bytes for its length in the header for the message.
      This would allow for messages up to 16Mb in length. Messages of this length are
      excessive and OpenSSL includes a check to ensure that a peer is sending
      reasonably sized messages in order to avoid too much memory being consumed to
      service a connection. A flaw in the logic of version 1.1.0 means that memory for
      the message is allocated too early, prior to the excessive message length
      check. Due to way memory is allocated in OpenSSL this could mean an attacker
      could force up to 21Mb to be allocated to service a connection. This could lead
      to a Denial of Service through memory exhaustion. However, the excessive message
      length check still takes place, and this would cause the connection to
      immediately fail. Assuming that the application calls SSL_free() on the failed
      conneciton in a timely manner then the 21Mb of allocated memory will then be
      immediately freed again. Therefore the excessive memory allocation will be
      transitory in nature. This then means that there is only a security impact if:

      1) The application does not call SSL_free() in a timely manner in the
      event that the connection fails
      or
      2) The application is working in a constrained environment where there
      is very little free memory
      or
      3) The attacker initiates multiple connection attempts such that there
      are multiple connections in a state where memory has been allocated for
      the connection; SSL_free() has not yet been called; and there is
      insufficient memory to service the multiple requests.

      Except in the instance of (1) above any Denial Of Service is likely to
      be transitory because as soon as the connection fails the memory is
      subsequently freed again in the SSL_free() call. However there is an
      increased risk during this period of application crashes due to the lack
      of memory - which would then mean a more serious Denial of Service.
    </description>
    <advisory url="/news/secadv/20160922.txt"/>
    <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160818"/>
  </issue>
  <issue public="20160503">
    <impact severity="High"/>
    <cve name="2016-2108"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <fixed base="1.0.1" version="1.0.1o" date="20160612"/>
    <fixed base="1.0.2" version="1.0.2c" date="20160612"/>

    <description>
      This issue affected versions of OpenSSL prior to April 2015. The bug
      causing the vulnerability was fixed on April 18th 2015, and released
      as part of the June 11th 2015 security releases. The security impact
      of the bug was not known at the time.

      In previous versions of OpenSSL, ASN.1 encoding the value zero
      represented as a negative integer can cause a buffer underflow
      with an out-of-bounds write in i2c_ASN1_INTEGER. The ASN.1 parser does
      not normally create "negative zeroes" when parsing ASN.1 input, and
      therefore, an attacker cannot trigger this bug.

      However, a second, independent bug revealed that the ASN.1 parser
      (specifically, d2i_ASN1_TYPE) can misinterpret a large universal tag
      as a negative zero value. Large universal tags are not present in any
      common ASN.1 structures (such as X509) but are accepted as part of ANY
      structures.

      Therefore, if an application deserializes untrusted ASN.1 structures
      containing an ANY field, and later reserializes them, an attacker may
      be able to trigger an out-of-bounds write. This has been shown to
      cause memory corruption that is potentially exploitable with some
      malloc implementations.

      Applications that parse and re-encode X509 certificates are known to
      be vulnerable. Applications that verify RSA signatures on X509
      certificates may also be vulnerable; however, only certificates with
      valid signatures trigger ASN.1 re-encoding and hence the
      bug. Specifically, since OpenSSL's default TLS X509 chain verification
      code verifies the certificate chain from root to leaf, TLS handshakes
      could only be targeted with valid certificates issued by trusted
      Certification Authorities.
    </description>
    <advisory url="/news/secadv/20160503.txt"/>
    <reported source="Huzaifa Sidhpurwala (Red Hat), Hanno Böck, David Benjamin (Google)" date="20160331"/>
  </issue>
  <issue public="20160503">
    <impact severity="High"/>
    <cve name="2016-2107"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.1" version="1.0.1q"/>
    <affects base="1.0.1" version="1.0.1r"/>
    <affects base="1.0.1" version="1.0.1s"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <affects base="1.0.2" version="1.0.2g"/>
    <fixed base="1.0.1" version="1.0.1t" date="20160503"/>
    <fixed base="1.0.2" version="1.0.2h" date="20160503"/>

    <description>
      A MITM attacker can use a padding oracle attack to decrypt traffic
      when the connection uses an AES CBC cipher and the server support
      AES-NI.

      This issue was introduced as part of the fix for Lucky 13 padding
      attack (CVE-2013-0169). The padding check was rewritten to be in
      constant time by making sure that always the same bytes are read and
      compared against either the MAC or padding bytes. But it no longer
      checked that there was enough data to have both the MAC and padding
      bytes.
    </description>
    <advisory url="/news/secadv/20160503.txt"/>
    <reported source="Juraj Somorovsky" date="20160413"/>
  </issue>
  <issue public="20160503">
    <impact severity="Low"/>
    <cve name="2016-2105"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.1" version="1.0.1q"/>
    <affects base="1.0.1" version="1.0.1r"/>
    <affects base="1.0.1" version="1.0.1s"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <affects base="1.0.2" version="1.0.2g"/>
    <fixed base="1.0.1" version="1.0.1t" date="20160503"/>
    <fixed base="1.0.2" version="1.0.2h" date="20160503"/>

    <description>
      An overflow can occur in the EVP_EncodeUpdate() function which is used for
      Base64 encoding of binary data. If an attacker is able to supply very
      large amounts of input data then a length check can overflow resulting in
      a heap corruption.

      Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by the
      PEM_write_bio* family of functions. These are mainly used within the OpenSSL
      command line applications. These internal uses are not considered vulnerable
      because all calls are bounded with length checks so no overflow is possible.
      User applications that call these APIs directly with large amounts of untrusted
      data may be vulnerable. (Note: Initial analysis suggested that the
      PEM_write_bio* were vulnerable, and this is reflected in the patch commit
      message. This is no longer believed to be the case).
    </description>
    <advisory url="/news/secadv/20160503.txt"/>
    <reported source="Guido Vranken" date="20160303"/>
  </issue>
  <issue public="20160503">
    <impact severity="Low"/>
    <cve name="2016-2106"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.1" version="1.0.1q"/>
    <affects base="1.0.1" version="1.0.1r"/>
    <affects base="1.0.1" version="1.0.1s"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <affects base="1.0.2" version="1.0.2g"/>
    <fixed base="1.0.1" version="1.0.1t" date="20160503"/>
    <fixed base="1.0.2" version="1.0.2h" date="20160503"/>

    <description>
      An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
      is able to supply very large amounts of input data after a previous call
      to EVP_EncryptUpdate() with a partial block then a length check can
      overflow resulting in a heap corruption. Following an analysis of all
      OpenSSL internal usage of the EVP_EncryptUpdate() function all usage is
      one of two forms. The first form is where the EVP_EncryptUpdate() call is
      known to be the first called function after an EVP_EncryptInit(), and
      therefore that specific call must be safe. The second form is where the
      length passed to EVP_EncryptUpdate() can be seen from the code to be some
      small value and therefore there is no possibility of an overflow. Since
      all instances are one of these two forms, it is believed that there can be
      no overflows in internal code due to this problem. It should be noted that
      EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
      Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All
      instances of these calls have also been analysed too and it is believed
      there are no instances in internal usage where an overflow could occur.

      This could still represent a security issue for end user code that calls
      this function directly.
    </description>
    <advisory url="/news/secadv/20160503.txt"/>
    <reported source="Guido Vranken" date="20160303"/>
  </issue>
  <issue public="20160503">
    <impact severity="Low"/>
    <cve name="2016-2109"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.1" version="1.0.1q"/>
    <affects base="1.0.1" version="1.0.1r"/>
    <affects base="1.0.1" version="1.0.1s"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <affects base="1.0.2" version="1.0.2g"/>
    <fixed base="1.0.1" version="1.0.1t" date="20160503"/>
    <fixed base="1.0.2" version="1.0.2h" date="20160503"/>

    <description>
      When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
      a short invalid encoding can casuse allocation of large amounts of memory
      potentially consuming excessive resources or exhausting memory.

      Any application parsing untrusted data through d2i BIO functions is
      affected. The memory based functions such as d2i_X509() are *not*
      affected. Since the memory based functions are used by the TLS library,
      TLS applications are not affected.
    </description>
    <advisory url="/news/secadv/20160503.txt"/>
    <reported source="Brian Carpenter" date="20160404"/>
  </issue>
  <issue public="20160503">
    <impact severity="Low"/>
    <cve name="2016-2176"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.1" version="1.0.1q"/>
    <affects base="1.0.1" version="1.0.1r"/>
    <affects base="1.0.1" version="1.0.1s"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <affects base="1.0.2" version="1.0.2g"/>
    <fixed base="1.0.1" version="1.0.1t" date="20160503"/>
    <fixed base="1.0.2" version="1.0.2h" date="20160503"/>

    <description>
      ASN1 Strings that are over 1024 bytes can cause an overread in
      applications using the X509_NAME_oneline() function on EBCDIC systems.
      This could result in arbitrary stack data being returned in the buffer.
    </description>
    <advisory url="/news/secadv/20160503.txt"/>
    <reported source="Guido Vranken" date="20160305"/>
  </issue>
  <issue public="20160301">
    <impact severity="High"/>
    <cve name="2016-0800"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.1" version="1.0.1q"/>
    <affects base="1.0.1" version="1.0.1r"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <fixed base="1.0.1" version="1.0.1s" date="20160301"/>
    <fixed base="1.0.2" version="1.0.2g" date="20160301"/>

    <description>
      A cross-protocol attack was discovered that could lead to decryption of TLS
      sessions by using a server supporting SSLv2 and EXPORT cipher suites as a
      Bleichenbacher RSA padding oracle.  Note that traffic between clients and
      non-vulnerable servers can be decrypted provided another server supporting
      SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or
      POP) shares the RSA keys of the non-vulnerable server. This vulnerability is
      known as DROWN (CVE-2016-0800).

      Recovering one session key requires the attacker to perform approximately 2^50
      computation, as well as thousands of connections to the affected server. A more
      efficient variant of the DROWN attack exists against unpatched OpenSSL servers
      using versions that predate 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf released on
      19/Mar/2015 (see CVE-2016-0703 below).

      Users can avoid this issue by disabling the SSLv2 protocol in all their SSL/TLS
      servers, if they've not done so already. Disabling all SSLv2 ciphers is also
      sufficient, provided the patches for CVE-2015-3197 (fixed in OpenSSL 1.0.1r and
      1.0.2f) have been deployed.  Servers that have not disabled the SSLv2 protocol,
      and are not patched for CVE-2015-3197 are vulnerable to DROWN even if all SSLv2
      ciphers are nominally disabled, because malicious clients can force the use of
      SSLv2 with EXPORT ciphers.

      OpenSSL 1.0.2g and 1.0.1s deploy the following mitigation against DROWN:

      SSLv2 is now by default disabled at build-time.  Builds that are not configured
      with "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
      users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will
      need to explicitly call either of:

         SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
         or
         SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

      as appropriate.  Even if either of those is used, or the application explicitly
      uses the version-specific SSLv2_method() or its client or server variants,
      SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed.
      Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no
      longer available.

      In addition, weak ciphers in SSLv3 and up are now disabled in default builds of
      OpenSSL.  Builds that are not configured with "enable-weak-ssl-ciphers" will
      not provide any "EXPORT" or "LOW" strength ciphers.
    </description>
    <advisory url="/news/secadv/20160301.txt"/>
    <reported source="Nimrod Aviram and Sebastian Schinzel" date="20151229"/>
  </issue>
  <issue public="20160301">
    <impact severity="Low"/>
    <cve name="2016-0705"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.1" version="1.0.1q"/>
    <affects base="1.0.1" version="1.0.1r"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <fixed base="1.0.1" version="1.0.1s" date="20160301"/>
    <fixed base="1.0.2" version="1.0.2g" date="20160301"/>

    <description>
      A double free bug was discovered when OpenSSL parses malformed DSA private keys
      and could lead to a DoS attack or memory corruption for applications that
      receive DSA private keys from untrusted sources.  This scenario is considered
      rare.
    </description>
    <advisory url="/news/secadv/20160301.txt"/>
    <reported source="Adam Langley (Google/BoringSSL)" date="20160207"/>
  </issue>
  <issue public="20160301">
    <impact severity="Low"/>
    <cve name="2016-0798"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.1" version="1.0.1q"/>
    <affects base="1.0.1" version="1.0.1r"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <fixed base="1.0.1" version="1.0.1s" date="20160301"/>
    <fixed base="1.0.2" version="1.0.2g" date="20160301"/>

    <description>
      The SRP user database lookup method SRP_VBASE_get_by_user had
      confusing memory management semantics; the returned pointer was sometimes newly
      allocated, and sometimes owned by the callee. The calling code has no way of
      distinguishing these two cases.

      Specifically, SRP servers that configure a secret seed to hide valid
      login information are vulnerable to a memory leak: an attacker
      connecting with an invalid username can cause a memory leak of around
      300 bytes per connection.  Servers that do not configure SRP, or
      configure SRP but do not configure a seed are not vulnerable.

      In Apache, the seed directive is known as SSLSRPUnknownUserSeed.

      To mitigate the memory leak, the seed handling in
      SRP_VBASE_get_by_user is now disabled even if the user has configured
      a seed.  Applications are advised to migrate to
      SRP_VBASE_get1_by_user. However, note that OpenSSL makes no strong
      guarantees about the indistinguishability of valid and invalid
      logins. In particular, computations are currently not carried out in
      constant time.
    </description>
    <advisory url="/news/secadv/20160301.txt"/>
    <reported source="Emilia Käsper (OpenSSL)" date="20160223"/>
  </issue>
  <issue public="20160301">
    <impact severity="Low"/>
    <cve name="2016-0797"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.1" version="1.0.1q"/>
    <affects base="1.0.1" version="1.0.1r"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <fixed base="1.0.1" version="1.0.1s" date="20160301"/>
    <fixed base="1.0.2" version="1.0.2g" date="20160301"/>

    <description>
      In the BN_hex2bn function the number of hex digits is calculated using an int
      value |i|. Later |bn_expand| is called with a value of |i * 4|. For large values
      of |i| this can result in |bn_expand| not allocating any memory because |i * 4|
      is negative. This can leave the internal BIGNUM data field as NULL leading to a
      subsequent NULL ptr deref. For very large values of |i|, the calculation |i * 4|
      could be a positive value smaller than |i|. In this case memory is allocated to
      the internal BIGNUM data field, but it is insufficiently sized leading to heap
      corruption. A similar issue exists in BN_dec2bn. This could have security
      consequences if BN_hex2bn/BN_dec2bn is ever called by user applications with
      very large untrusted hex/dec data. This is anticipated to be a rare occurrence.

      All OpenSSL internal usage of these functions use data that is not expected to
      be untrusted, e.g. config file data or application command line arguments. If
      user developed applications generate config file data based on untrusted data
      then it is possible that this could also lead to security consequences. This is
      also anticipated to be rare.
    </description>
    <advisory url="/news/secadv/20160301.txt"/>
    <reported source="Guido Vranken" date="20160219"/>
  </issue>
  <issue public="20160301">
    <impact severity="Low"/>
    <cve name="2016-0799"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.1" version="1.0.1q"/>
    <affects base="1.0.1" version="1.0.1r"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <fixed base="1.0.1" version="1.0.1s" date="20160301"/>
    <fixed base="1.0.2" version="1.0.2g" date="20160301"/>

    <description>
      The internal |fmtstr| function used in processing a "%s" format string in the
      BIO_*printf functions could overflow while calculating the length of a string
      and cause an OOB read when printing very long strings.

      Additionally the internal |doapr_outch| function can attempt to write to an OOB
      memory location (at an offset from the NULL pointer) in the event of a memory
      allocation failure. In 1.0.2 and below this could be caused where the size of a
      buffer to be allocated is greater than INT_MAX. E.g. this could be in processing
      a very long "%s" format string. Memory leaks can also occur.

      The first issue may mask the second issue dependent on compiler behaviour.
      These problems could enable attacks where large amounts of untrusted data is
      passed to the BIO_*printf functions. If applications use these functions in this
      way then they could be vulnerable. OpenSSL itself uses these functions when
      printing out human-readable dumps of ASN.1 data. Therefore applications that
      print this data could be vulnerable if the data is from untrusted sources.
      OpenSSL command line applications could also be vulnerable where they print out
      ASN.1 data, or if untrusted data is passed as command line arguments.

