1 <!-- All security issues affecting OpenSSL since the release of:
8 <security updated="20150108">
9 <issue public="20150108">
10 <cve name="CVE-2014-3571"/>
11 <affects base="0.9.8" version="0.9.8"/>
12 <affects base="0.9.8" version="0.9.8a"/>
13 <affects base="0.9.8" version="0.9.8b"/>
14 <affects base="0.9.8" version="0.9.8c"/>
15 <affects base="0.9.8" version="0.9.8d"/>
16 <affects base="0.9.8" version="0.9.8e"/>
17 <affects base="0.9.8" version="0.9.8f"/>
18 <affects base="0.9.8" version="0.9.8g"/>
19 <affects base="0.9.8" version="0.9.8h"/>
20 <affects base="0.9.8" version="0.9.8i"/>
21 <affects base="0.9.8" version="0.9.8j"/>
22 <affects base="0.9.8" version="0.9.8k"/>
23 <affects base="0.9.8" version="0.9.8l"/>
24 <affects base="0.9.8" version="0.9.8m"/>
25 <affects base="0.9.8" version="0.9.8n"/>
26 <affects base="0.9.8" version="0.9.8o"/>
27 <affects base="0.9.8" version="0.9.8p"/>
28 <affects base="0.9.8" version="0.9.8q"/>
29 <affects base="0.9.8" version="0.9.8r"/>
30 <affects base="0.9.8" version="0.9.8s"/>
31 <affects base="0.9.8" version="0.9.8t"/>
32 <affects base="0.9.8" version="0.9.8u"/>
33 <affects base="0.9.8" version="0.9.8v"/>
34 <affects base="0.9.8" version="0.9.8w"/>
35 <affects base="0.9.8" version="0.9.8x"/>
36 <affects base="0.9.8" version="0.9.8y"/>
37 <affects base="0.9.8" version="0.9.8za"/>
38 <affects base="0.9.8" version="0.9.8zb"/>
39 <affects base="0.9.8" version="0.9.8zc"/>
40 <affects base="1.0.0" version="1.0.0"/>
41 <affects base="1.0.0" version="1.0.0a"/>
42 <affects base="1.0.0" version="1.0.0b"/>
43 <affects base="1.0.0" version="1.0.0c"/>
44 <affects base="1.0.0" version="1.0.0d"/>
45 <affects base="1.0.0" version="1.0.0e"/>
46 <affects base="1.0.0" version="1.0.0f"/>
47 <affects base="1.0.0" version="1.0.0g"/>
48 <affects base="1.0.0" version="1.0.0i"/>
49 <affects base="1.0.0" version="1.0.0j"/>
50 <affects base="1.0.0" version="1.0.0k"/>
51 <affects base="1.0.0" version="1.0.0l"/>
52 <affects base="1.0.0" version="1.0.0m"/>
53 <affects base="1.0.0" version="1.0.0n"/>
54 <affects base="1.0.0" version="1.0.0o"/>
55 <affects base="1.0.1" version="1.0.1"/>
56 <affects base="1.0.1" version="1.0.1a"/>
57 <affects base="1.0.1" version="1.0.1b"/>
58 <affects base="1.0.1" version="1.0.1c"/>
59 <affects base="1.0.1" version="1.0.1d"/>
60 <affects base="1.0.1" version="1.0.1e"/>
61 <affects base="1.0.1" version="1.0.1f"/>
62 <affects base="1.0.1" version="1.0.1g"/>
63 <affects base="1.0.1" version="1.0.1h"/>
64 <affects base="1.0.1" version="1.0.1i"/>
65 <affects base="1.0.1" version="1.0.1j"/>
66 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
67 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
68 <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>
71 A carefully crafted DTLS message can cause a segmentation fault in OpenSSL
72 due to a NULL pointer dereference. This could lead to a Denial Of Service
75 <advisory url="http://www.openssl.org/news/secadv_20150108.txt"/>
76 <reported source="Markus Stenberg of Cisco Systems, Inc."/>
79 <issue public="20150108">
80 <cve name="CVE-2015-0206"/>
81 <affects base="1.0.0" version="1.0.0"/>
82 <affects base="1.0.0" version="1.0.0a"/>
83 <affects base="1.0.0" version="1.0.0b"/>
84 <affects base="1.0.0" version="1.0.0c"/>
85 <affects base="1.0.0" version="1.0.0d"/>
86 <affects base="1.0.0" version="1.0.0e"/>
87 <affects base="1.0.0" version="1.0.0f"/>
88 <affects base="1.0.0" version="1.0.0g"/>
89 <affects base="1.0.0" version="1.0.0i"/>
90 <affects base="1.0.0" version="1.0.0j"/>
91 <affects base="1.0.0" version="1.0.0k"/>
92 <affects base="1.0.0" version="1.0.0l"/>
93 <affects base="1.0.0" version="1.0.0m"/>
94 <affects base="1.0.0" version="1.0.0n"/>
95 <affects base="1.0.0" version="1.0.0o"/>
96 <affects base="1.0.1" version="1.0.1"/>
97 <affects base="1.0.1" version="1.0.1a"/>
98 <affects base="1.0.1" version="1.0.1b"/>
99 <affects base="1.0.1" version="1.0.1c"/>
100 <affects base="1.0.1" version="1.0.1d"/>
101 <affects base="1.0.1" version="1.0.1e"/>
102 <affects base="1.0.1" version="1.0.1f"/>
103 <affects base="1.0.1" version="1.0.1g"/>
104 <affects base="1.0.1" version="1.0.1h"/>
105 <affects base="1.0.1" version="1.0.1i"/>
106 <affects base="1.0.1" version="1.0.1j"/>
107 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
108 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
111 A memory leak can occur in the dtls1_buffer_record function under certain
112 conditions. In particular this could occur if an attacker sent repeated
113 DTLS records with the same sequence number but for the next epoch. The
114 memory leak could be exploited by an attacker in a Denial of Service
115 attack through memory exhaustion.
117 <advisory url="http://www.openssl.org/news/secadv_20150108.txt"/>
118 <reported source="Chris Mueller"/>
121 <issue public="20141021">
122 <cve name="CVE-2014-3569"/>
123 <affects base="0.9.8" version="0.9.8"/>
124 <affects base="0.9.8" version="0.9.8a"/>
125 <affects base="0.9.8" version="0.9.8b"/>
126 <affects base="0.9.8" version="0.9.8c"/>
127 <affects base="0.9.8" version="0.9.8d"/>
128 <affects base="0.9.8" version="0.9.8e"/>
129 <affects base="0.9.8" version="0.9.8f"/>
130 <affects base="0.9.8" version="0.9.8g"/>
131 <affects base="0.9.8" version="0.9.8h"/>
132 <affects base="0.9.8" version="0.9.8i"/>
133 <affects base="0.9.8" version="0.9.8j"/>
134 <affects base="0.9.8" version="0.9.8k"/>
135 <affects base="0.9.8" version="0.9.8l"/>
136 <affects base="0.9.8" version="0.9.8m"/>
137 <affects base="0.9.8" version="0.9.8n"/>
138 <affects base="0.9.8" version="0.9.8o"/>
139 <affects base="0.9.8" version="0.9.8p"/>
140 <affects base="0.9.8" version="0.9.8q"/>
141 <affects base="0.9.8" version="0.9.8r"/>
142 <affects base="0.9.8" version="0.9.8s"/>
143 <affects base="0.9.8" version="0.9.8t"/>
144 <affects base="0.9.8" version="0.9.8u"/>
145 <affects base="0.9.8" version="0.9.8v"/>
146 <affects base="0.9.8" version="0.9.8w"/>
147 <affects base="0.9.8" version="0.9.8x"/>
148 <affects base="0.9.8" version="0.9.8y"/>
149 <affects base="0.9.8" version="0.9.8za"/>
150 <affects base="0.9.8" version="0.9.8zb"/>
151 <affects base="0.9.8" version="0.9.8zc"/>
152 <affects base="1.0.0" version="1.0.0"/>
153 <affects base="1.0.0" version="1.0.0a"/>
154 <affects base="1.0.0" version="1.0.0b"/>
155 <affects base="1.0.0" version="1.0.0c"/>
156 <affects base="1.0.0" version="1.0.0d"/>
157 <affects base="1.0.0" version="1.0.0e"/>
158 <affects base="1.0.0" version="1.0.0f"/>
159 <affects base="1.0.0" version="1.0.0g"/>
160 <affects base="1.0.0" version="1.0.0i"/>
161 <affects base="1.0.0" version="1.0.0j"/>
162 <affects base="1.0.0" version="1.0.0k"/>
163 <affects base="1.0.0" version="1.0.0l"/>
164 <affects base="1.0.0" version="1.0.0m"/>
165 <affects base="1.0.0" version="1.0.0n"/>
166 <affects base="1.0.0" version="1.0.0o"/>
167 <affects base="1.0.1" version="1.0.1"/>
168 <affects base="1.0.1" version="1.0.1a"/>
169 <affects base="1.0.1" version="1.0.1b"/>
170 <affects base="1.0.1" version="1.0.1c"/>
171 <affects base="1.0.1" version="1.0.1d"/>
172 <affects base="1.0.1" version="1.0.1e"/>
173 <affects base="1.0.1" version="1.0.1f"/>
174 <affects base="1.0.1" version="1.0.1g"/>
175 <affects base="1.0.1" version="1.0.1h"/>
176 <affects base="1.0.1" version="1.0.1i"/>
177 <affects base="1.0.1" version="1.0.1j"/>
178 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
179 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
180 <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>
183 When openssl is built with the no-ssl3 option and a SSL v3 ClientHello is
184 received the ssl method would be set to NULL which could later result in
185 a NULL pointer dereference.
187 <advisory url="http://www.openssl.org/news/secadv_20150108.txt"/>
188 <reported source="Frank Schmirler"/>
191 <issue public="20150105">
192 <cve name="CVE-2014-3572"/>
193 <affects base="0.9.8" version="0.9.8"/>
194 <affects base="0.9.8" version="0.9.8a"/>
195 <affects base="0.9.8" version="0.9.8b"/>
196 <affects base="0.9.8" version="0.9.8c"/>
197 <affects base="0.9.8" version="0.9.8d"/>
198 <affects base="0.9.8" version="0.9.8e"/>
199 <affects base="0.9.8" version="0.9.8f"/>
200 <affects base="0.9.8" version="0.9.8g"/>
201 <affects base="0.9.8" version="0.9.8h"/>
202 <affects base="0.9.8" version="0.9.8i"/>
203 <affects base="0.9.8" version="0.9.8j"/>
204 <affects base="0.9.8" version="0.9.8k"/>
205 <affects base="0.9.8" version="0.9.8l"/>
206 <affects base="0.9.8" version="0.9.8m"/>
207 <affects base="0.9.8" version="0.9.8n"/>
208 <affects base="0.9.8" version="0.9.8o"/>
209 <affects base="0.9.8" version="0.9.8p"/>
210 <affects base="0.9.8" version="0.9.8q"/>
211 <affects base="0.9.8" version="0.9.8r"/>
212 <affects base="0.9.8" version="0.9.8s"/>
213 <affects base="0.9.8" version="0.9.8t"/>
214 <affects base="0.9.8" version="0.9.8u"/>
215 <affects base="0.9.8" version="0.9.8v"/>
216 <affects base="0.9.8" version="0.9.8w"/>
217 <affects base="0.9.8" version="0.9.8x"/>
218 <affects base="0.9.8" version="0.9.8y"/>
219 <affects base="0.9.8" version="0.9.8za"/>
220 <affects base="0.9.8" version="0.9.8zb"/>
221 <affects base="0.9.8" version="0.9.8zc"/>
222 <affects base="1.0.0" version="1.0.0"/>
223 <affects base="1.0.0" version="1.0.0a"/>
224 <affects base="1.0.0" version="1.0.0b"/>
225 <affects base="1.0.0" version="1.0.0c"/>
226 <affects base="1.0.0" version="1.0.0d"/>
227 <affects base="1.0.0" version="1.0.0e"/>
228 <affects base="1.0.0" version="1.0.0f"/>
229 <affects base="1.0.0" version="1.0.0g"/>
230 <affects base="1.0.0" version="1.0.0i"/>
231 <affects base="1.0.0" version="1.0.0j"/>
232 <affects base="1.0.0" version="1.0.0k"/>
233 <affects base="1.0.0" version="1.0.0l"/>
234 <affects base="1.0.0" version="1.0.0m"/>
235 <affects base="1.0.0" version="1.0.0n"/>
236 <affects base="1.0.0" version="1.0.0o"/>
237 <affects base="1.0.1" version="1.0.1"/>
238 <affects base="1.0.1" version="1.0.1a"/>
239 <affects base="1.0.1" version="1.0.1b"/>
240 <affects base="1.0.1" version="1.0.1c"/>
241 <affects base="1.0.1" version="1.0.1d"/>
242 <affects base="1.0.1" version="1.0.1e"/>
243 <affects base="1.0.1" version="1.0.1f"/>
244 <affects base="1.0.1" version="1.0.1g"/>
245 <affects base="1.0.1" version="1.0.1h"/>
246 <affects base="1.0.1" version="1.0.1i"/>
247 <affects base="1.0.1" version="1.0.1j"/>
248 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
249 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
250 <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>
253 An OpenSSL client will accept a handshake using an ephemeral ECDH
254 ciphersuite using an ECDSA certificate if the server key exchange message
255 is omitted. This effectively removes forward secrecy from the ciphersuite.