      Libssl is not considered directly vulnerable. Additionally certificates etc
      received via remote connections via libssl are also unlikely to be able to
      trigger these issues because of message size limits enforced within libssl.
    </description>
    <advisory url="/news/secadv/20160301.txt"/>
    <reported source="Guido Vranken" date="20160223"/>
  </issue>
  <issue public="20160301">
    <impact severity="Low"/>
    <cve name="2016-0702"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.1" version="1.0.1q"/>
    <affects base="1.0.1" version="1.0.1r"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <affects base="1.0.2" version="1.0.2f"/>
    <fixed base="1.0.1" version="1.0.1s" date="20160301"/>
    <fixed base="1.0.2" version="1.0.2g" date="20160301"/>

    <description>
      A side-channel attack was found which makes use of cache-bank conflicts on the
      Intel Sandy-Bridge microarchitecture which could lead to the recovery of RSA
      keys.  The ability to exploit this issue is limited as it relies on an attacker
      who has control of code in a thread running on the same hyper-threaded core as
      the victim thread which is performing decryptions.
    </description>
    <advisory url="/news/secadv/20160301.txt"/>
    <reported source="Yuval Yarom, The University of Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and Nadia Heninger, University of Pennsylvania" date="20160108"/>
  </issue>
  <issue public="20160301">
    <impact severity="High"/>
    <cve name="2016-0703"/>

    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="0.9.8" version="0.9.8zb"/>
    <affects base="0.9.8" version="0.9.8zc"/>
    <affects base="0.9.8" version="0.9.8zd"/>
    <affects base="0.9.8" version="0.9.8ze"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.0" version="1.0.0o"/>
    <affects base="1.0.0" version="1.0.0p"/>
    <affects base="1.0.0" version="1.0.0q"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.2" version="1.0.2"/>
    <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
    <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
    <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
    <fixed base="1.0.2" version="1.0.2a" date="20150319"/>

    <description>
      This issue only affected versions of OpenSSL prior to March 19th 2015 at which
      time the code was refactored to address vulnerability CVE-2015-0293.

      s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If
      clear-key bytes are present for these ciphers, they *displace* encrypted-key
      bytes. This leads to an efficient divide-and-conquer key recovery attack: if an
      eavesdropper has intercepted an SSLv2 handshake, they can use the server as an
      oracle to determine the SSLv2 master-key, using only 16 connections to the
      server and negligible computation.

      More importantly, this leads to a more efficient version of DROWN that is
      effective against non-export ciphersuites, and requires no significant
      computation.
    </description>
    <advisory url="/news/secadv/20160301.txt"/>
    <reported source="David Adrian and J.Alex Halderman (University of Michigan)" date="20160210"/>
  </issue>
  <issue public="20160301">
    <impact severity="Moderate"/>
    <cve name="2016-0704"/>

    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="0.9.8" version="0.9.8zb"/>
    <affects base="0.9.8" version="0.9.8zc"/>
    <affects base="0.9.8" version="0.9.8zd"/>
    <affects base="0.9.8" version="0.9.8ze"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.0" version="1.0.0o"/>
    <affects base="1.0.0" version="1.0.0p"/>
    <affects base="1.0.0" version="1.0.0q"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.2" version="1.0.2"/>
    <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
    <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
    <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
    <fixed base="1.0.2" version="1.0.2a" date="20150319"/>

    <description>
      This issue only affected versions of OpenSSL prior to March 19th 2015 at which
      time the code was refactored to address the vulnerability CVE-2015-0293.

      s2_srvr.c overwrite the wrong bytes in the master-key when applying
      Bleichenbacher protection for export cipher suites.  This provides a
      Bleichenbacher oracle, and could potentially allow more efficient variants of
      the DROWN attack.
    </description>
    <advisory url="/news/secadv/20160301.txt"/>
    <reported source="David Adrian and J.Alex Halderman (University of Michigan)" date="20160210"/>
  </issue>
  <issue public="20160128">
    <impact severity="High"/>
    <cve name="2016-0701"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <fixed base="1.0.2" version="1.0.2f" date="2016-0701"/>

    <description>
      Historically OpenSSL usually only ever generated DH parameters based on "safe"
      primes. More recently (in version 1.0.2) support was provided for generating
      X9.42 style parameter files such as those required for RFC 5114 support. The
      primes used in such files may not be "safe". Where an application is using DH
      configured with parameters based on primes that are not "safe" then an attacker
      could use this fact to find a peer's private DH exponent. This attack requires
      that the attacker complete multiple handshakes in which the peer uses the same
      private DH exponent. For example this could be used to discover a TLS server's
      private DH exponent if it's reusing the private DH exponent or it's using a
      static DH ciphersuite.

      OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS.
      It is not on by default. If the option is not set then the server reuses the
      same private DH exponent for the life of the server process and would be
      vulnerable to this attack. It is believed that many popular applications do set
      this option and would therefore not be at risk.

      OpenSSL before 1.0.2f will reuse the key if:
      - SSL_CTX_set_tmp_dh()/SSL_set_tmp_dh() is used and SSL_OP_SINGLE_DH_USE is not
        set.
      - SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used, and both the
        parameters and the key are set and SSL_OP_SINGLE_DH_USE is not used. This is
        an undocumted feature and parameter files don't contain the key.
      - Static DH ciphersuites are used. The key is part of the certificate and
        so it will always reuse it. This is only supported in 1.0.2.

      It will not reuse the key for DHE ciphers suites if:
      - SSL_OP_SINGLE_DH_USE is set
      - SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used and the
        callback does not provide the key, only the parameters. The callback is
        almost always used like this.

      Non-safe primes are generated by OpenSSL when using:
      - genpkey with the dh_rfc5114 option. This will write an X9.42 style file
        including the prime-order subgroup size "q". This is supported since the 1.0.2
        version. Older versions can't read files generated in this way.
      - dhparam with the -dsaparam option. This has always been documented as
        requiring the single use.

      The fix for this issue adds an additional check where a "q" parameter is
      available (as is the case in X9.42 based parameters). This detects the
      only known attack, and is the only possible defense for static DH ciphersuites.
      This could have some performance impact.

      Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by default
      and cannot be disabled. This could have some performance impact.
    </description>
    <advisory url="/news/secadv/20160128.txt"/>
    <reported source="Antonio Sanso (Adobe)" date="20160112"/>
  </issue>
  <issue public="20160128">
    <impact severity="Low"/>
    <cve name="2015-3197"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.1" version="1.0.1q"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <affects base="1.0.2" version="1.0.2e"/>
    <fixed base="1.0.1" version="1.0.1r" date="20160128"/>
    <fixed base="1.0.2" version="1.0.2f" date="20160128"/>

    <description>
      A malicious client can negotiate SSLv2 ciphers that have been disabled on the
      server and complete SSLv2 handshakes even if all SSLv2 ciphers have been
      disabled, provided that the SSLv2 protocol was not also disabled via
      SSL_OP_NO_SSLv2.
    </description>
    <advisory url="/news/secadv/20160128.txt"/>
    <reported source="Nimrod Aviram and Sebastian Schinzel" date="20151226"/>
  </issue>
  <issue public="20150811">
    <impact severity="Low"/>
    <cve name="2015-1794"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <fixed base="1.0.2" version="1.0.2e" date="20151203"/>

    <description>
      If a client receives a ServerKeyExchange for an anonymous DH ciphersuite with
      the value of p set to 0 then a seg fault can occur leading to a possible denial
      of service attack.
    </description>
    <advisory url="/news/secadv/20151203.txt"/>
    <reported source="Guy Leaver (Cisco)" date="20150803"/>
  </issue>
  <issue public="20151203">
    <cve name="2015-3193"/>
    <impact severity="Moderate"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <fixed base="1.0.2" version="1.0.2e" date="20151203"/>

    <description>
      There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No
      EC algorithms are affected. Analysis suggests that attacks against RSA and DSA
      as a result of this defect would be very difficult to perform and are not
      believed likely. Attacks against DH are considered just feasible (although very
      difficult) because most of the work necessary to deduce information
      about a private key may be performed offline. The amount of resources
      required for such an attack would be very significant and likely only
      accessible to a limited number of attackers. An attacker would
      additionally need online access to an unpatched system using the target
      private key in a scenario with persistent DH parameters and a private
      key that is shared between multiple clients. For example this can occur by
      default in OpenSSL DHE based SSL/TLS ciphersuites.
    </description>
    <advisory url="/news/secadv/20151203.txt"/>
    <reported source="Hanno Böck" date="20150813"/>
  </issue>
  <issue public="20151203">
    <cve name="2015-3194"/>
    <impact severity="Moderate"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <fixed base="1.0.2" version="1.0.2e" date="20151203"/>
    <fixed base="1.0.1" version="1.0.1q" date="20151203"/>

    <description>
      The signature verification routines will crash with a NULL pointer dereference
      if presented with an ASN.1 signature using the RSA PSS algorithm and absent
      mask generation function parameter. Since these routines are used to verify
      certificate signature algorithms this can be used to crash any certificate
      verification operation and exploited in a DoS attack. Any application which
      performs certificate verification is vulnerable including OpenSSL clients and
      servers which enable client authentication.
    </description>
    <advisory url="/news/secadv/20151203.txt"/>
    <reported source="Loïc Jonas Etienne (Qnective AG)" date="20150827"/>
  </issue>
  <issue public="20151203">
    <cve name="2015-3195"/>
    <impact severity="Moderate"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="0.9.8" version="0.9.8zb"/>
    <affects base="0.9.8" version="0.9.8zc"/>
    <affects base="0.9.8" version="0.9.8zd"/>
    <affects base="0.9.8" version="0.9.8ze"/>
    <affects base="0.9.8" version="0.9.8zf"/>
    <affects base="0.9.8" version="0.9.8zg"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0h"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.0" version="1.0.0o"/>
    <affects base="1.0.0" version="1.0.0p"/>
    <affects base="1.0.0" version="1.0.0q"/>
    <affects base="1.0.0" version="1.0.0r"/>
    <affects base="1.0.0" version="1.0.0s"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.1" version="1.0.1p"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <affects base="1.0.2" version="1.0.2d"/>
    <fixed base="1.0.2" version="1.0.2e" date="20151203"/>
    <fixed base="1.0.1" version="1.0.1q" date="20151203"/>
    <fixed base="1.0.0" version="1.0.0t" date="20151203"/>
    <fixed base="0.9.8" version="0.9.8zh" date="20151203"/>

    <description>
      When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
      memory. This structure is used by the PKCS#7 and CMS routines so any
      application which reads PKCS#7 or CMS data from untrusted sources is affected.
      SSL/TLS is not affected.
    </description>
    <advisory url="/news/secadv/20151203.txt"/>
    <reported source="Adam Langley (Google/BoringSSL) using libFuzzer" date="20151109"/>
  </issue>
  <issue public="20151203">
    <cve name="2015-3196"/>
    <impact severity="Low"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0h"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.0" version="1.0.0o"/>
    <affects base="1.0.0" version="1.0.0p"/>
    <affects base="1.0.0" version="1.0.0q"/>
    <affects base="1.0.0" version="1.0.0r"/>
    <affects base="1.0.0" version="1.0.0s"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <fixed base="1.0.2" version="1.0.2d" date="20150709"/>
    <fixed base="1.0.1" version="1.0.1p" date="20150709"/>
    <fixed base="1.0.0" version="1.0.0t" date="20151203"/>

    <description>
      If PSK identity hints are received by a multi-threaded client then
      the values are wrongly updated in the parent SSL_CTX structure. This can
      result in a race condition potentially leading to a double free of the
      identify hint data.
    </description>
    <advisory url="/news/secadv/20151203.txt"/>
    <reported source="Stephen Henson (OpenSSL)"/>
  </issue>

  <issue public="20150709">
    <cve name="2015-1793"/>
    <impact severity="High"/>
    <affects base="1.0.1" version="1.0.1n"/>
    <affects base="1.0.1" version="1.0.1o"/>
    <affects base="1.0.2" version="1.0.2b"/>
    <affects base="1.0.2" version="1.0.2c"/>
    <fixed base="1.0.2" version="1.0.2d" date="20150709"/>
    <fixed base="1.0.1" version="1.0.1p" date="20150709"/>

    <description>
      An error in the implementation of the alternative certificate
      chain logic could allow an attacker to cause certain checks on
      untrusted certificates to be bypassed, such as the CA flag,
      enabling them to use a valid leaf certificate to act as a CA and
      "issue" an invalid certificate.
    </description>
    <advisory url="/news/secadv/20150709.txt"/>
    <reported source="Adam Langley and David Benjamin (Google/BoringSSL)" date="20150624"/>
  </issue>
  <issue public="20150611">
    <cve name="2015-1788"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <fixed base="1.0.2" version="1.0.2b" date="20150611"/>
    <fixed base="1.0.1" version="1.0.1n" date="20150611"/>
    <fixed base="1.0.0" version="1.0.0e" date="20110906"/>
    <fixed base="0.9.8" version="0.9.8s" date="20120104"/>

    <description>
      When processing an ECParameters structure OpenSSL enters an infinite loop if
      the curve specified is over a specially malformed binary polynomial field.

      This can be used to perform denial of service against any
      system which processes public keys, certificate requests or
      certificates.  This includes TLS clients and TLS servers with
      client authentication enabled.
    </description>
    <advisory url="/news/secadv/20150611.txt"/>
    <reported source="Joseph Birr-Pixton" date="20150406"/>
  </issue>

  <issue public="20150611">
    <cve name="2015-1789"/>
    <impact severity="Moderate"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="0.9.8" version="0.9.8zb"/>
    <affects base="0.9.8" version="0.9.8zc"/>
    <affects base="0.9.8" version="0.9.8zd"/>
    <affects base="0.9.8" version="0.9.8ze"/>
    <affects base="0.9.8" version="0.9.8zf"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.0" version="1.0.0o"/>
    <affects base="1.0.0" version="1.0.0p"/>
    <affects base="1.0.0" version="1.0.0q"/>
    <affects base="1.0.0" version="1.0.0r"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <fixed base="1.0.2" version="1.0.2b" date="20150611"/>
    <fixed base="1.0.1" version="1.0.1n" date="20150611"/>
    <fixed base="1.0.0" version="1.0.0s" date="20150611"/>
    <fixed base="0.9.8" version="0.9.8zg" date="20150611"/>

    <description>
      X509_cmp_time does not properly check the length of the ASN1_TIME
      string and can read a few bytes out of bounds. In addition,
      X509_cmp_time accepts an arbitrary number of fractional seconds in the
      time string.

      An attacker can use this to craft malformed certificates and CRLs of
      various sizes and potentially cause a segmentation fault, resulting in
      a DoS on applications that verify certificates or CRLs. TLS clients
      that verify CRLs are affected. TLS clients and servers with client
      authentication enabled may be affected if they use custom verification
      callbacks.
    </description>
    <advisory url="/news/secadv/20150611.txt"/>
    <reported source="Robert Święcki (Google Security Team)" date="20150408"/>
    <reported source="Hanno Böck" date="20150411"/>    
  </issue>

  <issue public="20150611">
    <cve name="2015-1790"/>
    <impact severity="Moderate"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="0.9.8" version="0.9.8zb"/>
    <affects base="0.9.8" version="0.9.8zc"/>
    <affects base="0.9.8" version="0.9.8zd"/>
    <affects base="0.9.8" version="0.9.8ze"/>
    <affects base="0.9.8" version="0.9.8zf"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.0" version="1.0.0o"/>
    <affects base="1.0.0" version="1.0.0p"/>
    <affects base="1.0.0" version="1.0.0q"/>
    <affects base="1.0.0" version="1.0.0r"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <fixed base="1.0.2" version="1.0.2b" date="20150611"/>
    <fixed base="1.0.1" version="1.0.1n" date="20150611"/>
    <fixed base="1.0.0" version="1.0.0s" date="20150611"/>
    <fixed base="0.9.8" version="0.9.8zg" date="20150611"/>

    <description>
      The PKCS#7 parsing code does not handle missing inner EncryptedContent
      correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
      with missing content and trigger a NULL pointer dereference on parsing.

      Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
      structures from untrusted sources are affected. OpenSSL clients and
      servers are not affected.
    </description>
    <advisory url="/news/secadv/20150611.txt"/>
    <reported source="Michal Zalewski (Google)" date="20150418"/>
  </issue>

  <issue public="20150611">
    <cve name="2015-1792"/>
    <impact severity="Moderate"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="0.9.8" version="0.9.8zb"/>
    <affects base="0.9.8" version="0.9.8zc"/>
    <affects base="0.9.8" version="0.9.8zd"/>
    <affects base="0.9.8" version="0.9.8ze"/>
    <affects base="0.9.8" version="0.9.8zf"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.0" version="1.0.0o"/>
    <affects base="1.0.0" version="1.0.0p"/>
    <affects base="1.0.0" version="1.0.0q"/>
    <affects base="1.0.0" version="1.0.0r"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <fixed base="1.0.2" version="1.0.2b" date="20150611"/>
    <fixed base="1.0.1" version="1.0.1n" date="20150611"/>
    <fixed base="1.0.0" version="1.0.0s" date="20150611"/>
    <fixed base="0.9.8" version="0.9.8zg" date="20150611"/>

    <description>
      When verifying a signedData message the CMS code can enter an infinite loop
      if presented with an unknown hash function OID.

      This can be used to perform denial of service against any system which
      verifies signedData messages using the CMS code.
    </description>
    <advisory url="/news/secadv/20150611.txt"/>
    <reported source="Johannes Bauer" date="20150331"/>
  </issue>

  <issue public="20150602">
    <cve name="2015-1791"/>
    <impact severity="Low"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="0.9.8" version="0.9.8zb"/>
    <affects base="0.9.8" version="0.9.8zc"/>
    <affects base="0.9.8" version="0.9.8zd"/>
    <affects base="0.9.8" version="0.9.8ze"/>
    <affects base="0.9.8" version="0.9.8zf"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.0" version="1.0.0o"/>
    <affects base="1.0.0" version="1.0.0p"/>
    <affects base="1.0.0" version="1.0.0q"/>
    <affects base="1.0.0" version="1.0.0r"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.1" version="1.0.1m"/>
    <affects base="1.0.2" version="1.0.2"/>
    <affects base="1.0.2" version="1.0.2a"/>
    <fixed base="1.0.2" version="1.0.2b" date="20150611"/>
    <fixed base="1.0.1" version="1.0.1n" date="20150611"/>
    <fixed base="1.0.0" version="1.0.0s" date="20150611"/>
    <fixed base="0.9.8" version="0.9.8zg" date="20150611"/>

    <description>
      If a NewSessionTicket is received by a multi-threaded client when attempting to
      reuse a previous ticket then a race condition can occur potentially leading to
      a double free of the ticket data.
    </description>
    <advisory url="/news/secadv/20150611.txt"/>
    <reported source="Emilia Käsper (OpenSSL)"/>
  </issue>

  <issue public="20150611">
    <cve name="2014-8176"/>
    <impact severity="Moderate"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <fixed base="1.0.1" version="1.0.1h" date="20140605"/>
    <fixed base="1.0.0" version="1.0.0m" date="20140605"/>
    <fixed base="0.9.8" version="0.9.8za" date="20140605"/>
    <description>
      This vulnerability does not affect current versions of OpenSSL. It
      existed in previous OpenSSL versions and was fixed in June 2014.

      If a DTLS peer receives application data between the ChangeCipherSpec
      and Finished messages, buffering of such data may cause an invalid
      free, resulting in a segmentation fault or potentially, memory
      corruption.
    </description>
    <advisory url="/news/secadv/20150611.txt"/>
    <reported source="Praveen Kariyanahalli, and subsequently by Ivan Fratric and Felix Groebert (Google)" date="20140328"/>
  </issue>
  <issue public="20150319">
    <impact severity="High"/>
    <cve name="2015-0291"/>
    <affects base="1.0.2" version="1.0.2"/>
    <fixed base="1.0.2" version="1.0.2a" date="20150319"/>

    <description>
ClientHello sigalgs DoS.  If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
invalid signature algorithms extension a NULL pointer dereference will occur.
This can be exploited in a DoS attack against the server.
    </description>
    <advisory url="/news/secadv/20150319.txt"/>
    <reported source=" David Ramos (Stanford University)" date="20150226"/>
  </issue>

  <issue public="20150319">
    <cve name="2015-0290"/>
    <impact severity="Moderate"/>
    <affects base="1.0.2" version="1.0.2"/>
    <fixed base="1.0.2" version="1.0.2a" date="20150319"/>

    <description>
Multiblock corrupted pointer.
OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This feature
only applies on 64 bit x86 architecture platforms that support AES NI
instructions. A defect in the implementation of "multiblock" can cause OpenSSL's
internal write buffer to become incorrectly set to NULL when using non-blocking
IO. Typically, when the user application is using a socket BIO for writing, this
will only result in a failed connection. However if some other BIO is used then
it is likely that a segmentation fault will be triggered, thus enabling a
potential DoS attack.
    </description>
    <advisory url="/news/secadv/20150319.txt"/>
    <reported source="Daniel Danner and Rainer Mueller" date="20150213"/>
  </issue>

  <issue public="20150319">
    <cve name="2015-0207"/>
    <impact severity="Moderate"/>
    <affects base="1.0.2" version="1.0.2"/>
    <fixed base="1.0.2" version="1.0.2a" date="20150319"/>

    <description>
Segmentation fault in DTLSv1_listen. 
A defect in the implementation of DTLSv1_listen means that state is preserved in
the SSL object from one invocation to the next that can lead to a segmentation
fault. Errors processing the initial ClientHello can trigger this scenario. An
example of such an error could be that a DTLS1.0 only client is attempting to
connect to a DTLS1.2 only server.
    </description>
    <advisory url="/news/secadv/20150319.txt"/>
    <reported source="Per Allansson" date="20150127"/>
  </issue>

  <issue public="20150319">
    <cve name="2015-0286"/>
    <impact severity="Moderate"/>
    <affects base="0.9.8" version="0.9.8zd"/>
    <affects base="0.9.8" version="0.9.8ze"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.0" version="1.0.0o"/>
    <affects base="1.0.0" version="1.0.0p"/>
    <affects base="1.0.0" version="1.0.0q"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.2" version="1.0.2"/>
    <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
    <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
    <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
    <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>

    <description>
Segmentation fault in ASN1_TYPE_cmp.
The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
certificate signature algorithm consistency this can be used to crash any
certificate verification operation and exploited in a DoS attack. Any
application which performs certificate verification is vulnerable including
OpenSSL clients and servers which enable client authentication.
    </description>
    <advisory url="/news/secadv/20150319.txt"/>
    <reported source="Stephen Henson (OpenSSL development team)"/>
  </issue>

  <issue public="20150319">
    <cve name="2015-0208"/>
    <impact severity="Moderate"/>
    <affects base="1.0.2" version="1.0.2"/>
    <fixed base="1.0.2" version="1.0.2a" date="20150319"/>

    <description>
Segmentation fault for invalid PSS parameters.
The signature verification routines will crash with a NULL pointer
dereference if presented with an ASN.1 signature using the RSA PSS
algorithm and invalid parameters. Since these routines are used to verify
certificate signature algorithms this can be used to crash any
certificate verification operation and exploited in a DoS attack. Any
application which performs certificate verification is vulnerable including
OpenSSL clients and servers which enable client authentication.
    </description>
    <advisory url="/news/secadv/20150319.txt"/>
    <reported source="Brian Carpenter" date="20150131"/>
  </issue>

  <issue public="20150319">
    <cve name="2015-0287"/>
    <impact severity="Moderate"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="0.9.8" version="0.9.8zb"/>
    <affects base="0.9.8" version="0.9.8zc"/>
    <affects base="0.9.8" version="0.9.8zd"/>
    <affects base="0.9.8" version="0.9.8ze"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.0" version="1.0.0o"/>
    <affects base="1.0.0" version="1.0.0p"/>
    <affects base="1.0.0" version="1.0.0q"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.2" version="1.0.2"/>
    <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
    <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
    <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
    <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>

    <description>
ASN.1 structure reuse memory corruption.
Reusing a structure in ASN.1 parsing may allow an attacker to cause
memory corruption via an invalid write. Such reuse is and has been
strongly discouraged and is believed to be rare.
    </description>
    <advisory url="/news/secadv/20150319.txt"/>
    <reported source="Emilia Käsper (OpenSSL development team)"/>
  </issue>

  <issue public="20150319">
    <cve name="2015-0289"/>
    <impact severity="Moderate"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="0.9.8" version="0.9.8zb"/>
    <affects base="0.9.8" version="0.9.8zc"/>
    <affects base="0.9.8" version="0.9.8zd"/>
    <affects base="0.9.8" version="0.9.8ze"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.0" version="1.0.0o"/>
    <affects base="1.0.0" version="1.0.0p"/>
    <affects base="1.0.0" version="1.0.0q"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.2" version="1.0.2"/>
    <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
    <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
    <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
    <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>

    <description>
PKCS#7 NULL pointer dereference.
The PKCS#7 parsing code does not handle missing outer ContentInfo correctly.
An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
missing content and trigger a NULL pointer dereference on parsing.
Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
otherwise parse PKCS#7 structures from untrusted sources are
affected. OpenSSL clients and servers are not affected.
    </description>
    <advisory url="/news/secadv/20150319.txt"/>
    <reported source="Michal Zalewski (Google)" date="20150216"/>
  </issue>

  <issue public="20150319">
    <cve name="2015-0292"/>
    <impact severity="Moderate"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <fixed base="1.0.1" version="1.0.1h" date="20140605"/>
    <fixed base="1.0.0" version="1.0.0m" date="20140605"/>
    <fixed base="0.9.8" version="0.9.8za" date="20140605"/>

    <description>
A vulnerability existed in previous versions of OpenSSL related to the
processing of base64 encoded data. Any code path that reads base64 data from an
untrusted source could be affected (such as the PEM processing routines).
Maliciously crafted base 64 data could trigger a segmenation fault or memory
corruption. 
    </description>
    <advisory url="/news/secadv/20150319.txt"/>
    <reported source="Robert Dugal, also David Ramos, also Huzaifa Sidhpurwala (Red Hat)"/>
  </issue>

  <issue public="20150319">
    <cve name="2015-0293"/>
    <impact severity="Moderate"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="0.9.8" version="0.9.8zb"/>
    <affects base="0.9.8" version="0.9.8zc"/>
    <affects base="0.9.8" version="0.9.8zd"/>
    <affects base="0.9.8" version="0.9.8ze"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.0" version="1.0.0o"/>
    <affects base="1.0.0" version="1.0.0p"/>
    <affects base="1.0.0" version="1.0.0q"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.2" version="1.0.2"/>
    <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
    <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
    <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
    <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>

    <description>
DoS via reachable assert in SSLv2 servers.
A malicious client can trigger an OPENSSL_assert in
servers that both support SSLv2 and enable export cipher suites by sending
a specially crafted SSLv2 CLIENT-MASTER-KEY message.
    </description>
    <advisory url="/news/secadv/20150319.txt"/>
    <reported source="Sean Burford (Google) and Emilia Käsper (OpenSSL development team)"/>
  </issue>

  <issue public="20150319">
    <impact severity="Moderate"/>
    <cve name="2015-1787"/>
    <affects base="1.0.2" version="1.0.2"/>
    <fixed base="1.0.2" version="1.0.2a" date="20150319"/>

    <description>
Empty CKE with client auth and DHE.
If client auth is used then a server can seg fault in the event of a DHE
ciphersuite being selected and a zero length ClientKeyExchange message being
sent by the client. This could be exploited in a DoS attack.
    </description>
    <advisory url="/news/secadv/20150319.txt"/>
    <reported source="Matt Caswell (OpenSSL development team)"/>
  </issue>

  <issue public="20150310">
    <impact severity="Low"/>
    <cve name="2015-0285"/>
    <affects base="1.0.2" version="1.0.2"/>
    <fixed base="1.0.2" version="1.0.2a" date="20150319"/>

    <description>
Under certain conditions an OpenSSL 1.0.2 client can complete a handshake with
an unseeded PRNG. If the handshake succeeds then the client random that has been used will have
been generated from a PRNG with insufficient entropy and therefore the output
may be predictable.
    </description>
    <advisory url="/news/secadv/20150319.txt"/>
    <reported source="Matt Caswell (OpenSSL development team)"/>
  </issue>

  <issue public="20150319">
    <impact severity="Low"/>
    <cve name="2015-0209"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="0.9.8" version="0.9.8zb"/>
    <affects base="0.9.8" version="0.9.8zc"/>
    <affects base="0.9.8" version="0.9.8zd"/>
    <affects base="0.9.8" version="0.9.8ze"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.0" version="1.0.0o"/>
    <affects base="1.0.0" version="1.0.0p"/>
    <affects base="1.0.0" version="1.0.0q"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.2" version="1.0.2"/>
    <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
    <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
    <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
    <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>

    <description>
Use After Free following d2i_ECPrivatekey error.
A malformed EC private key file consumed via the d2i_ECPrivateKey function could
cause a use after free condition. This, in turn, could cause a double
free in several private key parsing functions (such as d2i_PrivateKey
or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
for applications that receive EC private keys from untrusted
sources. This scenario is considered rare.
    </description>
    <advisory url="/news/secadv/20150319.txt"/>
    <reported source="The BoringSSL project"/>
  </issue>

  <issue public="20150302">
    <cve name="2015-0288"/>
    <impact severity="Low"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="0.9.8" version="0.9.8zb"/>
    <affects base="0.9.8" version="0.9.8zc"/>
    <affects base="0.9.8" version="0.9.8zd"/>
    <affects base="0.9.8" version="0.9.8ze"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.0" version="1.0.0o"/>
    <affects base="1.0.0" version="1.0.0p"/>
    <affects base="1.0.0" version="1.0.0q"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <affects base="1.0.1" version="1.0.1k"/>
    <affects base="1.0.1" version="1.0.1l"/>
    <affects base="1.0.2" version="1.0.2"/>
    <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
    <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
    <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
    <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>

    <description>
X509_to_X509_REQ NULL pointer deref.
The function X509_to_X509_REQ will crash with a NULL pointer dereference if
the certificate key is invalid. This function is rarely used in practice.
    </description>
    <advisory url="/news/secadv/20150319.txt"/>
    <reported source="Brian Carpenter"/>
  </issue>

  <issue public="20150108">
    <cve name="2015-0206"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.0" version="1.0.0o"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
    <fixed base="1.0.0" version="1.0.0p" date="20150108"/>

    <description>
      A memory leak can occur in the dtls1_buffer_record function under certain
      conditions. In particular this could occur if an attacker sent repeated
      DTLS records with the same sequence number but for the next epoch. The
      memory leak could be exploited by an attacker in a Denial of Service
      attack through memory exhaustion.
    </description>
    <advisory url="/news/secadv/20150108.txt"/>
    <reported source="Chris Mueller"/>
  </issue>

  <issue public="20141021">
    <cve name="2014-3569"/>
    <affects base="0.9.8" version="0.9.8zc"/>
    <affects base="1.0.0" version="1.0.0o"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
    <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
    <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>

    <description>
      When openssl is built with the no-ssl3 option and a SSL v3 ClientHello is
      received the ssl method would be set to NULL which could later result in
      a NULL pointer dereference.
    </description>
    <advisory url="/news/secadv/20150108.txt"/>
    <reported source="Frank Schmirler"/>
  </issue>

  <issue public="20150105">
    <cve name="2014-3572"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="0.9.8" version="0.9.8zb"/>
    <affects base="0.9.8" version="0.9.8zc"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.0" version="1.0.0o"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
    <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
    <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>

    <description>
      An OpenSSL client will accept a handshake using an ephemeral ECDH
      ciphersuite using an ECDSA certificate if the server key exchange message
      is omitted. This effectively removes forward secrecy from the ciphersuite.
    </description>
    <advisory url="/news/secadv/20150108.txt"/>
    <reported source="Karthikeyan Bhargavan of the PROSECCO team at INRIA"/>
  </issue>

  <issue public="20150106">
    <cve name="2015-0204"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="0.9.8" version="0.9.8zb"/>
    <affects base="0.9.8" version="0.9.8zc"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.0" version="1.0.0o"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
    <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
    <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>

    <description>
      An OpenSSL client will accept the use of an RSA temporary key in a
      non-export RSA key exchange ciphersuite. A server could present a weak
      temporary key and downgrade the security of the session.
    </description>
    <advisory url="/news/secadv/20150108.txt"/>
    <reported source="Karthikeyan Bhargavan of the PROSECCO team at INRIA"/>
  </issue>

  <issue public="20150108">
    <cve name="2015-0205"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.0" version="1.0.0o"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
    <fixed base="1.0.0" version="1.0.0p" date="20150108"/>

    <description>
      An OpenSSL server will accept a DH certificate for client authentication
      without the certificate verify message. This effectively allows a client
      to authenticate without the use of a private key. This only affects
      servers which trust a client certificate authority which issues
      certificates containing DH keys: these are extremely rare and hardly ever
      encountered.
    </description>
    <advisory url="/news/secadv/20150108.txt"/>
    <reported source="Karthikeyan Bhargavan of the PROSECCO team at INRIA"/>
  </issue>

  <issue public="20150105">
    <cve name="2014-8275"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="0.9.8" version="0.9.8zb"/>
    <affects base="0.9.8" version="0.9.8zc"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.0" version="1.0.0o"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
    <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
    <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>

    <description>
      OpenSSL accepts several non-DER-variations of certificate signature
      algorithm and signature encodings. OpenSSL also does not enforce a
      match between the signature algorithm between the signed and unsigned
      portions of the certificate. By modifying the contents of the
      signature algorithm or the encoding of the signature, it is possible
      to change the certificate's fingerprint.