257 <advisory url="http://www.openssl.org/news/secadv_20150108.txt"/>
258 <reported source="Karthikeyan Bhargavan of the PROSECCO team at INRIA"/>
261 <issue public="20150106">
262 <cve name="CVE-2015-0204"/>
263 <affects base="0.9.8" version="0.9.8"/>
264 <affects base="0.9.8" version="0.9.8a"/>
265 <affects base="0.9.8" version="0.9.8b"/>
266 <affects base="0.9.8" version="0.9.8c"/>
267 <affects base="0.9.8" version="0.9.8d"/>
268 <affects base="0.9.8" version="0.9.8e"/>
269 <affects base="0.9.8" version="0.9.8f"/>
270 <affects base="0.9.8" version="0.9.8g"/>
271 <affects base="0.9.8" version="0.9.8h"/>
272 <affects base="0.9.8" version="0.9.8i"/>
273 <affects base="0.9.8" version="0.9.8j"/>
274 <affects base="0.9.8" version="0.9.8k"/>
275 <affects base="0.9.8" version="0.9.8l"/>
276 <affects base="0.9.8" version="0.9.8m"/>
277 <affects base="0.9.8" version="0.9.8n"/>
278 <affects base="0.9.8" version="0.9.8o"/>
279 <affects base="0.9.8" version="0.9.8p"/>
280 <affects base="0.9.8" version="0.9.8q"/>
281 <affects base="0.9.8" version="0.9.8r"/>
282 <affects base="0.9.8" version="0.9.8s"/>
283 <affects base="0.9.8" version="0.9.8t"/>
284 <affects base="0.9.8" version="0.9.8u"/>
285 <affects base="0.9.8" version="0.9.8v"/>
286 <affects base="0.9.8" version="0.9.8w"/>
287 <affects base="0.9.8" version="0.9.8x"/>
288 <affects base="0.9.8" version="0.9.8y"/>
289 <affects base="0.9.8" version="0.9.8za"/>
290 <affects base="0.9.8" version="0.9.8zb"/>
291 <affects base="0.9.8" version="0.9.8zc"/>
292 <affects base="1.0.0" version="1.0.0"/>
293 <affects base="1.0.0" version="1.0.0a"/>
294 <affects base="1.0.0" version="1.0.0b"/>
295 <affects base="1.0.0" version="1.0.0c"/>
296 <affects base="1.0.0" version="1.0.0d"/>
297 <affects base="1.0.0" version="1.0.0e"/>
298 <affects base="1.0.0" version="1.0.0f"/>
299 <affects base="1.0.0" version="1.0.0g"/>
300 <affects base="1.0.0" version="1.0.0i"/>
301 <affects base="1.0.0" version="1.0.0j"/>
302 <affects base="1.0.0" version="1.0.0k"/>
303 <affects base="1.0.0" version="1.0.0l"/>
304 <affects base="1.0.0" version="1.0.0m"/>
305 <affects base="1.0.0" version="1.0.0n"/>
306 <affects base="1.0.0" version="1.0.0o"/>
307 <affects base="1.0.1" version="1.0.1"/>
308 <affects base="1.0.1" version="1.0.1a"/>
309 <affects base="1.0.1" version="1.0.1b"/>
310 <affects base="1.0.1" version="1.0.1c"/>
311 <affects base="1.0.1" version="1.0.1d"/>
312 <affects base="1.0.1" version="1.0.1e"/>
313 <affects base="1.0.1" version="1.0.1f"/>
314 <affects base="1.0.1" version="1.0.1g"/>
315 <affects base="1.0.1" version="1.0.1h"/>
316 <affects base="1.0.1" version="1.0.1i"/>
317 <affects base="1.0.1" version="1.0.1j"/>
318 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
319 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
320 <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>
323 An OpenSSL client will accept the use of an RSA temporary key in a
324 non-export RSA key exchange ciphersuite. A server could present a weak
325 temporary key and downgrade the security of the session.
327 <advisory url="http://www.openssl.org/news/secadv_20150108.txt"/>
328 <reported source="Karthikeyan Bhargavan of the PROSECCO team at INRIA"/>
331 <issue public="20150108">
332 <cve name="CVE-2015-0205"/>
333 <affects base="1.0.0" version="1.0.0"/>
334 <affects base="1.0.0" version="1.0.0a"/>
335 <affects base="1.0.0" version="1.0.0b"/>
336 <affects base="1.0.0" version="1.0.0c"/>
337 <affects base="1.0.0" version="1.0.0d"/>
338 <affects base="1.0.0" version="1.0.0e"/>
339 <affects base="1.0.0" version="1.0.0f"/>
340 <affects base="1.0.0" version="1.0.0g"/>
341 <affects base="1.0.0" version="1.0.0i"/>
342 <affects base="1.0.0" version="1.0.0j"/>
343 <affects base="1.0.0" version="1.0.0k"/>
344 <affects base="1.0.0" version="1.0.0l"/>
345 <affects base="1.0.0" version="1.0.0m"/>
346 <affects base="1.0.0" version="1.0.0n"/>
347 <affects base="1.0.0" version="1.0.0o"/>
348 <affects base="1.0.1" version="1.0.1"/>
349 <affects base="1.0.1" version="1.0.1a"/>
350 <affects base="1.0.1" version="1.0.1b"/>
351 <affects base="1.0.1" version="1.0.1c"/>
352 <affects base="1.0.1" version="1.0.1d"/>
353 <affects base="1.0.1" version="1.0.1e"/>
354 <affects base="1.0.1" version="1.0.1f"/>
355 <affects base="1.0.1" version="1.0.1g"/>
356 <affects base="1.0.1" version="1.0.1h"/>
357 <affects base="1.0.1" version="1.0.1i"/>
358 <affects base="1.0.1" version="1.0.1j"/>
359 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
360 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
363 An OpenSSL server will accept a DH certificate for client authentication
364 without the certificate verify message. This effectively allows a client
365 to authenticate without the use of a private key. This only affects
366 servers which trust a client certificate authority which issues
367 certificates containing DH keys: these are extremely rare and hardly ever
370 <advisory url="http://www.openssl.org/news/secadv_20150108.txt"/>
371 <reported source="Karthikeyan Bhargavan of the PROSECCO team at INRIA"/>
374 <issue public="20150105">
375 <cve name="CVE-2014-8275"/>
376 <affects base="0.9.8" version="0.9.8"/>
377 <affects base="0.9.8" version="0.9.8a"/>
378 <affects base="0.9.8" version="0.9.8b"/>
379 <affects base="0.9.8" version="0.9.8c"/>
380 <affects base="0.9.8" version="0.9.8d"/>
381 <affects base="0.9.8" version="0.9.8e"/>
382 <affects base="0.9.8" version="0.9.8f"/>
383 <affects base="0.9.8" version="0.9.8g"/>
384 <affects base="0.9.8" version="0.9.8h"/>
385 <affects base="0.9.8" version="0.9.8i"/>
386 <affects base="0.9.8" version="0.9.8j"/>
387 <affects base="0.9.8" version="0.9.8k"/>
388 <affects base="0.9.8" version="0.9.8l"/>
389 <affects base="0.9.8" version="0.9.8m"/>
390 <affects base="0.9.8" version="0.9.8n"/>
391 <affects base="0.9.8" version="0.9.8o"/>
392 <affects base="0.9.8" version="0.9.8p"/>
393 <affects base="0.9.8" version="0.9.8q"/>
394 <affects base="0.9.8" version="0.9.8r"/>
395 <affects base="0.9.8" version="0.9.8s"/>
396 <affects base="0.9.8" version="0.9.8t"/>
397 <affects base="0.9.8" version="0.9.8u"/>
398 <affects base="0.9.8" version="0.9.8v"/>
399 <affects base="0.9.8" version="0.9.8w"/>
400 <affects base="0.9.8" version="0.9.8x"/>
401 <affects base="0.9.8" version="0.9.8y"/>
402 <affects base="0.9.8" version="0.9.8za"/>
403 <affects base="0.9.8" version="0.9.8zb"/>
404 <affects base="0.9.8" version="0.9.8zc"/>
405 <affects base="1.0.0" version="1.0.0"/>
406 <affects base="1.0.0" version="1.0.0a"/>
407 <affects base="1.0.0" version="1.0.0b"/>
408 <affects base="1.0.0" version="1.0.0c"/>
409 <affects base="1.0.0" version="1.0.0d"/>
410 <affects base="1.0.0" version="1.0.0e"/>
411 <affects base="1.0.0" version="1.0.0f"/>
412 <affects base="1.0.0" version="1.0.0g"/>
413 <affects base="1.0.0" version="1.0.0i"/>
414 <affects base="1.0.0" version="1.0.0j"/>
415 <affects base="1.0.0" version="1.0.0k"/>
416 <affects base="1.0.0" version="1.0.0l"/>
417 <affects base="1.0.0" version="1.0.0m"/>
418 <affects base="1.0.0" version="1.0.0n"/>
419 <affects base="1.0.0" version="1.0.0o"/>
420 <affects base="1.0.1" version="1.0.1"/>
421 <affects base="1.0.1" version="1.0.1a"/>
422 <affects base="1.0.1" version="1.0.1b"/>
423 <affects base="1.0.1" version="1.0.1c"/>
424 <affects base="1.0.1" version="1.0.1d"/>
425 <affects base="1.0.1" version="1.0.1e"/>
426 <affects base="1.0.1" version="1.0.1f"/>
427 <affects base="1.0.1" version="1.0.1g"/>
428 <affects base="1.0.1" version="1.0.1h"/>
429 <affects base="1.0.1" version="1.0.1i"/>
430 <affects base="1.0.1" version="1.0.1j"/>
431 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
432 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
433 <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>
436 OpenSSL accepts several non-DER-variations of certificate signature
437 algorithm and signature encodings. OpenSSL also does not enforce a
438 match between the signature algorithm between the signed and unsigned
439 portions of the certificate. By modifying the contents of the
440 signature algorithm or the encoding of the signature, it is possible
441 to change the certificate's fingerprint.