      This does not allow an attacker to forge certificates, and does not
      affect certificate verification or OpenSSL servers/clients in any other
      way. It also does not affect common revocation mechanisms. Only custom
      applications that rely on the uniqueness of the fingerprint (e.g.
      certificate blacklists) may be affected.
    </description>
    <advisory url="/news/secadv/20150108.txt"/>
    <reported source="Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS program/Konrad Kraszewski from Google"/>
  </issue>

  <issue public="20150108">
    <cve name="2014-3570"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="0.9.8" version="0.9.8zb"/>
    <affects base="0.9.8" version="0.9.8zc"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.0" version="1.0.0o"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <affects base="1.0.1" version="1.0.1j"/>
    <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
    <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
    <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>

    <description>
      Bignum squaring (BN_sqr) may produce incorrect results on some platforms,
      including x86_64. This bug occurs at random with a very low probability,
      and is not known to be exploitable in any way, though its exact impact is
      difficult to determine. The following has been determined:

      *) The probability of BN_sqr producing an incorrect result at random is
      very low: 1/2^64 on the single affected 32-bit platform (MIPS) and 1/2^128
      on affected 64-bit platforms.
      *) On most platforms, RSA follows a different code path and RSA operations
      are not affected at all. For the remaining platforms (e.g. OpenSSL built
      without assembly support), pre-existing countermeasures thwart bug
      attacks [1].
      *) Static ECDH is theoretically affected: it is possible to construct
      elliptic curve points that would falsely appear to be on the given curve.
      However, there is no known computationally feasible way to construct such
      points with low order, and so the security of static ECDH private keys is
      believed to be unaffected.
      *) Other routines known to be theoretically affected are modular
      exponentiation, primality testing, DSA, RSA blinding, JPAKE and SRP. No
      exploits are known and straightforward bug attacks fail - either the
      attacker cannot control when the bug triggers, or no private key material
      is involved.
    </description>
    <advisory url="/news/secadv/20150108.txt"/>
    <reported source="Pieter Wuille (Blockstream)"/>
  </issue>

  <issue public="20141015">
    <cve name="2014-3513"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <fixed base="1.0.1" version="1.0.1j" date="20141015"/>
    <description>
      A flaw in the DTLS SRTP extension parsing code allows an attacker, who
      sends a carefully crafted handshake message, to cause OpenSSL to fail
      to free up to 64k of memory causing a memory leak. This could be
      exploited in a Denial Of Service attack. This issue affects OpenSSL
      1.0.1 server implementations for both SSL/TLS and DTLS regardless of
      whether SRTP is used or configured. Implementations of OpenSSL that
      have been compiled with OPENSSL_NO_SRTP defined are not affected.
    </description>
    <advisory url="/news/secadv/20141015.txt"/>
    <reported source="LibreSSL project"/>
  </issue>

  <issue public="20141015">
    <cve name="2014-3567"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="0.9.8" version="0.9.8zb"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <fixed base="1.0.1" version="1.0.1j" date="20140806"/>
    <fixed base="1.0.0" version="1.0.0o" date="20140806"/>
    <fixed base="0.9.8" version="0.9.8zc" date="20140806"/>
    <description>
      When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
      integrity of that ticket is first verified. In the event of a session
      ticket integrity check failing, OpenSSL will fail to free memory
      causing a memory leak. By sending a large number of invalid session
      tickets an attacker could exploit this issue in a Denial Of Service
      attack.
    </description>
    <advisory url="/news/secadv/20141015.txt"/>
  </issue>
  <issue public="20141015">
    <cve name=""/>  <!-- this is deliberate -->
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="0.9.8" version="0.9.8zb"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <fixed base="1.0.1" version="1.0.1j" date="20140806"/>
    <fixed base="1.0.0" version="1.0.0o" date="20140806"/>
    <fixed base="0.9.8" version="0.9.8zc" date="20140806"/>
    <description>
      OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
      to block the ability for a MITM attacker to force a protocol
      downgrade.
  
      Some client applications (such as browsers) will reconnect using a
      downgraded protocol to work around interoperability bugs in older
      servers. This could be exploited by an active man-in-the-middle to
      downgrade connections to SSL 3.0 even if both sides of the connection
      support higher protocols. SSL 3.0 contains a number of weaknesses
      including POODLE (CVE-2014-3566).
  
      See also
      https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 and
      https://www.openssl.org/~bodo/ssl-poodle.pdf
    </description>
  </issue>

  <issue public="20141015">
    <cve name="2014-3568"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="0.9.8" version="0.9.8zb"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.0" version="1.0.0n"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <affects base="1.0.1" version="1.0.1i"/>
    <fixed base="1.0.1" version="1.0.1j" date="20140806"/>
    <fixed base="1.0.0" version="1.0.0o" date="20140806"/>
    <fixed base="0.9.8" version="0.9.8zc" date="20140806"/>

    <description>
      When OpenSSL is configured with "no-ssl3" as a build option, servers
      could accept and complete a SSL 3.0 handshake, and clients could be
      configured to send them.
    </description>
    <advisory url="/news/secadv/20141015.txt"/>
    <reported source="Akamai Technologies"/>
  </issue>
  <issue public="20140806">
    <cve name="2014-3508"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <fixed base="1.0.1" version="1.0.1i" date="20140806">
    </fixed>
    <fixed base="1.0.0" version="1.0.0n" date="20140806">
    </fixed>
    <fixed base="0.9.8" version="0.9.8zb" date="20140806">
    </fixed>
    <description>
A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline, X509_name_print_ex, to leak some information from the
stack. Applications may be affected if they echo pretty printing output to the
attacker.  OpenSSL SSL/TLS clients and servers themselves are not affected.
    </description>
    <advisory url="/news/secadv/20140806.txt"/>
    <reported source="Ivan Fratric (Google)"/>
  </issue>

  <issue public="20140806">
    <cve name="2014-5139"/>
    <description>
A crash was found affecting SRP ciphersuites used in a Server Hello message.
The issue affects OpenSSL clients and allows a malicious server to crash
the client with a null pointer dereference (read) by specifying an SRP
ciphersuite even though it was not properly negotiated with the client. This 
could lead to a Denial of Service.
    </description>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <fixed base="1.0.1" version="1.0.1i" date="20140806">
    </fixed>
    <advisory url="/news/secadv/20140806.txt"/>
    <reported source="Joonas Kuorilehto and Riku Hietamäki (Codenomicon)"/>
  </issue>

  <issue public="20140806">
    <cve name="2014-3509"/>
    <description>A race condition was found in ssl_parse_serverhello_tlsext.
If a multithreaded client connects to a malicious server using a resumed session
and the server sends an ec point format extension, it could write up to 255 bytes
to freed memory.</description>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <fixed base="1.0.1" version="1.0.1i" date="20140806">
    </fixed>
    <fixed base="1.0.0" version="1.0.0n" date="20140806">
    </fixed>
    <reported source="Gabor Tyukasz (LogMeIn Inc)"/>
    <advisory url="/news/secadv/20140806.txt"/>
  </issue>

  <issue public="20140806">
    <cve name="2014-3505"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <fixed base="1.0.1" version="1.0.1i" date="20140806">
    </fixed>
    <fixed base="1.0.0" version="1.0.0n" date="20140806">
    </fixed>
    <fixed base="0.9.8" version="0.9.8zb" date="20140806">
    </fixed>
    <description>
A Double Free was found when processing DTLS packets.
An attacker can force an error condition which causes openssl to crash whilst
processing DTLS packets due to memory being freed twice. This could lead to a
Denial of Service attack.
    </description>
    <reported source="Adam Langley and Wan-Teh Chang (Google)"/>
    <advisory url="/news/secadv/20140806.txt"/>
  </issue>

  <issue public="20140806">
    <cve name="2014-3506"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <fixed base="1.0.1" version="1.0.1i" date="20140806">
    </fixed>
    <fixed base="1.0.0" version="1.0.0n" date="20140806">
    </fixed>
    <fixed base="0.9.8" version="0.9.8zb" date="20140806">
    </fixed>
    <description>
A DTLS flaw leading to memory exhaustion was found.
An attacker can force openssl to consume large amounts of memory whilst
processing DTLS handshake messages. This could lead to a Denial of 
Service attack.
    </description>
    <reported source="Adam Langley (Google)"/>
    <advisory url="/news/secadv/20140806.txt"/>
  </issue>

  <issue public="20140806">
    <cve name="2014-3507"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <fixed base="1.0.1" version="1.0.1i" date="20140806">
    </fixed>
    <fixed base="1.0.0" version="1.0.0n" date="20140806">
    </fixed>
    <fixed base="0.9.8" version="0.9.8zb" date="20140806">
    </fixed>
    <description>
A DTLS memory leak from zero-length fragments was found.
By sending carefully crafted DTLS packets an attacker could cause OpenSSL to
leak memory. This could lead to a Denial of Service attack.
    </description>
    <reported source="Adam Langley (Google)"/>
    <advisory url="/news/secadv/20140806.txt"/>
  </issue>

  <issue public="20140806">
    <cve name="2014-3510"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="0.9.8" version="0.9.8za"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.0" version="1.0.0m"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <fixed base="1.0.1" version="1.0.1i" date="20140806">
    </fixed>
    <fixed base="1.0.0" version="1.0.0n" date="20140806">
    </fixed>
    <fixed base="0.9.8" version="0.9.8zb" date="20140806">
    </fixed>
    <description>
A flaw in handling DTLS anonymous EC(DH) ciphersuites was found.
OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a
denial of service attack. A malicious server can crash the client with a null
pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and
sending carefully crafted handshake messages.
    </description>
    <reported source="Felix Gröbert (Google)"/>
    <advisory url="/news/secadv/20140806.txt"/>
  </issue>

  <issue public="20140806">
    <cve name="2014-3511"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <fixed base="1.0.1" version="1.0.1i" date="20140806">
    </fixed>
    <description>
A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
TLS 1.0 instead of higher protocol versions when the ClientHello message is
badly fragmented. This allows a man-in-the-middle attacker to force a
downgrade to TLS 1.0 even if both the server and the client support a higher
protocol version, by modifying the client's TLS records.
    </description>
    <reported source="David Benjamin and Adam Langley (Google)"/>
    <advisory url="/news/secadv/20140806.txt"/>
  </issue>

  <issue public="20140806">
    <cve name="2014-3512"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <affects base="1.0.1" version="1.0.1g"/>
    <affects base="1.0.1" version="1.0.1h"/>
    <fixed base="1.0.1" version="1.0.1i" date="20140806">
    </fixed>
    <description>
A SRP buffer overrun was found.
A malicious client or server can send invalid SRP parameters and overrun
an internal buffer. Only applications which are explicitly set up for SRP
use are affected.
    </description>
    <reported source="Sean Devlin and Watson Ladd (Cryptography Services, NCC Group)"/>
    <advisory url="/news/secadv/20140806.txt"/>
  </issue>

  <issue public="20020730">
    <cve name="2002-0655"/>
    <affects base="0.9.6" version="0.9.6"/>
    <affects base="0.9.6" version="0.9.6a"/>
    <affects base="0.9.6" version="0.9.6b"/>
    <affects base="0.9.6" version="0.9.6c"/>
    <affects base="0.9.6" version="0.9.6d"/>
    <fixed base="0.9.6" version="0.9.6e" date="20020730"/>
    <advisory url="/news/secadv/20020730.txt"/>
    <reported source="OpenSSL Group (A.L. Digital)"/>
    <description>
Inproper handling of ASCII representations of integers on
64 bit platforms allowed remote attackers to cause a denial of
service or possibly execute arbitrary code.
    </description>
  </issue>

  <issue public="20020730">
    <cve name="2002-0656"/>
    <affects base="0.9.6" version="0.9.6"/>
    <affects base="0.9.6" version="0.9.6a"/>
    <affects base="0.9.6" version="0.9.6b"/>
    <affects base="0.9.6" version="0.9.6c"/>
    <affects base="0.9.6" version="0.9.6d"/>
    <fixed base="0.9.6" version="0.9.6e" date="20020730"/>
    <advisory url="/news/secadv/20020730.txt"/>
    <reported source="OpenSSL Group (A.L. Digital)"/>
    <description>
A buffer overflow allowed remote attackers to execute
arbitrary code by sending a large client master key in SSL2 or a
large session ID in SSL3.
    </description>
  </issue>

  <issue public="20020730">
    <cve name="2002-0657"/>
    <advisory url="/news/secadv/20020730.txt"/>
    <affects base="0.9.7" version="0.9.7-beta3"/>    
    <fixed base="0.9.7" version="0.9.7" date="20021210"/>    
    <reported source="OpenSSL Group (A.L. Digital)"/>
    <description>
A buffer overflow when Kerberos is enabled allowed attackers
to execute arbitrary code by sending a long master key.  Note that this
flaw did not affect any released version of 0.9.6 or 0.9.7
    </description>
  </issue>

  <issue public="20020730">
    <cve name="2002-0659"/>
    <advisory url="/news/secadv/20020730.txt"/>
    <affects base="0.9.6" version="0.9.6a"/>
    <affects base="0.9.6" version="0.9.6b"/>
    <affects base="0.9.6" version="0.9.6c"/>
    <affects base="0.9.6" version="0.9.6d"/>
    <fixed base="0.9.6" version="0.9.6e" date="20020730"/>
    <description>
A flaw in the ASN1 library allowed remote attackers to cause a denial of 
service by sending invalid encodings.
    </description>
  </issue>

  <issue public="20020808">
    <cve name="2002-1568"/>
    <affects base="0.9.6" version="0.9.6e"/>
    <fixed base="0.9.6" version="0.9.6f" date="20020808">
      <git hash="517a0e7fa0f5453c860a3aec17b678bd55d5aad7"/>
    </fixed>
    <description>
The use of assertions when detecting buffer overflow attacks
allowed remote attackers to cause a denial of service (crash) by
sending certain messages to cause
OpenSSL to abort from a failed assertion, as demonstrated using SSLv2
CLIENT_MASTER_KEY messages, which were not properly handled in
s2_srvr.c.
    </description>
  </issue>

  <issue public="20030219">
    <cve name="2003-0078"/>
    <affects base="0.9.7" version="0.9.7"/>
    <affects base="0.9.6" version="0.9.6"/>
    <affects base="0.9.6" version="0.9.6a"/>
    <affects base="0.9.6" version="0.9.6b"/>
    <affects base="0.9.6" version="0.9.6c"/>
    <affects base="0.9.6" version="0.9.6d"/>
    <affects base="0.9.6" version="0.9.6e"/>
    <affects base="0.9.6" version="0.9.6f"/>
    <affects base="0.9.6" version="0.9.6g"/>
    <affects base="0.9.6" version="0.9.6h"/>
    <fixed base="0.9.7" version="0.9.7a" date="20030219"/>
    <fixed base="0.9.6" version="0.9.6i" date="20030219"/>
    <advisory url="/news/secadv/20030219.txt"/>
    <description>
sl3_get_record in s3_pkt.c did not perform a MAC computation if an
incorrect block cipher padding was used, causing an information leak
(timing discrepancy) that may make it easier to launch cryptographic
attacks that rely on distinguishing between padding and MAC
verification errors, possibly leading to extraction of the original
plaintext, aka the "Vaudenay timing attack."
    </description>
  </issue>

  <issue public="20030319">
    <cve name="2003-0131"/>
    <affects base="0.9.6" version="0.9.6"/>
    <affects base="0.9.6" version="0.9.6a"/>
    <affects base="0.9.6" version="0.9.6b"/>
    <affects base="0.9.6" version="0.9.6c"/>
    <affects base="0.9.6" version="0.9.6d"/>
    <affects base="0.9.6" version="0.9.6e"/>
    <affects base="0.9.6" version="0.9.6f"/>
    <affects base="0.9.6" version="0.9.6g"/>
    <affects base="0.9.6" version="0.9.6h"/>
    <affects base="0.9.6" version="0.9.6i"/>
    <affects base="0.9.7" version="0.9.7"/>
    <affects base="0.9.7" version="0.9.7a"/>
    <fixed base="0.9.6" version="0.9.6j" date="20030410"/>
    <fixed base="0.9.7" version="0.9.7b" date="20030410"/>
    <advisory url="/news/secadv/20030319.txt"/>
    <description>
The SSL and TLS components allowed remote attackers to perform an
unauthorized RSA private key operation via a modified Bleichenbacher
attack that uses a large number of SSL or TLS connections using PKCS #1 
v1.5 padding that caused OpenSSL to leak information regarding the
relationship between ciphertext and the associated plaintext, aka the
"Klima-Pokorny-Rosa attack"
    </description>
  </issue>

  <issue public="20030314">
    <cve name="2003-0147"/>
    <affects base="0.9.6" version="0.9.6"/>
    <affects base="0.9.6" version="0.9.6a"/>
    <affects base="0.9.6" version="0.9.6b"/>
    <affects base="0.9.6" version="0.9.6c"/>
    <affects base="0.9.6" version="0.9.6d"/>
    <affects base="0.9.6" version="0.9.6e"/>
    <affects base="0.9.6" version="0.9.6f"/>
    <affects base="0.9.6" version="0.9.6g"/>
    <affects base="0.9.6" version="0.9.6h"/>
    <affects base="0.9.6" version="0.9.6i"/>
    <affects base="0.9.7" version="0.9.7"/>
    <affects base="0.9.7" version="0.9.7a"/>
    <advisory url="/news/secadv/20030317.txt"/>
    <fixed base="0.9.7" version="0.9.7b" date="20030410"/>
    <fixed base="0.9.6" version="0.9.6j" date="20030410"/>
    <description>
RSA blinding was not enabled by default, which could allow local and
remote attackers to obtain a server's private key by determining
factors using timing differences on (1) the number of extra reductions
during Montgomery reduction, and (2) the use of different integer
multiplication algorithms ("Karatsuba" and normal).
    </description>
  </issue>

  <issue public="20030930">
    <cve name="2003-0543"/>
    <affects base="0.9.6" version="0.9.6"/>
    <affects base="0.9.6" version="0.9.6a"/>
    <affects base="0.9.6" version="0.9.6b"/>
    <affects base="0.9.6" version="0.9.6c"/>
    <affects base="0.9.6" version="0.9.6d"/>
    <affects base="0.9.6" version="0.9.6e"/>
    <affects base="0.9.6" version="0.9.6f"/>
    <affects base="0.9.6" version="0.9.6g"/>
    <affects base="0.9.6" version="0.9.6h"/>
    <affects base="0.9.6" version="0.9.6i"/>
    <affects base="0.9.6" version="0.9.6j"/>
    <affects base="0.9.7" version="0.9.7"/>
    <affects base="0.9.7" version="0.9.7a"/>
    <affects base="0.9.7" version="0.9.7b"/>
    <fixed base="0.9.7" version="0.9.7c" date="20030930"/>
    <fixed base="0.9.6" version="0.9.6k" date="20030930"/>
    <advisory url="/news/secadv/20030930.txt"/>
    <reported source="NISCC"/>
    <description>
An integer overflow could allow remote attackers to cause a denial of
service (crash) via an SSL client certificate with certain ASN.1 tag
values.
    </description>
  </issue>

  <issue public="20030930">
    <cve name="2003-0544"/>
    <affects base="0.9.7" version="0.9.7"/>
    <affects base="0.9.7" version="0.9.7a"/>
    <affects base="0.9.7" version="0.9.7b"/>
    <affects base="0.9.6" version="0.9.6"/>
    <affects base="0.9.6" version="0.9.6a"/>
    <affects base="0.9.6" version="0.9.6b"/>
    <affects base="0.9.6" version="0.9.6c"/>
    <affects base="0.9.6" version="0.9.6d"/>
    <affects base="0.9.6" version="0.9.6e"/>
    <affects base="0.9.6" version="0.9.6f"/>
    <affects base="0.9.6" version="0.9.6g"/>
    <affects base="0.9.6" version="0.9.6h"/>
    <affects base="0.9.6" version="0.9.6i"/>
    <affects base="0.9.6" version="0.9.6j"/>
    <fixed base="0.9.6" version="0.9.6k" date="20030930"/>
    <fixed base="0.9.7" version="0.9.7c" date="20030930"/>
    <advisory url="/news/secadv/20030930.txt"/>
    <reported source="NISCC"/>
    <description>
Incorrect tracking of the number of characters in certain
ASN.1 inputs could allow remote attackers to cause a denial of
service (crash) by sending an SSL client certificate that causes OpenSSL to
read past the end of a buffer when the long form is used.
    </description>
  </issue>

  <issue public="20030930">
    <cve name="2003-0545"/>
    <affects base="0.9.7" version="0.9.7"/>
    <affects base="0.9.7" version="0.9.7a"/>
    <affects base="0.9.7" version="0.9.7b"/>
    <fixed base="0.9.7" version="0.9.7c" date="20030930"/>
    <advisory url="/news/secadv/20030930.txt"/>
    <reported source="NISCC"/>
    <description>
Certain ASN.1 encodings that were rejected as invalid by the parser could
trigger a bug in the deallocation of the corresponding data structure,
corrupting the stack, leading to a crash.
    </description>
  </issue>

  <issue public="20031104">
    <cve name="2003-0851"/>
    <affects base="0.9.6" version="0.9.6k"/>
    <fixed base="0.9.6" version="0.9.6l" date="20031104"/>
    <advisory url="/news/secadv/20031104.txt"/>
    <reported source="Novell"/>
    <description> 
A flaw in OpenSSL 0.9.6k (only) would cause certain ASN.1 sequences to
trigger a large recursion.  On platforms such as Windows this large
recursion cannot be handled correctly and so the bug causes OpenSSL to
crash.  A remote attacker could exploit this flaw if they can send
arbitrary ASN.1 sequences which would cause OpenSSL to crash.  This
could be performed for example by sending a client certificate to a
SSL/TLS enabled server which is configured to accept them.
    </description>
  </issue>

  <issue public="20040317">
    <cve name="2004-0079"/>
    <affects base="0.9.6" version="0.9.6c"/>
    <affects base="0.9.6" version="0.9.6d"/>
    <affects base="0.9.6" version="0.9.6e"/>
    <affects base="0.9.6" version="0.9.6f"/>
    <affects base="0.9.6" version="0.9.6g"/>
    <affects base="0.9.6" version="0.9.6h"/>
    <affects base="0.9.6" version="0.9.6i"/>
    <affects base="0.9.6" version="0.9.6j"/>
    <affects base="0.9.6" version="0.9.6k"/>
    <affects base="0.9.6" version="0.9.6l"/>
    <affects base="0.9.7" version="0.9.7"/>
    <affects base="0.9.7" version="0.9.7a"/>
    <affects base="0.9.7" version="0.9.7b"/>
    <affects base="0.9.7" version="0.9.7c"/>
    <fixed base="0.9.7" version="0.9.7d" date="20040317"/>
    <fixed base="0.9.6" version="0.9.6m" date="20040317"/>
    <advisory url="/news/secadv/20040317.txt"/>
    <reported source="OpenSSL group"/>
    <description> 
The Codenomicon TLS Test Tool uncovered a null-pointer assignment in the
do_change_cipher_spec() function.  A remote attacker could perform a
carefully crafted SSL/TLS handshake against a server that used the
OpenSSL library in such a way as to cause a crash.
    </description>
  </issue>

  <issue public="20040317">
    <cve name="2004-0081"/>
    <affects base="0.9.6" version="0.9.6"/>
    <affects base="0.9.6" version="0.9.6a"/>
    <affects base="0.9.6" version="0.9.6b"/>
    <affects base="0.9.6" version="0.9.6c"/>
    <advisory url="/news/secadv/20030317.txt"/>
    <reported source="OpenSSL group"/>
    <description>
The Codenomicon TLS Test Tool found that some unknown message types
were handled incorrectly, allowing a remote attacker to cause a denial
of service (infinite loop).
    </description>
  </issue>

  <issue public="20040317">
    <cve name="2004-0112"/>
    <affects base="0.9.7" version="0.9.7a"/>
    <affects base="0.9.7" version="0.9.7b"/>
    <affects base="0.9.7" version="0.9.7c"/>
    <fixed base="0.9.7" version="0.9.7d" date="20040317"/>
    <reported source="OpenSSL group (Stephen Henson)"/>
    <advisory url="/news/secadv/20040317.txt"/>
    <description>
A flaw in SSL/TLS handshaking code when using Kerberos ciphersuites.
A remote attacker could perform a carefully crafted SSL/TLS handshake
against a server configured to use Kerberos ciphersuites in such a way
as to cause OpenSSL to crash.  Most applications have no ability to
use Kerberos ciphersuites and will therefore be unaffected.
    </description>
  </issue>

  <issue public="20040930">
    <cve name="2004-0975"/>
    <affects base="0.9.7" version="0.9.7"/>
    <affects base="0.9.7" version="0.9.7a"/>
    <affects base="0.9.7" version="0.9.7b"/>
    <affects base="0.9.7" version="0.9.7c"/>
    <affects base="0.9.7" version="0.9.7d"/>
    <affects base="0.9.7" version="0.9.7e"/>
    <affects base="0.9.6" version="0.9.6"/>
    <affects base="0.9.6" version="0.9.6a"/>
    <affects base="0.9.6" version="0.9.6b"/>
    <affects base="0.9.6" version="0.9.6c"/>
    <affects base="0.9.6" version="0.9.6d"/>
    <affects base="0.9.6" version="0.9.6e"/>
    <affects base="0.9.6" version="0.9.6f"/>
    <affects base="0.9.6" version="0.9.6g"/>
    <affects base="0.9.6" version="0.9.6h"/>
    <affects base="0.9.6" version="0.9.6i"/>
    <affects base="0.9.6" version="0.9.6j"/>
    <affects base="0.9.6" version="0.9.6k"/>
    <affects base="0.9.6" version="0.9.6l"/>
    <affects base="0.9.6" version="0.9.6m"/>
    <fixed base="0.9.7" version="0.9.7f" date="20050322">
          <git hash="5fee606442a6738fd06a756d7076be53b7b7734c"/>
    </fixed>
    <fixed base="0.9.6" version="0.9.6-cvs" date="20041114"/>
    <!-- der_chop was removed 20041114 -->

    <description>
The der_chop script created temporary files insecurely which could
allow local users to overwrite files via a symlink attack on temporary
files.  Note that it is quite unlikely that a user would be using the
redundant der_chop script, and this script was removed from the OpenSSL
distribution.
    </description>
  </issue>

  <issue public="20051011">
    <cve name="2005-2969"/>
    <affects base="0.9.7" version="0.9.7"/>
    <affects base="0.9.7" version="0.9.7a"/>
    <affects base="0.9.7" version="0.9.7b"/>
    <affects base="0.9.7" version="0.9.7c"/>
    <affects base="0.9.7" version="0.9.7d"/>
    <affects base="0.9.7" version="0.9.7e"/>
    <affects base="0.9.7" version="0.9.7f"/>
    <affects base="0.9.7" version="0.9.7g"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.6" version="0.9.6"/>
    <affects base="0.9.6" version="0.9.6a"/>
    <affects base="0.9.6" version="0.9.6b"/>
    <affects base="0.9.6" version="0.9.6c"/>
    <affects base="0.9.6" version="0.9.6d"/>
    <affects base="0.9.6" version="0.9.6e"/>
    <affects base="0.9.6" version="0.9.6f"/>
    <affects base="0.9.6" version="0.9.6g"/>
    <affects base="0.9.6" version="0.9.6h"/>
    <affects base="0.9.6" version="0.9.6i"/>
    <affects base="0.9.6" version="0.9.6j"/>
    <affects base="0.9.6" version="0.9.6k"/>
    <affects base="0.9.6" version="0.9.6l"/>
    <affects base="0.9.6" version="0.9.6m"/>
    <fixed base="0.9.7" version="0.9.7h" date="20051011"/>
    <fixed base="0.9.8" version="0.9.8a" date="20051011"/>

    <advisory url="/news/secadv/20051011.txt"/>
    <reported source="researcher"/>

    <description>
A deprecated option, SSL_OP_MISE_SSLV2_RSA_PADDING, could allow an
attacker acting as a "man in the middle" to force a connection to
downgrade to SSL 2.0 even if both parties support better protocols.
    </description>
  </issue>

  <issue public="20060905">
    <cve name="2006-4339"/>
    <affects base="0.9.7" version="0.9.7"/>
    <affects base="0.9.7" version="0.9.7a"/>
    <affects base="0.9.7" version="0.9.7b"/>
    <affects base="0.9.7" version="0.9.7c"/>
    <affects base="0.9.7" version="0.9.7d"/>
    <affects base="0.9.7" version="0.9.7e"/>
    <affects base="0.9.7" version="0.9.7f"/>
    <affects base="0.9.7" version="0.9.7g"/>
    <affects base="0.9.7" version="0.9.7h"/>
    <affects base="0.9.7" version="0.9.7i"/>
    <affects base="0.9.7" version="0.9.7j"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.6" version="0.9.6"/>
    <affects base="0.9.6" version="0.9.6a"/>
    <affects base="0.9.6" version="0.9.6b"/>
    <affects base="0.9.6" version="0.9.6c"/>
    <affects base="0.9.6" version="0.9.6d"/>
    <affects base="0.9.6" version="0.9.6e"/>
    <affects base="0.9.6" version="0.9.6f"/>
    <affects base="0.9.6" version="0.9.6g"/>
    <affects base="0.9.6" version="0.9.6h"/>
    <affects base="0.9.6" version="0.9.6i"/>
    <affects base="0.9.6" version="0.9.6j"/>
    <affects base="0.9.6" version="0.9.6k"/>
    <affects base="0.9.6" version="0.9.6l"/>
    <affects base="0.9.6" version="0.9.6m"/>
    <fixed base="0.9.7" version="0.9.7k" date="20060905"/>
    <fixed base="0.9.8" version="0.9.8c" date="20060905"/>

    <advisory url="/news/secadv/20060905.txt"/>
    <reported source="openssl"/>

    <description>
Daniel Bleichenbacher discovered an attack on PKCS #1 v1.5
signatures where under certain circumstances it may be possible
for an attacker to forge a PKCS #1 v1.5 signature that would be incorrectly
verified by OpenSSL.
    </description>
  </issue>

  <issue public="20060928">
    <cve name="2006-2937"/>
    <affects base="0.9.7" version="0.9.7"/>
    <affects base="0.9.7" version="0.9.7a"/>
    <affects base="0.9.7" version="0.9.7b"/>
    <affects base="0.9.7" version="0.9.7c"/>
    <affects base="0.9.7" version="0.9.7d"/>
    <affects base="0.9.7" version="0.9.7e"/>
    <affects base="0.9.7" version="0.9.7f"/>
    <affects base="0.9.7" version="0.9.7g"/>
    <affects base="0.9.7" version="0.9.7h"/>
    <affects base="0.9.7" version="0.9.7i"/>
    <affects base="0.9.7" version="0.9.7j"/>
    <affects base="0.9.7" version="0.9.7k"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <fixed base="0.9.7" version="0.9.7l" date="20060928"/>
    <fixed base="0.9.8" version="0.9.8d" date="20060928"/>

    <advisory url="/news/secadv/20060928.txt"/>
    <reported source="openssl"/>

    <description>
During the parsing of certain invalid ASN.1 structures an error
condition is mishandled.  This can result in an infinite loop which
consumes system memory
    </description>
  </issue>