443 This does not allow an attacker to forge certificates, and does not
444 affect certificate verification or OpenSSL servers/clients in any other
445 way. It also does not affect common revocation mechanisms. Only custom
446 applications that rely on the uniqueness of the fingerprint (e.g.
447 certificate blacklists) may be affected.
449 <advisory url="http://www.openssl.org/news/secadv_20150108.txt"/>
450 <reported source="Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS program/Konrad Kraszewski from Google"/>
453 <issue public="20150108">
454 <cve name="CVE-2014-3570"/>
455 <affects base="0.9.8" version="0.9.8"/>
456 <affects base="0.9.8" version="0.9.8a"/>
457 <affects base="0.9.8" version="0.9.8b"/>
458 <affects base="0.9.8" version="0.9.8c"/>
459 <affects base="0.9.8" version="0.9.8d"/>
460 <affects base="0.9.8" version="0.9.8e"/>
461 <affects base="0.9.8" version="0.9.8f"/>
462 <affects base="0.9.8" version="0.9.8g"/>
463 <affects base="0.9.8" version="0.9.8h"/>
464 <affects base="0.9.8" version="0.9.8i"/>
465 <affects base="0.9.8" version="0.9.8j"/>
466 <affects base="0.9.8" version="0.9.8k"/>
467 <affects base="0.9.8" version="0.9.8l"/>
468 <affects base="0.9.8" version="0.9.8m"/>
469 <affects base="0.9.8" version="0.9.8n"/>
470 <affects base="0.9.8" version="0.9.8o"/>
471 <affects base="0.9.8" version="0.9.8p"/>
472 <affects base="0.9.8" version="0.9.8q"/>
473 <affects base="0.9.8" version="0.9.8r"/>
474 <affects base="0.9.8" version="0.9.8s"/>
475 <affects base="0.9.8" version="0.9.8t"/>
476 <affects base="0.9.8" version="0.9.8u"/>
477 <affects base="0.9.8" version="0.9.8v"/>
478 <affects base="0.9.8" version="0.9.8w"/>
479 <affects base="0.9.8" version="0.9.8x"/>
480 <affects base="0.9.8" version="0.9.8y"/>
481 <affects base="0.9.8" version="0.9.8za"/>
482 <affects base="0.9.8" version="0.9.8zb"/>
483 <affects base="0.9.8" version="0.9.8zc"/>
484 <affects base="1.0.0" version="1.0.0"/>
485 <affects base="1.0.0" version="1.0.0a"/>
486 <affects base="1.0.0" version="1.0.0b"/>
487 <affects base="1.0.0" version="1.0.0c"/>
488 <affects base="1.0.0" version="1.0.0d"/>
489 <affects base="1.0.0" version="1.0.0e"/>
490 <affects base="1.0.0" version="1.0.0f"/>
491 <affects base="1.0.0" version="1.0.0g"/>
492 <affects base="1.0.0" version="1.0.0i"/>
493 <affects base="1.0.0" version="1.0.0j"/>
494 <affects base="1.0.0" version="1.0.0k"/>
495 <affects base="1.0.0" version="1.0.0l"/>
496 <affects base="1.0.0" version="1.0.0m"/>
497 <affects base="1.0.0" version="1.0.0n"/>
498 <affects base="1.0.0" version="1.0.0o"/>
499 <affects base="1.0.1" version="1.0.1"/>
500 <affects base="1.0.1" version="1.0.1a"/>
501 <affects base="1.0.1" version="1.0.1b"/>
502 <affects base="1.0.1" version="1.0.1c"/>
503 <affects base="1.0.1" version="1.0.1d"/>
504 <affects base="1.0.1" version="1.0.1e"/>
505 <affects base="1.0.1" version="1.0.1f"/>
506 <affects base="1.0.1" version="1.0.1g"/>
507 <affects base="1.0.1" version="1.0.1h"/>
508 <affects base="1.0.1" version="1.0.1i"/>
509 <affects base="1.0.1" version="1.0.1j"/>
510 <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
511 <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
512 <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>
515 Bignum squaring (BN_sqr) may produce incorrect results on some platforms,
516 including x86_64. This bug occurs at random with a very low probability,
517 and is not known to be exploitable in any way, though its exact impact is
518 difficult to determine. The following has been determined:
520 *) The probability of BN_sqr producing an incorrect result at random is
521 very low: 1/2^64 on the single affected 32-bit platform (MIPS) and 1/2^128
522 on affected 64-bit platforms.
523 *) On most platforms, RSA follows a different code path and RSA operations
524 are not affected at all. For the remaining platforms (e.g. OpenSSL built
525 without assembly support), pre-existing countermeasures thwart bug
527 *) Static ECDH is theoretically affected: it is possible to construct
528 elliptic curve points that would falsely appear to be on the given curve.
529 However, there is no known computationally feasible way to construct such
530 points with low order, and so the security of static ECDH private keys is
531 believed to be unaffected.
532 *) Other routines known to be theoretically affected are modular
533 exponentiation, primality testing, DSA, RSA blinding, JPAKE and SRP. No
534 exploits are known and straightforward bug attacks fail - either the
535 attacker cannot control when the bug triggers, or no private key material
538 <advisory url="http://www.openssl.org/news/secadv_20150108.txt"/>
539 <reported source="Pieter Wuille (Blockstream)"/>
542 <issue public="20141015">
543 <cve name="2014-3513"/>
544 <affects base="1.0.1" version="1.0.1"/>
545 <affects base="1.0.1" version="1.0.1a"/>
546 <affects base="1.0.1" version="1.0.1b"/>
547 <affects base="1.0.1" version="1.0.1c"/>
548 <affects base="1.0.1" version="1.0.1d"/>
549 <affects base="1.0.1" version="1.0.1e"/>
550 <affects base="1.0.1" version="1.0.1f"/>
551 <affects base="1.0.1" version="1.0.1g"/>
552 <affects base="1.0.1" version="1.0.1h"/>
553 <affects base="1.0.1" version="1.0.1i"/>
554 <fixed base="1.0.1" version="1.0.1j" date="20141015"/>
556 A flaw in the DTLS SRTP extension parsing code allows an attacker, who
557 sends a carefully crafted handshake message, to cause OpenSSL to fail
558 to free up to 64k of memory causing a memory leak. This could be
559 exploited in a Denial Of Service attack. This issue affects OpenSSL
560 1.0.1 server implementations for both SSL/TLS and DTLS regardless of
561 whether SRTP is used or configured. Implementations of OpenSSL that
562 have been compiled with OPENSSL_NO_SRTP defined are not affected.