  <issue public="20060928">
    <cve name="2006-2940"/>
    <affects base="0.9.7" version="0.9.7"/>
    <affects base="0.9.7" version="0.9.7a"/>
    <affects base="0.9.7" version="0.9.7b"/>
    <affects base="0.9.7" version="0.9.7c"/>
    <affects base="0.9.7" version="0.9.7d"/>
    <affects base="0.9.7" version="0.9.7e"/>
    <affects base="0.9.7" version="0.9.7f"/>
    <affects base="0.9.7" version="0.9.7g"/>
    <affects base="0.9.7" version="0.9.7h"/>
    <affects base="0.9.7" version="0.9.7i"/>
    <affects base="0.9.7" version="0.9.7j"/>
    <affects base="0.9.7" version="0.9.7k"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.6" version="0.9.6"/>
    <affects base="0.9.6" version="0.9.6a"/>
    <affects base="0.9.6" version="0.9.6b"/>
    <affects base="0.9.6" version="0.9.6c"/>
    <affects base="0.9.6" version="0.9.6d"/>
    <affects base="0.9.6" version="0.9.6e"/>
    <affects base="0.9.6" version="0.9.6f"/>
    <affects base="0.9.6" version="0.9.6g"/>
    <affects base="0.9.6" version="0.9.6h"/>
    <affects base="0.9.6" version="0.9.6i"/>
    <affects base="0.9.6" version="0.9.6j"/>
    <affects base="0.9.6" version="0.9.6k"/>
    <affects base="0.9.6" version="0.9.6l"/>
    <affects base="0.9.6" version="0.9.6m"/>
    <fixed base="0.9.7" version="0.9.7l" date="20060928"/>
    <fixed base="0.9.8" version="0.9.8d" date="20060928"/>

    <advisory url="/news/secadv/20060928.txt"/>
    <reported source="openssl"/>

    <description>
Certain types of public key can take disproportionate amounts of
time to process. This could be used by an attacker in a denial of
service attack.
    </description>
  </issue>

  <issue public="20060928">
    <cve name="2006-3738"/>
    <affects base="0.9.7" version="0.9.7"/>
    <affects base="0.9.7" version="0.9.7a"/>
    <affects base="0.9.7" version="0.9.7b"/>
    <affects base="0.9.7" version="0.9.7c"/>
    <affects base="0.9.7" version="0.9.7d"/>
    <affects base="0.9.7" version="0.9.7e"/>
    <affects base="0.9.7" version="0.9.7f"/>
    <affects base="0.9.7" version="0.9.7g"/>
    <affects base="0.9.7" version="0.9.7h"/>
    <affects base="0.9.7" version="0.9.7i"/>
    <affects base="0.9.7" version="0.9.7j"/>
    <affects base="0.9.7" version="0.9.7k"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.6" version="0.9.6"/>
    <affects base="0.9.6" version="0.9.6a"/>
    <affects base="0.9.6" version="0.9.6b"/>
    <affects base="0.9.6" version="0.9.6c"/>
    <affects base="0.9.6" version="0.9.6d"/>
    <affects base="0.9.6" version="0.9.6e"/>
    <affects base="0.9.6" version="0.9.6f"/>
    <affects base="0.9.6" version="0.9.6g"/>
    <affects base="0.9.6" version="0.9.6h"/>
    <affects base="0.9.6" version="0.9.6i"/>
    <affects base="0.9.6" version="0.9.6j"/>
    <affects base="0.9.6" version="0.9.6k"/>
    <affects base="0.9.6" version="0.9.6l"/>
    <affects base="0.9.6" version="0.9.6m"/>
    <fixed base="0.9.7" version="0.9.7l" date="20060928"/>
    <fixed base="0.9.8" version="0.9.8d" date="20060928"/>

    <advisory url="/news/secadv/20060928.txt"/>
    <reported source="openssl"/>

    <description>
A buffer overflow was discovered in the SSL_get_shared_ciphers()
utility function.  An attacker could send a list of ciphers to an
application that uses this function and overrun a buffer.
    </description>
  </issue>

  <issue public="20060928">
    <cve name="2006-4343"/>
    <affects base="0.9.7" version="0.9.7"/>
    <affects base="0.9.7" version="0.9.7a"/>
    <affects base="0.9.7" version="0.9.7b"/>
    <affects base="0.9.7" version="0.9.7c"/>
    <affects base="0.9.7" version="0.9.7d"/>
    <affects base="0.9.7" version="0.9.7e"/>
    <affects base="0.9.7" version="0.9.7f"/>
    <affects base="0.9.7" version="0.9.7g"/>
    <affects base="0.9.7" version="0.9.7h"/>
    <affects base="0.9.7" version="0.9.7i"/>
    <affects base="0.9.7" version="0.9.7j"/>
    <affects base="0.9.7" version="0.9.7k"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.6" version="0.9.6"/>
    <affects base="0.9.6" version="0.9.6a"/>
    <affects base="0.9.6" version="0.9.6b"/>
    <affects base="0.9.6" version="0.9.6c"/>
    <affects base="0.9.6" version="0.9.6d"/>
    <affects base="0.9.6" version="0.9.6e"/>
    <affects base="0.9.6" version="0.9.6f"/>
    <affects base="0.9.6" version="0.9.6g"/>
    <affects base="0.9.6" version="0.9.6h"/>
    <affects base="0.9.6" version="0.9.6i"/>
    <affects base="0.9.6" version="0.9.6j"/>
    <affects base="0.9.6" version="0.9.6k"/>
    <affects base="0.9.6" version="0.9.6l"/>
    <affects base="0.9.6" version="0.9.6m"/>
    <fixed base="0.9.7" version="0.9.7l" date="20060928"/>
    <fixed base="0.9.8" version="0.9.8d" date="20060928"/>

    <advisory url="/news/secadv/20060928.txt"/>
    <reported source="openssl"/>

    <description>
A flaw in the SSLv2 client code was discovered. When a client
application used OpenSSL to create an SSLv2 connection to a malicious
server, that server could cause the client to crash.
    </description>
  </issue>

  <issue public="20071012">
    <cve name="2007-4995"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <fixed base="0.9.8" version="0.9.8f" date="20071012"/>
    <advisory url="/news/secadv/20071012.txt"/>
    <reported source="Andy Polyakov"/>

    <description>
A flaw in DTLS support. An attacker 
could create a malicious client or server that could trigger a heap 
overflow. This is possibly exploitable to run arbitrary code, but it has 
not been verified.
    </description>
  </issue>

  <issue public="20071012">
    <cve name="2007-5135"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <fixed base="0.9.8" version="0.9.8f" date="20071012"/>
    <advisory url="/news/secadv/20071012.txt"/>
    <reported source="Moritz Jodeit"/>

    <description>
A flaw was found in the SSL_get_shared_ciphers() utility function. An 
attacker could send a list of ciphers to an application that used this 
function and overrun a buffer with a single byte. Few 
applications make use of this vulnerable function and generally it is used 
only when applications are compiled for debugging.
    </description>
  </issue>

  <issue public="20071129">
    <cve name="2007-5502"/>
    <advisory url="/news/secadv/20071129.txt"/>
    <reported source="Geoff Lowe"/>
    <affects base="fips-1.1" version="fips-1.1.1"/>
    <fixed base="fips-1.1" version="fips-1.1.2" date="20071201"/>
    <description>
The PRNG implementation for the OpenSSL FIPS Object Module 1.1.1 does
not perform auto-seeding during the FIPS self-test, which generates
random data that is more predictable than expected and makes it easier
for attackers to bypass protection mechanisms that rely on the
randomness.
    </description>
  </issue>

  <issue public="20080528">
    <cve name="2008-0891"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <fixed base="0.9.8" version="0.9.8h" date="20080528"/>
    <advisory url="/news/secadv/20080528.txt"/>
    <reported source="codenomicon"/>
    <description>
Testing using the Codenomicon TLS test suite discovered a flaw in the
handling of server name extension data in OpenSSL 0.9.8f and OpenSSL
0.9.8g.  If OpenSSL has been compiled using the non-default TLS server
name extensions, a remote attacker could send a carefully crafted
packet to a server application using OpenSSL and cause it to crash.
    </description>
  </issue>

  <issue public="20080528">
    <cve name="2008-1672"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <fixed base="0.9.8" version="0.9.8h" date="20080528"/>
    <advisory url="/news/secadv/20080528.txt"/>
    <reported source="codenomicon"/>
    <description>
Testing using the Codenomicon TLS test suite discovered a flaw if the
'Server Key exchange message' is omitted from a TLS handshake in
OpenSSL 0.9.8f and OpenSSL 0.9.8g.  If a client connects to a
malicious server with particular cipher suites, the server could cause
the client to crash. 
    </description>
  </issue>

  <issue public="20090107">
    <cve name="2008-5077"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <fixed base="0.9.8" version="0.9.8j" date="20090107"/>
    <advisory url="/news/secadv/20090107.txt"/>
    <reported source="google"/>
    <description>

The Google Security Team discovered several functions inside OpenSSL
incorrectly checked the result after calling the EVP_VerifyFinal
function, allowing a malformed signature to be treated as a good
signature rather than as an error.  This issue affected the signature
checks on DSA and ECDSA keys used with SSL/TLS.  One way to exploit
this flaw would be for a remote attacker who is in control of a
malicious server or who can use a 'man in the middle' attack to
present a malformed SSL/TLS signature from a certificate chain to a
vulnerable client, bypassing validation.
    </description>
  </issue>

  <issue public="20090325">
    <cve name="2009-0590"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <fixed base="0.9.8" version="0.9.8k" date="20090325"/>
    <advisory url="/news/secadv/20090325.txt"/>
    <description>
The function ASN1_STRING_print_ex() when used to print a BMPString or
UniversalString will crash with an invalid memory access if the
encoded length of the string is illegal.  Any OpenSSL application
which prints out the contents of a certificate could be affected by
this bug, including SSL servers, clients and S/MIME software.
    </description>
  </issue>

  <issue public="20090325">
    <cve name="2009-0591"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <fixed base="0.9.8" version="0.9.8k" date="20090325"/>
    <advisory url="/news/secadv/20090325.txt"/>
    <reported source="Ivan Nestlerode, IBM"/>
    <description>
The function CMS_verify() does not correctly handle an error condition
involving malformed signed attributes. This will cause an invalid set
of signed attributes to appear valid and content digests will not be
checked.
    </description>
  </issue>

  <issue public="20090325">
    <cve name="2009-0789"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <fixed base="0.9.8" version="0.9.8k" date="20090325"/>
    <reported source="Paolo Ganci"/>
    <advisory url="/news/secadv/20090325.txt"/>
    <description>
When a malformed ASN1 structure is received it's contents are freed up and
zeroed and an error condition returned. On a small number of platforms where
sizeof(long) &lt; sizeof(void *) (for example WIN64) this can cause an invalid
memory access later resulting in a crash when some invalid structures are
read, for example RSA public keys.
    </description>
  </issue>

  <issue public="20090602">
    <cve name="2009-1386"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <fixed base="0.9.8" version="0.9.8i" date="20080915">
      <git hash="1cbf663a6c89dcf8f7706d30a8bae675e2e0199a"/>
    </fixed>
    <reported source="Alex Lam"/>
    <description>
Fix a NULL pointer dereference if a DTLS server recieved
ChangeCipherSpec as first record.
A remote attacker could use this flaw to cause a DTLS server to crash
    </description>
  </issue>

  <issue public="20091105">
    <cve name="2009-3555"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <fixed base="0.9.8" version="0.9.8m" date="20100120"/>
    <advisory url="/news/secadv/20091111.txt"/>
    <description>
Implement RFC5746 to address vulnerabilities in SSL/TLS renegotiation.
    </description>
  </issue>

  <issue public="20090205">
    <cve name="2009-1387"/>
    <advisory url="https://rt.openssl.org/Ticket/Display.html?id=1838&amp;user=guest&amp;pass=guest"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <fixed base="0.9.8" version="0.9.8m" date="20100120"/>
    <reported source="Robin Seggelmann"/>
    <description>
Fix denial of service flaw due in the DTLS implementation.  A
remote attacker could use this flaw to cause a DTLS server to crash.
    </description>
  </issue>

  <issue public="20090512">
    <cve name="2009-1377"/>
    <advisory url="https://rt.openssl.org/Ticket/Display.html?id=1930&amp;user=guest&amp;pass=guest"/>    
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <fixed base="0.9.8" version="0.9.8m" date="20100120">
      <git hash="88b48dc68024dcc437da4296c9fb04419b0ccbe1"/>
    </fixed>
    <reported source="Daniel Mentz, Robin Seggelmann"/>
    <description>
Fix a denial of service flaw in the DTLS implementation.  
Records are buffered if they arrive with a future epoch to be  
processed after finishing the corresponding handshake. There is  
currently no limitation to this buffer allowing an attacker to perform  
a DOS attack to a DTLS server by sending records with future epochs until there is no  
memory left.
    </description>
  </issue>

    <issue public="20090512">
    <cve name="2009-1378"/>
    <advisory url="https://rt.openssl.org/Ticket/Display.html?id=1931&amp;user=guest&amp;pass=guest"/>    
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <fixed base="0.9.8" version="0.9.8m" date="20100120">
      <git hash="abda7c114791fa7fe95672ec7a66fc4733c40dbc"/>
    </fixed>
    <reported source="Daniel Mentz, Robin Seggelmann"/>
    <description>
      Fix a denial of service flaw in the DTLS implementation.
In dtls1_process_out_of_seq_message() the check if the current message 
is already buffered was missing. For every new message was memory 
allocated, allowing an attacker to perform an denial of service attack 
against a DTLS server by sending out of seq handshake messages until there is no memory 
left.
    </description>
  </issue>

  <issue public="20090512">
    <cve name="2009-1379"/>
    <advisory url="https://rt.openssl.org/Ticket/Display.html?id=1923&amp;user=guest&amp;pass=guest"/>        
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <fixed base="0.9.8" version="0.9.8m" date="20100120">
      <git hash="561cbe567846a376153bea7f1f2d061e78029c2d"/>
    </fixed>
    <reported source="Daniel Mentz, Robin Seggelmann"/>
    <description>
      Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment
      function could cause a client accessing a malicious DTLS server to
      crash.
    </description>
  </issue>

  <issue public="20100113">
    <cve name="2009-4355"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <fixed base="0.9.8" version="0.9.8m" date="20100120">
      <git hash="1b31b5ad560b16e2fe1cad54a755e3e6b5e778a3"/>
    </fixed>
    <reported source="Michael K Johnson and Andy Grimm (rPath)"/>
    <description>
A memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c
allows remote attackers to cause a denial of service
via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data
function.
    </description>
  </issue>

  <issue public="20100223">
    <cve name="2009-3245"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <fixed base="0.9.8" version="0.9.8m" date="20100120">
      <git hash="7e4cae1d2f555cbe9226b377aff4b56c9f7ddd4d"/>
    </fixed>
    <reported source="Martin Olsson, Neel Mehta"/>
    <description>
It was discovered that OpenSSL did not always check the return value of the
bn_wexpand() function. An attacker able to trigger a memory allocation failure
in that function could cause an application using the OpenSSL library to crash
or, possibly, execute arbitrary code
    </description>
  </issue>

  <issue public="20100119">
    <cve name="2010-0433"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <fixed base="0.9.8" version="0.9.8n" date="20100324">
      <git hash="cca1cd9a3447dd067503e4a85ebd1679ee78a48e"/>
    </fixed>
    <reported source="Todd Rinaldo, Tomas Hoger (Red Hat)"/>
    <description>
A missing return value check flaw was discovered in OpenSSL, that could
possibly cause OpenSSL to call a Kerberos library function with invalid
arguments, resulting in a NULL pointer dereference crash in the MIT
Kerberos library. In certain configurations, a remote attacker could use
this flaw to crash a TLS/SSL server using OpenSSL by requesting Kerberos
cipher suites during the TLS handshake
    </description>
  </issue>

  <issue public="20100324">
    <cve name="2010-0740"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <fixed base="0.9.8" version="0.9.8n" date="20100324"/>
    <advisory url="/news/secadv/20100324.txt"/>
    <reported source="Bodo Moeller and Adam Langley (Google)"/>
    <description>
In TLS connections, certain incorrectly formatted records can cause an
OpenSSL client or server to crash due to a read attempt at NULL.  
    </description>
  </issue>

  <issue public="20100601">
    <cve name="2010-0742"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <fixed base="0.9.8" version="0.9.8o" date="20100601"/>
    <fixed base="1.0.0" version="1.0.0a" date="20100601"/>
    <advisory url="/news/secadv/20100601.txt"/>
    <reported source="Ronald Moesbergen"/>
    <description>
A flaw in the handling of CMS structures containing OriginatorInfo was found which 
could lead to a write to invalid memory address or double free.  CMS support is
disabled by default in OpenSSL 0.9.8 versions.
    </description>
  </issue>

  <issue public="20100601">
    <cve name="2010-1633"/>
    <affects base="1.0.0" version="1.0.0"/>
    <fixed base="1.0.0" version="1.0.0a" date="20100601"/>
    <advisory url="/news/secadv/20100601.txt"/>
    <reported source="Peter-Michael Hager"/>
    <description>
An invalid Return value check in pkey_rsa_verifyrecover was
discovered.  When verification recovery fails for RSA keys an
uninitialised buffer with an undefined length is returned instead of
an error code.  This could lead to an information leak.
    </description>
  </issue>

  <issue public="20101116">
    <cve name="2010-3864"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <fixed base="1.0.0" version="1.0.0b" date="20101116"/>
    <fixed base="0.9.8" version="0.9.8p" date="20101116"/>
    <advisory url="/news/secadv/20101116.txt"/>
    <reported source="Rob Hulswit"/>
    <description>

A flaw in the OpenSSL TLS server extension code parsing which on
affected servers can be exploited in a buffer overrun attack.  Any
OpenSSL based TLS server is vulnerable if it is multi-threaded and
uses OpenSSL's internal caching mechanism. Servers that are
multi-process and/or disable internal session caching are NOT
affected.