564 <advisory url="http://www.openssl.org/news/secadv_20141015.txt"/>
565 <reported source="LibreSSL project"/>
568 <issue public="20141015">
569 <cve name="2014-3567"/>
570 <affects base="0.9.8" version="0.9.8g"/>
571 <affects base="0.9.8" version="0.9.8h"/>
572 <affects base="0.9.8" version="0.9.8i"/>
573 <affects base="0.9.8" version="0.9.8j"/>
574 <affects base="0.9.8" version="0.9.8k"/>
575 <affects base="0.9.8" version="0.9.8l"/>
576 <affects base="0.9.8" version="0.9.8m"/>
577 <affects base="0.9.8" version="0.9.8n"/>
578 <affects base="0.9.8" version="0.9.8o"/>
579 <affects base="0.9.8" version="0.9.8p"/>
580 <affects base="0.9.8" version="0.9.8q"/>
581 <affects base="0.9.8" version="0.9.8r"/>
582 <affects base="0.9.8" version="0.9.8s"/>
583 <affects base="0.9.8" version="0.9.8t"/>
584 <affects base="0.9.8" version="0.9.8u"/>
585 <affects base="0.9.8" version="0.9.8v"/>
586 <affects base="0.9.8" version="0.9.8w"/>
587 <affects base="0.9.8" version="0.9.8x"/>
588 <affects base="0.9.8" version="0.9.8y"/>
589 <affects base="0.9.8" version="0.9.8za"/>
590 <affects base="0.9.8" version="0.9.8zb"/>
591 <affects base="1.0.0" version="1.0.0"/>
592 <affects base="1.0.0" version="1.0.0a"/>
593 <affects base="1.0.0" version="1.0.0b"/>
594 <affects base="1.0.0" version="1.0.0c"/>
595 <affects base="1.0.0" version="1.0.0d"/>
596 <affects base="1.0.0" version="1.0.0e"/>
597 <affects base="1.0.0" version="1.0.0f"/>
598 <affects base="1.0.0" version="1.0.0g"/>
599 <affects base="1.0.0" version="1.0.0i"/>
600 <affects base="1.0.0" version="1.0.0j"/>
601 <affects base="1.0.0" version="1.0.0k"/>
602 <affects base="1.0.0" version="1.0.0l"/>
603 <affects base="1.0.0" version="1.0.0m"/>
604 <affects base="1.0.0" version="1.0.0n"/>
605 <affects base="1.0.1" version="1.0.1"/>
606 <affects base="1.0.1" version="1.0.1a"/>
607 <affects base="1.0.1" version="1.0.1b"/>
608 <affects base="1.0.1" version="1.0.1c"/>
609 <affects base="1.0.1" version="1.0.1d"/>
610 <affects base="1.0.1" version="1.0.1e"/>
611 <affects base="1.0.1" version="1.0.1f"/>
612 <affects base="1.0.1" version="1.0.1g"/>
613 <affects base="1.0.1" version="1.0.1h"/>
614 <affects base="1.0.1" version="1.0.1i"/>
615 <fixed base="1.0.1" version="1.0.1j" date="20140806"/>
616 <fixed base="1.0.0" version="1.0.0o" date="20140806"/>
617 <fixed base="0.9.8" version="0.9.8zc" date="20140806"/>
619 When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
620 integrity of that ticket is first verified. In the event of a session
621 ticket integrity check failing, OpenSSL will fail to free memory
622 causing a memory leak. By sending a large number of invalid session
623 tickets an attacker could exploit this issue in a Denial Of Service
626 <advisory url="http://www.openssl.org/news/secadv_20141015.txt"/>
628 <issue public="20141015">
629 <cve name=""/> <!-- this is deliberate -->
630 <affects base="0.9.8" version="0.9.8"/>
631 <affects base="0.9.8" version="0.9.8a"/>
632 <affects base="0.9.8" version="0.9.8b"/>
633 <affects base="0.9.8" version="0.9.8c"/>
634 <affects base="0.9.8" version="0.9.8d"/>
635 <affects base="0.9.8" version="0.9.8e"/>
636 <affects base="0.9.8" version="0.9.8f"/>
637 <affects base="0.9.8" version="0.9.8g"/>
638 <affects base="0.9.8" version="0.9.8h"/>
639 <affects base="0.9.8" version="0.9.8i"/>
640 <affects base="0.9.8" version="0.9.8j"/>
641 <affects base="0.9.8" version="0.9.8k"/>
642 <affects base="0.9.8" version="0.9.8l"/>
643 <affects base="0.9.8" version="0.9.8m"/>
644 <affects base="0.9.8" version="0.9.8n"/>
645 <affects base="0.9.8" version="0.9.8o"/>
646 <affects base="0.9.8" version="0.9.8p"/>
647 <affects base="0.9.8" version="0.9.8q"/>
648 <affects base="0.9.8" version="0.9.8r"/>
649 <affects base="0.9.8" version="0.9.8s"/>
650 <affects base="0.9.8" version="0.9.8t"/>
651 <affects base="0.9.8" version="0.9.8u"/>
652 <affects base="0.9.8" version="0.9.8v"/>
653 <affects base="0.9.8" version="0.9.8w"/>
654 <affects base="0.9.8" version="0.9.8x"/>
655 <affects base="0.9.8" version="0.9.8y"/>
656 <affects base="0.9.8" version="0.9.8za"/>
657 <affects base="0.9.8" version="0.9.8zb"/>
658 <affects base="1.0.0" version="1.0.0"/>
659 <affects base="1.0.0" version="1.0.0a"/>
660 <affects base="1.0.0" version="1.0.0b"/>
661 <affects base="1.0.0" version="1.0.0c"/>
662 <affects base="1.0.0" version="1.0.0d"/>
663 <affects base="1.0.0" version="1.0.0e"/>
664 <affects base="1.0.0" version="1.0.0f"/>
665 <affects base="1.0.0" version="1.0.0g"/>
666 <affects base="1.0.0" version="1.0.0i"/>
667 <affects base="1.0.0" version="1.0.0j"/>
668 <affects base="1.0.0" version="1.0.0k"/>
669 <affects base="1.0.0" version="1.0.0l"/>
670 <affects base="1.0.0" version="1.0.0m"/>
671 <affects base="1.0.0" version="1.0.0n"/>
672 <affects base="1.0.1" version="1.0.1"/>
673 <affects base="1.0.1" version="1.0.1a"/>
674 <affects base="1.0.1" version="1.0.1b"/>
675 <affects base="1.0.1" version="1.0.1c"/>
676 <affects base="1.0.1" version="1.0.1d"/>
677 <affects base="1.0.1" version="1.0.1e"/>
678 <affects base="1.0.1" version="1.0.1f"/>
679 <affects base="1.0.1" version="1.0.1g"/>
680 <affects base="1.0.1" version="1.0.1h"/>
681 <affects base="1.0.1" version="1.0.1i"/>
682 <fixed base="1.0.1" version="1.0.1j" date="20140806"/>
683 <fixed base="1.0.0" version="1.0.0o" date="20140806"/>
684 <fixed base="0.9.8" version="0.9.8zc" date="20140806"/>
686 OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
687 to block the ability for a MITM attacker to force a protocol
690 Some client applications (such as browsers) will reconnect using a
691 downgraded protocol to work around interoperability bugs in older
692 servers. This could be exploited by an active man-in-the-middle to
693 downgrade connections to SSL 3.0 even if both sides of the connection
694 support higher protocols. SSL 3.0 contains a number of weaknesses
695 including POODLE (CVE-2014-3566).