    </description>
  </issue>

  <issue public="20101202">
    <cve name="2010-4252"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <fixed base="1.0.0" version="1.0.0c" date="20101202"/>
    <advisory url="/news/secadv/20101202.txt"/>
    <reported source="Sebastian Martini"/>
    <description>
An error in OpenSSL's experimental J-PAKE implementation which could
lead to successful validation by someone with no knowledge of the
shared secret.  The OpenSSL Team still consider the implementation of
J-PAKE to be experimental and is not compiled by default.
    </description>
  </issue>

  <issue public="20101202">
    <cve name="2010-4180"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <fixed base="1.0.0" version="1.0.0c" date="20101202"/>
    <fixed base="0.9.8" version="0.9.8q" date="20101202"/>
    <advisory url="/news/secadv/20101202.txt"/>
    <reported source="Martin Rex"/>
    <description>
A flaw in the OpenSSL SSL/TLS server code where an old bug workaround
allows malicious clients to modify the stored session cache
ciphersuite. In some cases the ciphersuite can be downgraded to a
weaker one on subsequent connections.  This issue only affects OpenSSL
based SSL/TLS server if it uses OpenSSL's internal caching mechanisms
and the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG flag (many
applications enable this by using the SSL_OP_ALL option).
    </description>
  </issue>

  <issue public="20110906">
    <cve name="2011-3207"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <fixed base="1.0.0" version="1.0.0e" date="20110906"/>
    <advisory url="/news/secadv/20110906.txt"/>
    <reported source="Kaspar Brand"/>
    <description>
Under certain circumstances OpenSSL's internal certificate
verification routines can incorrectly accept a CRL whose nextUpdate
field is in the past.  Applications are only affected by the CRL
checking vulnerability if they enable OpenSSL's internal CRL checking
which is off by default. Applications which use their own custom CRL
checking (such as Apache) are not affected.
    </description>
  </issue>

 <issue public="20110906">
    <cve name="2011-3210"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <fixed base="1.0.0" version="1.0.0e" date="20110906"/>
    <advisory url="/news/secadv/20110906.txt"/>
    <reported source="Adam Langley"/>
    <description>
OpenSSL server code for ephemeral ECDH ciphersuites is not
thread-safe, and furthermore can crash if a client violates the
protocol by sending handshake messages in incorrect order.  Only
server-side applications that specifically support ephemeral ECDH
ciphersuites are affected, and only if ephemeral ECDH ciphersuites are
enabled in the configuration.
    </description>
  </issue>

 <issue public="20120104">
    <cve name="2011-4108"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
    <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
    <advisory url="/news/secadv/20120104.txt"/>
    <reported source="Nadhem Alfardan and Kenny Paterson"/>
    <description>
OpenSSL was susceptable an extension of the 
Vaudenay padding oracle attack on CBC mode encryption which enables an 
efficient plaintext recovery attack against the OpenSSL implementation
of DTLS by exploiting timing differences arising during
decryption processing.
    </description>
  </issue>

 <issue public="20120104">
    <cve name="2011-4109"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
    <advisory url="/news/secadv/20120104.txt"/>
    <reported source="Ben Laurie"/>
    <description>
If X509_V_FLAG_POLICY_CHECK is set in OpenSSL 0.9.8, then a policy
check failure can lead to a double-free. The bug does not occur 
unless this flag is set. Users of OpenSSL 1.0.0 are not affected
    </description>
  </issue>

 <issue public="20120104">
    <cve name="2011-4576"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
    <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
    <advisory url="/news/secadv/20120104.txt"/>
    <reported source="Adam Langley"/>
    <description>
OpenSSL failed to clear the bytes used as
block cipher padding in SSL 3.0 records which could leak
the contents of memory in some circumstances.
    </description>
  </issue>

 <issue public="20120104">
    <cve name="2011-4577"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
    <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
    <advisory url="/news/secadv/20120104.txt"/>
    <reported source="Andrew Chi"/>
    <description>
RFC 3779 data can be included in certificates, and if it is malformed,
may trigger an assertion failure. This could be used in a
denial-of-service attack.  Builds of OpenSSL are only vulnerable if configured with 
"enable-rfc3779", which is not a default.
    </description>
  </issue>

 <issue public="20120104">
    <cve name="2011-4619"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
    <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
    <advisory url="/news/secadv/20120104.txt"/>
    <reported source="George Kadianakis"/>
    <description>
Support for handshake restarts for server gated cryptograpy (SGC) can
be used in a denial-of-service attack.
    </description>
  </issue>

 <issue public="20120104">
    <cve name="2012-0027"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
    <advisory url="/news/secadv/20120104.txt"/>
    <reported source="Andrey Kulikov"/>
    <description>
A malicious TLS client can send an invalid set of GOST parameters
which will cause the server to crash due to lack of error checking.
This could be used in a denial-of-service attack.
Only users of the OpenSSL GOST ENGINE are affected by this bug.
    </description>
  </issue>

 <issue public="20120104">
    <cve name="2012-0050"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <fixed base="1.0.0" version="1.0.0g" date="20120118"/>
    <fixed base="0.9.8" version="0.9.8t" date="20120118"/>
    <advisory url="/news/secadv/20120118.txt"/>
    <reported source="Antonio Martin"/>
    <description>
A flaw in the fix to CVE-2011-4108 can be exploited in a denial of
service attack. Only DTLS applications are affected.
    </description>
  </issue>

 <issue public="20120312">
    <cve name="2012-0884"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <fixed base="1.0.0" version="1.0.0h" date="20120312"/>
    <fixed base="0.9.8" version="0.9.8u" date="20120312"/>
    <advisory url="/news/secadv/20120312.txt"/>
    <reported source="Ivan Nestlerode"/>
    <description>
A weakness in the OpenSSL CMS and PKCS #7 code can be exploited
using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
also known as the million message attack (MMA).
Only users of CMS, PKCS #7, or S/MIME decryption operations are affected, 
SSL/TLS applications are not affected by this issue.

    </description>
  </issue>

 <issue public="20110208">
    <cve name="2011-0014"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <fixed base="1.0.0" version="1.0.0d" date="20110208"/>
    <fixed base="0.9.8" version="0.9.8r" date="20110208"/>
    <advisory url="/news/secadv/20110208.txt"/>
    <reported source="Neel Mehta"/>
    <description>
A buffer over-read flaw was discovered in the way OpenSSL parsed the
Certificate Status Request TLS extensions in ClientHello TLS handshake
messages. A remote attacker could possibly use this flaw to crash an SSL
server using the affected OpenSSL functionality.
    </description>
  </issue>

 <issue public="20120424">
    <cve name="2012-2131"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <fixed base="0.9.8" version="0.9.8w" date="20120424"/>
    <advisory url="/news/secadv/20120424.txt"/>
    <reported source="Red Hat"/>
    <description>
It was discovered that the fix for CVE-2012-2110 released on 19 Apr
2012 was not sufficient to correct the issue for OpenSSL 0.9.8.  This
issue only affects OpenSSL 0.9.8v.  OpenSSL 1.0.1a and 1.0.0i already
contain a patch sufficient to correct CVE-2012-2110.
    </description>
  </issue>


 <issue public="20120419">
    <cve name="2012-2110"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.1" version="1.0.1"/>
    <fixed base="1.0.1" version="1.0.1a" date="20120419"/>
    <fixed base="1.0.0" version="1.0.0i" date="20120419"/>
    <fixed base="0.9.8" version="0.9.8v" date="20120419"/>
    <advisory url="/news/secadv/20120419.txt"/>
    <reported source="Tavis Ormandy"/>
    <description>
Multiple numeric conversion errors, leading to a buffer overflow, were
found in the way OpenSSL parsed ASN.1 (Abstract Syntax Notation One) data
from BIO (OpenSSL's I/O abstraction) inputs. Specially-crafted DER
(Distinguished Encoding Rules) encoded data read from a file or other BIO
input could cause an application using the OpenSSL library to crash or,
potentially, execute arbitrary code.
    </description>
  </issue>

 <issue public="20120510">
    <cve name="2012-2333"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <fixed base="1.0.1" version="1.0.1c" date="20120510"/>
    <fixed base="1.0.0" version="1.0.0j" date="20120510"/>
    <fixed base="0.9.8" version="0.9.8x" date="20120510"/>
    <advisory url="/news/secadv/20120510.txt"/>
    <reported source="Codenomicon"/>
    <description>
An integer underflow flaw, leading to a buffer over-read, was found in
the way OpenSSL handled TLS 1.1, TLS 1.2, and DTLS (Datagram Transport
Layer Security) application data record lengths when using a block
cipher in CBC (cipher-block chaining) mode. A malicious TLS 1.1, TLS
1.2, or DTLS client or server could use this flaw to crash its connection
peer.
    </description>
  </issue>

 <issue public="20130204">
    <cve name="2013-0169"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <fixed base="1.0.1" version="1.0.1d" date="20130205"/>
    <fixed base="1.0.0" version="1.0.0k" date="20130205"/>
    <fixed base="0.9.8" version="0.9.8y" date="20130205"/>
    <advisory url="/news/secadv/20130205.txt"/>
    <reported source="Nadhem J. AlFardan and Kenneth G. Paterson of the Information Security Group Royal Holloway, University of London"/>
    <description>
A weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS which could
lead to plaintext recovery by exploiting timing differences
arising during MAC processing. 
    </description>
  </issue>

 <issue public="20130205">
    <cve name="2012-2686"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <fixed base="1.0.1" version="1.0.1d" date="20130205"/>
    <advisory url="/news/secadv/20130205.txt"/>
    <reported source="Adam Langley and Wolfgang Ettlinger"/>
    <description>
A flaw in the OpenSSL handling of CBC ciphersuites in TLS 1.1 and TLS 1.2 on
AES-NI supporting platforms can be exploited in a DoS attack.
    </description>
  </issue>

 <issue public="20130205">
    <cve name="2013-0166"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <fixed base="1.0.1" version="1.0.1d" date="20130205"/>
    <fixed base="1.0.0" version="1.0.0k" date="20130205"/>
    <fixed base="0.9.8" version="0.9.8y" date="20130205"/>
    <advisory url="/news/secadv/20130205.txt"/>
    <reported source="Stephen Henson"/>
    <description>
A flaw in the OpenSSL handling of OCSP response verification can be exploited in
a denial of service attack.
    </description>
  </issue>

 <issue public="20131213">
    <cve name="2013-6450"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <fixed base="1.0.1" version="1.0.1f" date="20140106">
          <git hash="3462896"/>
    </fixed>
    <fixed base="1.0.0" version="1.0.0l" date="20140106"/>
    <reported source="Dmitry Sobinov"/>
    <description>
A flaw in DTLS handling can cause an application using OpenSSL and DTLS to crash.
This is not a vulnerability for OpenSSL prior to 1.0.0.
    </description>
  </issue>

 <issue public="20131214">
    <cve name="2013-6449"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <fixed base="1.0.1" version="1.0.1f" date="20140106">
            <git hash="ca98926"/>
    </fixed>
    <reported source="Ron Barber"/>
    <description>
A flaw in OpenSSL can cause an application using OpenSSL to crash when using TLS version 1.2.  
This issue only affected OpenSSL 1.0.1 versions.
    </description>
  </issue>

 <issue public="20140106">
   <cve name="2013-4353"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <fixed base="1.0.1" version="1.0.1f" date="20140106">
          <git hash="197e0ea817ad64820789d86711d55ff50d71f631"/>
    </fixed>
    <reported source="Anton Johansson"/>
    <description>
A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL pointer exception.  A malicious
server could use this flaw to crash a connecting client.  This issue only affected OpenSSL 1.0.1 versions.
    </description>
  </issue>

  <issue public="20140214">
    <cve name="2014-0076"/>
    <advisory url="/news/secadv/20140605.txt"/>
    <affects base="0.9.8" version="0.9.8"/>
    <affects base="0.9.8" version="0.9.8a"/>
    <affects base="0.9.8" version="0.9.8b"/>
    <affects base="0.9.8" version="0.9.8c"/>
    <affects base="0.9.8" version="0.9.8d"/>
    <affects base="0.9.8" version="0.9.8e"/>
    <affects base="0.9.8" version="0.9.8f"/>
    <affects base="0.9.8" version="0.9.8g"/>
    <affects base="0.9.8" version="0.9.8h"/>
    <affects base="0.9.8" version="0.9.8i"/>
    <affects base="0.9.8" version="0.9.8j"/>
    <affects base="0.9.8" version="0.9.8k"/>
    <affects base="0.9.8" version="0.9.8l"/>
    <affects base="0.9.8" version="0.9.8m"/>
    <affects base="0.9.8" version="0.9.8n"/>
    <affects base="0.9.8" version="0.9.8o"/>
    <affects base="0.9.8" version="0.9.8p"/>
    <affects base="0.9.8" version="0.9.8q"/>
    <affects base="0.9.8" version="0.9.8r"/>
    <affects base="0.9.8" version="0.9.8s"/>
    <affects base="0.9.8" version="0.9.8t"/>
    <affects base="0.9.8" version="0.9.8u"/>
    <affects base="0.9.8" version="0.9.8v"/>
    <affects base="0.9.8" version="0.9.8w"/>
    <affects base="0.9.8" version="0.9.8x"/>
    <affects base="0.9.8" version="0.9.8y"/>
    <affects base="1.0.0" version="1.0.0"/>
    <affects base="1.0.0" version="1.0.0a"/>
    <affects base="1.0.0" version="1.0.0b"/>
    <affects base="1.0.0" version="1.0.0c"/>
    <affects base="1.0.0" version="1.0.0d"/>
    <affects base="1.0.0" version="1.0.0e"/>
    <affects base="1.0.0" version="1.0.0f"/>
    <affects base="1.0.0" version="1.0.0g"/>
    <affects base="1.0.0" version="1.0.0i"/>
    <affects base="1.0.0" version="1.0.0j"/>
    <affects base="1.0.0" version="1.0.0k"/>
    <affects base="1.0.0" version="1.0.0l"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <fixed base="1.0.1" version="1.0.1g" date="20140409">
          <git hash="4b7a4ba29cafa432fc4266fe6e59e60bc1c96332"/>
    </fixed>
    <fixed base="1.0.0" version="1.0.0m" date="20140312">
          <git hash="2198be3483259de374f91e57d247d0fc667aef29"/>
    </fixed>
    <fixed base="0.9.8" version="0.9.8za" date="20140605">
    </fixed>
    <reported source="Yuval Yarom and Naomi Benger"/>
    <description>
Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
    </description>
  </issue>

  <issue public="20140407">
    <cve name="2014-0160"/>
    <affects base="1.0.1" version="1.0.1"/>
    <affects base="1.0.1" version="1.0.1a"/>
    <affects base="1.0.1" version="1.0.1b"/>
    <affects base="1.0.1" version="1.0.1c"/>
    <affects base="1.0.1" version="1.0.1d"/>
    <affects base="1.0.1" version="1.0.1e"/>
    <affects base="1.0.1" version="1.0.1f"/>
    <fixed base="1.0.1" version="1.0.1g" date="20140409">
    </fixed>
    <advisory url="/news/secadv/20140407.txt"/>
    <reported source="Neel Mehta"/>
    <description>
A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64kB of memory to a connected client or server (a.k.a. Heartbleed).  This
issue did not affect versions of OpenSSL prior to 1.0.1.
    </description>
  </issue>

<issue public="20140605">
  <cve name="2014-0224"/>
  <affects base="0.9.8" version="0.9.8"/>
  <affects base="0.9.8" version="0.9.8a"/>
  <affects base="0.9.8" version="0.9.8b"/>
  <affects base="0.9.8" version="0.9.8c"/>
  <affects base="0.9.8" version="0.9.8d"/>
  <affects base="0.9.8" version="0.9.8e"/>
  <affects base="0.9.8" version="0.9.8f"/>
  <affects base="0.9.8" version="0.9.8g"/>
  <affects base="0.9.8" version="0.9.8h"/>
  <affects base="0.9.8" version="0.9.8i"/>
  <affects base="0.9.8" version="0.9.8j"/>
  <affects base="0.9.8" version="0.9.8k"/>
  <affects base="0.9.8" version="0.9.8l"/>
  <affects base="0.9.8" version="0.9.8m"/>
  <affects base="0.9.8" version="0.9.8n"/>
  <affects base="0.9.8" version="0.9.8o"/>
  <affects base="0.9.8" version="0.9.8p"/>
  <affects base="0.9.8" version="0.9.8q"/>
  <affects base="0.9.8" version="0.9.8r"/>
  <affects base="0.9.8" version="0.9.8s"/>
  <affects base="0.9.8" version="0.9.8t"/>
  <affects base="0.9.8" version="0.9.8u"/>
  <affects base="0.9.8" version="0.9.8v"/>
  <affects base="0.9.8" version="0.9.8w"/>
  <affects base="0.9.8" version="0.9.8x"/>
  <affects base="0.9.8" version="0.9.8y"/>
  <affects base="1.0.0" version="1.0.0"/>
  <affects base="1.0.0" version="1.0.0a"/>
  <affects base="1.0.0" version="1.0.0b"/>
  <affects base="1.0.0" version="1.0.0c"/>
  <affects base="1.0.0" version="1.0.0d"/>
  <affects base="1.0.0" version="1.0.0e"/>
  <affects base="1.0.0" version="1.0.0f"/>
  <affects base="1.0.0" version="1.0.0g"/>
  <affects base="1.0.0" version="1.0.0i"/>
  <affects base="1.0.0" version="1.0.0j"/>
  <affects base="1.0.0" version="1.0.0k"/>
  <affects base="1.0.0" version="1.0.0l"/>
  <affects base="1.0.1" version="1.0.1"/>
  <affects base="1.0.1" version="1.0.1a"/>
  <affects base="1.0.1" version="1.0.1b"/>
  <affects base="1.0.1" version="1.0.1c"/>
  <affects base="1.0.1" version="1.0.1d"/>
  <affects base="1.0.1" version="1.0.1e"/>
  <affects base="1.0.1" version="1.0.1f"/>
  <affects base="1.0.1" version="1.0.1g"/>
  <fixed base="1.0.1" version="1.0.1h" date="20140605">
  </fixed>
  <fixed base="1.0.0" version="1.0.0m" date="20140605">
  </fixed>
  <fixed base="0.9.8" version="0.9.8za" date="20140605">
  </fixed>
  <description>
    An attacker can force the use of weak
    keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
    by a Man-in-the-middle (MITM) attack where the attacker can decrypt and 
    modify traffic from the attacked client and server.
  </description>
  <advisory url="/news/secadv/20140605.txt"/>
  <reported source="KIKUCHI Masashi (Lepidum Co. Ltd.)"/>
</issue>

<issue public="20140605">
  <cve name="2014-0221"/>
  <affects base="0.9.8" version="0.9.8"/>
  <affects base="0.9.8" version="0.9.8a"/>
  <affects base="0.9.8" version="0.9.8b"/>
  <affects base="0.9.8" version="0.9.8c"/>
  <affects base="0.9.8" version="0.9.8d"/>
  <affects base="0.9.8" version="0.9.8e"/>
  <affects base="0.9.8" version="0.9.8f"/>
  <affects base="0.9.8" version="0.9.8g"/>
  <affects base="0.9.8" version="0.9.8h"/>
  <affects base="0.9.8" version="0.9.8i"/>
  <affects base="0.9.8" version="0.9.8j"/>
  <affects base="0.9.8" version="0.9.8k"/>
  <affects base="0.9.8" version="0.9.8l"/>
  <affects base="0.9.8" version="0.9.8m"/>
  <affects base="0.9.8" version="0.9.8n"/>
  <affects base="0.9.8" version="0.9.8o"/>
  <affects base="0.9.8" version="0.9.8p"/>
  <affects base="0.9.8" version="0.9.8q"/>
  <affects base="0.9.8" version="0.9.8r"/>
  <affects base="0.9.8" version="0.9.8s"/>
  <affects base="0.9.8" version="0.9.8t"/>
  <affects base="0.9.8" version="0.9.8u"/>
  <affects base="0.9.8" version="0.9.8v"/>
  <affects base="0.9.8" version="0.9.8w"/>
  <affects base="0.9.8" version="0.9.8x"/>
  <affects base="0.9.8" version="0.9.8y"/>
  <affects base="1.0.0" version="1.0.0"/>
  <affects base="1.0.0" version="1.0.0a"/>
  <affects base="1.0.0" version="1.0.0b"/>
  <affects base="1.0.0" version="1.0.0c"/>
  <affects base="1.0.0" version="1.0.0d"/>
  <affects base="1.0.0" version="1.0.0e"/>
  <affects base="1.0.0" version="1.0.0f"/>
  <affects base="1.0.0" version="1.0.0g"/>
  <affects base="1.0.0" version="1.0.0i"/>
  <affects base="1.0.0" version="1.0.0j"/>
  <affects base="1.0.0" version="1.0.0k"/>
  <affects base="1.0.0" version="1.0.0l"/>
  <affects base="1.0.1" version="1.0.1"/>
  <affects base="1.0.1" version="1.0.1a"/>
  <affects base="1.0.1" version="1.0.1b"/>
  <affects base="1.0.1" version="1.0.1c"/>
  <affects base="1.0.1" version="1.0.1d"/>
  <affects base="1.0.1" version="1.0.1e"/>
  <affects base="1.0.1" version="1.0.1f"/>
  <affects base="1.0.1" version="1.0.1g"/>
  <fixed base="1.0.1" version="1.0.1h" date="20140605">
  </fixed>
  <fixed base="1.0.0" version="1.0.0m" date="20140605">
  </fixed>
  <fixed base="0.9.8" version="0.9.8za" date="20140605">
  </fixed>
  <description>By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. Only applications using OpenSSL as a DTLS client are affected.</description>
  <advisory url="/news/secadv/20140605.txt"/>
  <reported source="Imre Rad (Search-Lab Ltd.)"/>
</issue>

<issue public="20140605">
  <cve name="2014-0195"/>
  <affects base="0.9.8" version="0.9.8o"/>
  <affects base="0.9.8" version="0.9.8p"/>
  <affects base="0.9.8" version="0.9.8q"/>
  <affects base="0.9.8" version="0.9.8r"/>
  <affects base="0.9.8" version="0.9.8s"/>
  <affects base="0.9.8" version="0.9.8t"/>
  <affects base="0.9.8" version="0.9.8u"/>
  <affects base="0.9.8" version="0.9.8v"/>
  <affects base="0.9.8" version="0.9.8w"/>
  <affects base="0.9.8" version="0.9.8x"/>
  <affects base="0.9.8" version="0.9.8y"/>
  <affects base="1.0.0" version="1.0.0"/>
  <affects base="1.0.0" version="1.0.0a"/>
  <affects base="1.0.0" version="1.0.0b"/>
  <affects base="1.0.0" version="1.0.0c"/>
  <affects base="1.0.0" version="1.0.0d"/>
  <affects base="1.0.0" version="1.0.0e"/>
  <affects base="1.0.0" version="1.0.0f"/>
  <affects base="1.0.0" version="1.0.0g"/>
  <affects base="1.0.0" version="1.0.0i"/>
  <affects base="1.0.0" version="1.0.0j"/>
  <affects base="1.0.0" version="1.0.0k"/>
  <affects base="1.0.0" version="1.0.0l"/>
  <affects base="1.0.1" version="1.0.1"/>
  <affects base="1.0.1" version="1.0.1a"/>
  <affects base="1.0.1" version="1.0.1b"/>
  <affects base="1.0.1" version="1.0.1c"/>
  <affects base="1.0.1" version="1.0.1d"/>
  <affects base="1.0.1" version="1.0.1e"/>
  <affects base="1.0.1" version="1.0.1f"/>
  <affects base="1.0.1" version="1.0.1g"/>
  <fixed base="1.0.1" version="1.0.1h" date="20140605">
  </fixed>
  <fixed base="1.0.0" version="1.0.0m" date="20140605">
  </fixed>
  <fixed base="0.9.8" version="0.9.8za" date="20140605">
  </fixed>
  <description>A buffer overrun attack can be triggered by sending invalid DTLS fragments
  to an OpenSSL DTLS client or server. This is potentially exploitable to
  run arbitrary code on a vulnerable client or server.  Only applications using OpenSSL as a DTLS client or server affected.
  </description>
  <advisory url="/news/secadv/20140605.txt"/>
  <reported source="Jüri Aedla"/>
</issue>

<issue public="20140421">
  <cve name="2014-0198"/>
  <affects base="1.0.0" version="1.0.0"/>
  <affects base="1.0.0" version="1.0.0a"/>
  <affects base="1.0.0" version="1.0.0b"/>
  <affects base="1.0.0" version="1.0.0c"/>
  <affects base="1.0.0" version="1.0.0d"/>
  <affects base="1.0.0" version="1.0.0e"/>
  <affects base="1.0.0" version="1.0.0f"/>
  <affects base="1.0.0" version="1.0.0g"/>
  <affects base="1.0.0" version="1.0.0i"/>
  <affects base="1.0.0" version="1.0.0j"/>
  <affects base="1.0.0" version="1.0.0k"/>
  <affects base="1.0.0" version="1.0.0l"/>
  <affects base="1.0.1" version="1.0.1"/>
  <affects base="1.0.1" version="1.0.1a"/>
  <affects base="1.0.1" version="1.0.1b"/>
  <affects base="1.0.1" version="1.0.1c"/>
  <affects base="1.0.1" version="1.0.1d"/>
  <affects base="1.0.1" version="1.0.1e"/>
  <affects base="1.0.1" version="1.0.1f"/>
  <affects base="1.0.1" version="1.0.1g"/>
  <fixed base="1.0.1" version="1.0.1h" date="20140605">
  </fixed>
  <fixed base="1.0.0" version="1.0.0m" date="20140605">
  </fixed>
  <description>A flaw in the do_ssl3_write function can allow remote attackers to
cause a denial of service via a NULL pointer dereference.  This flaw
only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is
enabled, which is not the default and not common.</description>
  <advisory url="/news/secadv/20140605.txt"/>
</issue>

<issue public="20140408">
  <cve name="2010-5298"/>
  <affects base="1.0.0" version="1.0.0"/>
  <affects base="1.0.0" version="1.0.0a"/>
  <affects base="1.0.0" version="1.0.0b"/>
  <affects base="1.0.0" version="1.0.0c"/>
  <affects base="1.0.0" version="1.0.0d"/>
  <affects base="1.0.0" version="1.0.0e"/>
  <affects base="1.0.0" version="1.0.0f"/>
  <affects base="1.0.0" version="1.0.0g"/>
  <affects base="1.0.0" version="1.0.0i"/>
  <affects base="1.0.0" version="1.0.0j"/>
  <affects base="1.0.0" version="1.0.0k"/>
  <affects base="1.0.0" version="1.0.0l"/>
  <affects base="1.0.1" version="1.0.1"/>
  <affects base="1.0.1" version="1.0.1a"/>
  <affects base="1.0.1" version="1.0.1b"/>
  <affects base="1.0.1" version="1.0.1c"/>
  <affects base="1.0.1" version="1.0.1d"/>
  <affects base="1.0.1" version="1.0.1e"/>
  <affects base="1.0.1" version="1.0.1f"/>
  <affects base="1.0.1" version="1.0.1g"/>
  <fixed base="1.0.1" version="1.0.1h" date="20140605">
  </fixed>
  <fixed base="1.0.0" version="1.0.0m" date="20140605">
  </fixed>
  <description>A race condition in the ssl3_read_bytes function can allow remote
attackers to inject data across sessions or cause a denial of service.
This flaw only affects multithreaded applications using OpenSSL 1.0.0
and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the
default and not common.</description>
  <advisory url="/news/secadv/20140605.txt"/>
</issue>

<issue public="20140530">
  <cve name="2014-3470"/>
  <affects base="0.9.8" version="0.9.8"/>
  <affects base="0.9.8" version="0.9.8a"/>
  <affects base="0.9.8" version="0.9.8b"/>
  <affects base="0.9.8" version="0.9.8c"/>
  <affects base="0.9.8" version="0.9.8d"/>
  <affects base="0.9.8" version="0.9.8e"/>
  <affects base="0.9.8" version="0.9.8f"/>
  <affects base="0.9.8" version="0.9.8g"/>
  <affects base="0.9.8" version="0.9.8h"/>
  <affects base="0.9.8" version="0.9.8i"/>
  <affects base="0.9.8" version="0.9.8j"/>
  <affects base="0.9.8" version="0.9.8k"/>
  <affects base="0.9.8" version="0.9.8l"/>
  <affects base="0.9.8" version="0.9.8m"/>
  <affects base="0.9.8" version="0.9.8n"/>
  <affects base="0.9.8" version="0.9.8o"/>
  <affects base="0.9.8" version="0.9.8p"/>
  <affects base="0.9.8" version="0.9.8q"/>
  <affects base="0.9.8" version="0.9.8r"/>
  <affects base="0.9.8" version="0.9.8s"/>
  <affects base="0.9.8" version="0.9.8t"/>
  <affects base="0.9.8" version="0.9.8u"/>
  <affects base="0.9.8" version="0.9.8v"/>
  <affects base="0.9.8" version="0.9.8w"/>
  <affects base="0.9.8" version="0.9.8x"/>
  <affects base="0.9.8" version="0.9.8y"/>
  <affects base="1.0.0" version="1.0.0"/>
  <affects base="1.0.0" version="1.0.0a"/>
  <affects base="1.0.0" version="1.0.0b"/>
  <affects base="1.0.0" version="1.0.0c"/>
  <affects base="1.0.0" version="1.0.0d"/>
  <affects base="1.0.0" version="1.0.0e"/>
  <affects base="1.0.0" version="1.0.0f"/>
  <affects base="1.0.0" version="1.0.0g"/>
  <affects base="1.0.0" version="1.0.0i"/>
  <affects base="1.0.0" version="1.0.0j"/>
  <affects base="1.0.0" version="1.0.0k"/>
  <affects base="1.0.0" version="1.0.0l"/>
  <affects base="1.0.1" version="1.0.1"/>
  <affects base="1.0.1" version="1.0.1a"/>
  <affects base="1.0.1" version="1.0.1b"/>
  <affects base="1.0.1" version="1.0.1c"/>
  <affects base="1.0.1" version="1.0.1d"/>
  <affects base="1.0.1" version="1.0.1e"/>
  <affects base="1.0.1" version="1.0.1f"/>
  <affects base="1.0.1" version="1.0.1g"/>
  <fixed base="1.0.1" version="1.0.1h" date="20140605">
  </fixed>
  <fixed base="1.0.0" version="1.0.0m" date="20140605">
  </fixed>
  <fixed base="0.9.8" version="0.9.8za" date="20140605">
  </fixed>
  <description>OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a
  denial of service attack.</description>
  <reported source="Felix Gröbert and Ivan Fratrić (Google)"/>
  <advisory url="/news/secadv/20140605.txt"/>
</issue>

</security>