698 https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 and
699 https://www.openssl.org/~bodo/ssl-poodle.pdf
703 <issue public="20141015">
704 <cve name="2014-3568"/>
705 <affects base="0.9.8" version="0.9.8"/>
706 <affects base="0.9.8" version="0.9.8a"/>
707 <affects base="0.9.8" version="0.9.8b"/>
708 <affects base="0.9.8" version="0.9.8c"/>
709 <affects base="0.9.8" version="0.9.8d"/>
710 <affects base="0.9.8" version="0.9.8e"/>
711 <affects base="0.9.8" version="0.9.8f"/>
712 <affects base="0.9.8" version="0.9.8g"/>
713 <affects base="0.9.8" version="0.9.8h"/>
714 <affects base="0.9.8" version="0.9.8i"/>
715 <affects base="0.9.8" version="0.9.8j"/>
716 <affects base="0.9.8" version="0.9.8k"/>
717 <affects base="0.9.8" version="0.9.8l"/>
718 <affects base="0.9.8" version="0.9.8m"/>
719 <affects base="0.9.8" version="0.9.8n"/>
720 <affects base="0.9.8" version="0.9.8o"/>
721 <affects base="0.9.8" version="0.9.8p"/>
722 <affects base="0.9.8" version="0.9.8q"/>
723 <affects base="0.9.8" version="0.9.8r"/>
724 <affects base="0.9.8" version="0.9.8s"/>
725 <affects base="0.9.8" version="0.9.8t"/>
726 <affects base="0.9.8" version="0.9.8u"/>
727 <affects base="0.9.8" version="0.9.8v"/>
728 <affects base="0.9.8" version="0.9.8w"/>
729 <affects base="0.9.8" version="0.9.8x"/>
730 <affects base="0.9.8" version="0.9.8y"/>
731 <affects base="0.9.8" version="0.9.8za"/>
732 <affects base="0.9.8" version="0.9.8zb"/>
733 <affects base="1.0.0" version="1.0.0"/>
734 <affects base="1.0.0" version="1.0.0a"/>
735 <affects base="1.0.0" version="1.0.0b"/>
736 <affects base="1.0.0" version="1.0.0c"/>
737 <affects base="1.0.0" version="1.0.0d"/>
738 <affects base="1.0.0" version="1.0.0e"/>
739 <affects base="1.0.0" version="1.0.0f"/>
740 <affects base="1.0.0" version="1.0.0g"/>
741 <affects base="1.0.0" version="1.0.0i"/>
742 <affects base="1.0.0" version="1.0.0j"/>
743 <affects base="1.0.0" version="1.0.0k"/>
744 <affects base="1.0.0" version="1.0.0l"/>
745 <affects base="1.0.0" version="1.0.0m"/>
746 <affects base="1.0.0" version="1.0.0n"/>
747 <affects base="1.0.1" version="1.0.1"/>
748 <affects base="1.0.1" version="1.0.1a"/>
749 <affects base="1.0.1" version="1.0.1b"/>
750 <affects base="1.0.1" version="1.0.1c"/>
751 <affects base="1.0.1" version="1.0.1d"/>
752 <affects base="1.0.1" version="1.0.1e"/>
753 <affects base="1.0.1" version="1.0.1f"/>
754 <affects base="1.0.1" version="1.0.1g"/>
755 <affects base="1.0.1" version="1.0.1h"/>
756 <affects base="1.0.1" version="1.0.1i"/>
757 <fixed base="1.0.1" version="1.0.1j" date="20140806"/>
758 <fixed base="1.0.0" version="1.0.0o" date="20140806"/>
759 <fixed base="0.9.8" version="0.9.8zc" date="20140806"/>
762 When OpenSSL is configured with "no-ssl3" as a build option, servers
763 could accept and complete a SSL 3.0 handshake, and clients could be
764 configured to send them.
766 <advisory url="http://www.openssl.org/news/secadv_20141015.txt"/>
767 <reported source="Akamai Technologies"/>
769 <issue public="20140806">
770 <cve name="2014-3508"/>
771 <affects base="0.9.8" version="0.9.8"/>
772 <affects base="0.9.8" version="0.9.8a"/>
773 <affects base="0.9.8" version="0.9.8b"/>
774 <affects base="0.9.8" version="0.9.8c"/>
775 <affects base="0.9.8" version="0.9.8d"/>
776 <affects base="0.9.8" version="0.9.8e"/>
777 <affects base="0.9.8" version="0.9.8f"/>
778 <affects base="0.9.8" version="0.9.8g"/>
779 <affects base="0.9.8" version="0.9.8h"/>
780 <affects base="0.9.8" version="0.9.8i"/>
781 <affects base="0.9.8" version="0.9.8j"/>
782 <affects base="0.9.8" version="0.9.8k"/>
783 <affects base="0.9.8" version="0.9.8l"/>
784 <affects base="0.9.8" version="0.9.8m"/>
785 <affects base="0.9.8" version="0.9.8n"/>
786 <affects base="0.9.8" version="0.9.8o"/>
787 <affects base="0.9.8" version="0.9.8p"/>
788 <affects base="0.9.8" version="0.9.8q"/>
789 <affects base="0.9.8" version="0.9.8r"/>
790 <affects base="0.9.8" version="0.9.8s"/>
791 <affects base="0.9.8" version="0.9.8t"/>
792 <affects base="0.9.8" version="0.9.8u"/>
793 <affects base="0.9.8" version="0.9.8v"/>
794 <affects base="0.9.8" version="0.9.8w"/>
795 <affects base="0.9.8" version="0.9.8x"/>
796 <affects base="0.9.8" version="0.9.8y"/>
797 <affects base="0.9.8" version="0.9.8za"/>
798 <affects base="1.0.0" version="1.0.0"/>
799 <affects base="1.0.0" version="1.0.0a"/>
800 <affects base="1.0.0" version="1.0.0b"/>
801 <affects base="1.0.0" version="1.0.0c"/>
802 <affects base="1.0.0" version="1.0.0d"/>
803 <affects base="1.0.0" version="1.0.0e"/>
804 <affects base="1.0.0" version="1.0.0f"/>
805 <affects base="1.0.0" version="1.0.0g"/>
806 <affects base="1.0.0" version="1.0.0i"/>
807 <affects base="1.0.0" version="1.0.0j"/>
808 <affects base="1.0.0" version="1.0.0k"/>
809 <affects base="1.0.0" version="1.0.0l"/>
810 <affects base="1.0.0" version="1.0.0m"/>
811 <affects base="1.0.1" version="1.0.1"/>
812 <affects base="1.0.1" version="1.0.1a"/>
813 <affects base="1.0.1" version="1.0.1b"/>
814 <affects base="1.0.1" version="1.0.1c"/>
815 <affects base="1.0.1" version="1.0.1d"/>
816 <affects base="1.0.1" version="1.0.1e"/>
817 <affects base="1.0.1" version="1.0.1f"/>
818 <affects base="1.0.1" version="1.0.1g"/>
819 <affects base="1.0.1" version="1.0.1h"/>
820 <fixed base="1.0.1" version="1.0.1i" date="20140806">
822 <fixed base="1.0.0" version="1.0.0n" date="20140806">
824 <fixed base="0.9.8" version="0.9.8zb" date="20140806">
827 A flaw in OBJ_obj2txt may cause pretty printing functions such as
828 X509_name_oneline, X509_name_print_ex, to leak some information from the
829 stack. Applications may be affected if they echo pretty printing output to the
830 attacker. OpenSSL SSL/TLS clients and servers themselves are not affected.
832 <advisory url="http://www.openssl.org/news/secadv_20140806.txt"/>
833 <reported source="Ivan Fratric (Google)"/>
836 <issue public="20140806">
837 <cve name="2014-5139"/>
839 A crash was found affecting SRP ciphersuites used in a Server Hello message.
840 The issue affects OpenSSL clients and allows a malicious server to crash
841 the client with a null pointer dereference (read) by specifying an SRP
842 ciphersuite even though it was not properly negotiated with the client. This
843 could lead to a Denial of Service.
845 <affects base="1.0.1" version="1.0.1"/>
846 <affects base="1.0.1" version="1.0.1a"/>
847 <affects base="1.0.1" version="1.0.1b"/>
848 <affects base="1.0.1" version="1.0.1c"/>
849 <affects base="1.0.1" version="1.0.1d"/>
850 <affects base="1.0.1" version="1.0.1e"/>
851 <affects base="1.0.1" version="1.0.1f"/>
852 <affects base="1.0.1" version="1.0.1g"/>
853 <affects base="1.0.1" version="1.0.1h"/>
854 <fixed base="1.0.1" version="1.0.1i" date="20140806">
856 <advisory url="http://www.openssl.org/news/secadv_20140806.txt"/>
857 <reported source="Joonas Kuorilehto and Riku Hietamäki (Codenomicon)"/>
860 <issue public="20140806">
861 <cve name="2014-3509"/>
862 <description>A race condition was found in ssl_parse_serverhello_tlsext.
863 If a multithreaded client connects to a malicious server using a resumed session
864 and the server sends an ec point format extension, it could write up to 255 bytes
865 to freed memory.</description>
866 <affects base="1.0.0" version="1.0.0"/>
867 <affects base="1.0.0" version="1.0.0a"/>
868 <affects base="1.0.0" version="1.0.0b"/>
869 <affects base="1.0.0" version="1.0.0c"/>
870 <affects base="1.0.0" version="1.0.0d"/>
871 <affects base="1.0.0" version="1.0.0e"/>
872 <affects base="1.0.0" version="1.0.0f"/>
873 <affects base="1.0.0" version="1.0.0g"/>
874 <affects base="1.0.0" version="1.0.0i"/>
875 <affects base="1.0.0" version="1.0.0j"/>
876 <affects base="1.0.0" version="1.0.0k"/>
877 <affects base="1.0.0" version="1.0.0l"/>
878 <affects base="1.0.0" version="1.0.0m"/>
879 <affects base="1.0.1" version="1.0.1"/>
880 <affects base="1.0.1" version="1.0.1a"/>
881 <affects base="1.0.1" version="1.0.1b"/>
882 <affects base="1.0.1" version="1.0.1c"/>
883 <affects base="1.0.1" version="1.0.1d"/>
884 <affects base="1.0.1" version="1.0.1e"/>
885 <affects base="1.0.1" version="1.0.1f"/>
886 <affects base="1.0.1" version="1.0.1g"/>
887 <affects base="1.0.1" version="1.0.1h"/>
888 <fixed base="1.0.1" version="1.0.1i" date="20140806">
890 <fixed base="1.0.0" version="1.0.0n" date="20140806">
892 <reported source="Gabor Tyukasz (LogMeIn Inc)"/>
893 <advisory url="http://www.openssl.org/news/secadv_20140806.txt"/>
896 <issue public="20140806">
897 <cve name="2014-3505"/>
898 <affects base="0.9.8" version="0.9.8m"/>
899 <affects base="0.9.8" version="0.9.8n"/>
900 <affects base="0.9.8" version="0.9.8o"/>
901 <affects base="0.9.8" version="0.9.8p"/>
902 <affects base="0.9.8" version="0.9.8q"/>
903 <affects base="0.9.8" version="0.9.8r"/>
904 <affects base="0.9.8" version="0.9.8s"/>
905 <affects base="0.9.8" version="0.9.8t"/>
906 <affects base="0.9.8" version="0.9.8u"/>
907 <affects base="0.9.8" version="0.9.8v"/>
908 <affects base="0.9.8" version="0.9.8w"/>
909 <affects base="0.9.8" version="0.9.8x"/>
910 <affects base="0.9.8" version="0.9.8y"/>
911 <affects base="0.9.8" version="0.9.8za"/>
912 <affects base="1.0.0" version="1.0.0"/>
913 <affects base="1.0.0" version="1.0.0a"/>
914 <affects base="1.0.0" version="1.0.0b"/>
915 <affects base="1.0.0" version="1.0.0c"/>
916 <affects base="1.0.0" version="1.0.0d"/>
917 <affects base="1.0.0" version="1.0.0e"/>
918 <affects base="1.0.0" version="1.0.0f"/>
919 <affects base="1.0.0" version="1.0.0g"/>
920 <affects base="1.0.0" version="1.0.0i"/>
921 <affects base="1.0.0" version="1.0.0j"/>
922 <affects base="1.0.0" version="1.0.0k"/>
923 <affects base="1.0.0" version="1.0.0l"/>
924 <affects base="1.0.0" version="1.0.0m"/>
925 <affects base="1.0.1" version="1.0.1"/>
926 <affects base="1.0.1" version="1.0.1a"/>
927 <affects base="1.0.1" version="1.0.1b"/>
928 <affects base="1.0.1" version="1.0.1c"/>
929 <affects base="1.0.1" version="1.0.1d"/>
930 <affects base="1.0.1" version="1.0.1e"/>
931 <affects base="1.0.1" version="1.0.1f"/>
932 <affects base="1.0.1" version="1.0.1g"/>
933 <affects base="1.0.1" version="1.0.1h"/>
934 <fixed base="1.0.1" version="1.0.1i" date="20140806">
936 <fixed base="1.0.0" version="1.0.0n" date="20140806">
938 <fixed base="0.9.8" version="0.9.8zb" date="20140806">
941 A Double Free was found when processing DTLS packets.
942 An attacker can force an error condition which causes openssl to crash whilst
943 processing DTLS packets due to memory being freed twice. This could lead to a
944 Denial of Service attack.
946 <reported source="Adam Langley and Wan-Teh Chang (Google)"/>
947 <advisory url="http://www.openssl.org/news/secadv_20140806.txt"/>
950 <issue public="20140806">
951 <cve name="2014-3506"/>
952 <affects base="0.9.8" version="0.9.8"/>
953 <affects base="0.9.8" version="0.9.8a"/>
954 <affects base="0.9.8" version="0.9.8b"/>
955 <affects base="0.9.8" version="0.9.8c"/>
956 <affects base="0.9.8" version="0.9.8d"/>
957 <affects base="0.9.8" version="0.9.8e"/>
958 <affects base="0.9.8" version="0.9.8f"/>
959 <affects base="0.9.8" version="0.9.8g"/>
960 <affects base="0.9.8" version="0.9.8h"/>
961 <affects base="0.9.8" version="0.9.8i"/>
962 <affects base="0.9.8" version="0.9.8j"/>
963 <affects base="0.9.8" version="0.9.8k"/>
964 <affects base="0.9.8" version="0.9.8l"/>
965 <affects base="0.9.8" version="0.9.8m"/>
966 <affects base="0.9.8" version="0.9.8n"/>
967 <affects base="0.9.8" version="0.9.8o"/>
968 <affects base="0.9.8" version="0.9.8p"/>
969 <affects base="0.9.8" version="0.9.8q"/>
970 <affects base="0.9.8" version="0.9.8r"/>
971 <affects base="0.9.8" version="0.9.8s"/>
972 <affects base="0.9.8" version="0.9.8t"/>
973 <affects base="0.9.8" version="0.9.8u"/>
974 <affects base="0.9.8" version="0.9.8v"/>
975 <affects base="0.9.8" version="0.9.8w"/>
976 <affects base="0.9.8" version="0.9.8x"/>
977 <affects base="0.9.8" version="0.9.8y"/>
978 <affects base="0.9.8" version="0.9.8za"/>
979 <affects base="1.0.0" version="1.0.0"/>
980 <affects base="1.0.0" version="1.0.0a"/>
981 <affects base="1.0.0" version="1.0.0b"/>
982 <affects base="1.0.0" version="1.0.0c"/>
983 <affects base="1.0.0" version="1.0.0d"/>
984 <affects base="1.0.0" version="1.0.0e"/>
985 <affects base="1.0.0" version="1.0.0f"/>
986 <affects base="1.0.0" version="1.0.0g"/>
987 <affects base="1.0.0" version="1.0.0i"/>
988 <affects base="1.0.0" version="1.0.0j"/>
989 <affects base="1.0.0" version="1.0.0k"/>
990 <affects base="1.0.0" version="1.0.0l"/>
991 <affects base="1.0.0" version="1.0.0m"/>
992 <affects base="1.0.1" version="1.0.1"/>
993 <affects base="1.0.1" version="1.0.1a"/>
994 <affects base="1.0.1" version="1.0.1b"/>
995 <affects base="1.0.1" version="1.0.1c"/>
996 <affects base="1.0.1" version="1.0.1d"/>
997 <affects base="1.0.1" version="1.0.1e"/>
998 <affects base="1.0.1" version="1.0.1f"/>
999 <affects base="1.0.1" version="1.0.1g"/>
1000 <affects base="1.0.1" version="1.0.1h"/>
1001 <fixed base="1.0.1" version="1.0.1i" date="20140806">
1003 <fixed base="1.0.0" version="1.0.0n" date="20140806">
1005 <fixed base="0.9.8" version="0.9.8zb" date="20140806">
1008 A DTLS flaw leading to memory exhaustion was found.
1009 An attacker can force openssl to consume large amounts of memory whilst
1010 processing DTLS handshake messages. This could lead to a Denial of
1013 <reported source="Adam Langley (Google)"/>
1014 <advisory url="http://www.openssl.org/news/secadv_20140806.txt"/>
1017 <issue public="20140806">
1018 <cve name="2014-3507"/>
1019 <affects base="0.9.8" version="0.9.8o"/>
1020 <affects base="0.9.8" version="0.9.8p"/>
1021 <affects base="0.9.8" version="0.9.8q"/>
1022 <affects base="0.9.8" version="0.9.8r"/>
1023 <affects base="0.9.8" version="0.9.8s"/>
1024 <affects base="0.9.8" version="0.9.8t"/>
1025 <affects base="0.9.8" version="0.9.8u"/>
1026 <affects base="0.9.8" version="0.9.8v"/>
1027 <affects base="0.9.8" version="0.9.8w"/>
1028 <affects base="0.9.8" version="0.9.8x"/>
1029 <affects base="0.9.8" version="0.9.8y"/>
1030 <affects base="0.9.8" version="0.9.8za"/>
1031 <affects base="1.0.0" version="1.0.0a"/>
1032 <affects base="1.0.0" version="1.0.0b"/>
1033 <affects base="1.0.0" version="1.0.0c"/>
1034 <affects base="1.0.0" version="1.0.0d"/>
1035 <affects base="1.0.0" version="1.0.0e"/>
1036 <affects base="1.0.0" version="1.0.0f"/>
1037 <affects base="1.0.0" version="1.0.0g"/>
1038 <affects base="1.0.0" version="1.0.0i"/>
1039 <affects base="1.0.0" version="1.0.0j"/>
1040 <affects base="1.0.0" version="1.0.0k"/>
1041 <affects base="1.0.0" version="1.0.0l"/>
1042 <affects base="1.0.0" version="1.0.0m"/>
1043 <affects base="1.0.1" version="1.0.1"/>
1044 <affects base="1.0.1" version="1.0.1a"/>
1045 <affects base="1.0.1" version="1.0.1b"/>
1046 <affects base="1.0.1" version="1.0.1c"/>
1047 <affects base="1.0.1" version="1.0.1d"/>
1048 <affects base="1.0.1" version="1.0.1e"/>
1049 <affects base="1.0.1" version="1.0.1f"/>
1050 <affects base="1.0.1" version="1.0.1g"/>
1051 <affects base="1.0.1" version="1.0.1h"/>
1052 <fixed base="1.0.1" version="1.0.1i" date="20140806">
1054 <fixed base="1.0.0" version="1.0.0n" date="20140806">
1056 <fixed base="0.9.8" version="0.9.8zb" date="20140806">
1059 A DTLS memory leak from zero-length fragments was found.
1060 By sending carefully crafted DTLS packets an attacker could cause OpenSSL to
1061 leak memory. This could lead to a Denial of Service attack.
1063 <reported source="Adam Langley (Google)"/>
1064 <advisory url="http://www.openssl.org/news/secadv_20140806.txt"/>
1067 <issue public="20140806">
1068 <cve name="2014-3510"/>
1069 <affects base="0.9.8" version="0.9.8"/>
1070 <affects base="0.9.8" version="0.9.8a"/>
1071 <affects base="0.9.8" version="0.9.8b"/>
1072 <affects base="0.9.8" version="0.9.8c"/>
1073 <affects base="0.9.8" version="0.9.8d"/>
1074 <affects base="0.9.8" version="0.9.8e"/>
1075 <affects base="0.9.8" version="0.9.8f"/>
1076 <affects base="0.9.8" version="0.9.8g"/>
1077 <affects base="0.9.8" version="0.9.8h"/>
1078 <affects base="0.9.8" version="0.9.8i"/>
1079 <affects base="0.9.8" version="0.9.8j"/>
1080 <affects base="0.9.8" version="0.9.8k"/>
1081 <affects base="0.9.8" version="0.9.8l"/>
1082 <affects base="0.9.8" version="0.9.8m"/>
1083 <affects base="0.9.8" version="0.9.8n"/>
1084 <affects base="0.9.8" version="0.9.8o"/>
1085 <affects base="0.9.8" version="0.9.8p"/>
1086 <affects base="0.9.8" version="0.9.8q"/>
1087 <affects base="0.9.8" version="0.9.8r"/>
1088 <affects base="0.9.8" version="0.9.8s"/>
1089 <affects base="0.9.8" version="0.9.8t"/>
1090 <affects base="0.9.8" version="0.9.8u"/>
1091 <affects base="0.9.8" version="0.9.8v"/>
1092 <affects base="0.9.8" version="0.9.8w"/>
1093 <affects base="0.9.8" version="0.9.8x"/>
1094 <affects base="0.9.8" version="0.9.8y"/>
1095 <affects base="0.9.8" version="0.9.8za"/>
1096 <affects base="1.0.0" version="1.0.0"/>
1097 <affects base="1.0.0" version="1.0.0a"/>
1098 <affects base="1.0.0" version="1.0.0b"/>
1099 <affects base="1.0.0" version="1.0.0c"/>
1100 <affects base="1.0.0" version="1.0.0d"/>
1101 <affects base="1.0.0" version="1.0.0e"/>
1102 <affects base="1.0.0" version="1.0.0f"/>
1103 <affects base="1.0.0" version="1.0.0g"/>
1104 <affects base="1.0.0" version="1.0.0i"/>
1105 <affects base="1.0.0" version="1.0.0j"/>
1106 <affects base="1.0.0" version="1.0.0k"/>
1107 <affects base="1.0.0" version="1.0.0l"/>
1108 <affects base="1.0.0" version="1.0.0m"/>
1109 <affects base="1.0.1" version="1.0.1"/>
1110 <affects base="1.0.1" version="1.0.1a"/>
1111 <affects base="1.0.1" version="1.0.1b"/>
1112 <affects base="1.0.1" version="1.0.1c"/>
1113 <affects base="1.0.1" version="1.0.1d"/>
1114 <affects base="1.0.1" version="1.0.1e"/>
1115 <affects base="1.0.1" version="1.0.1f"/>
1116 <affects base="1.0.1" version="1.0.1g"/>
1117 <affects base="1.0.1" version="1.0.1h"/>
1118 <fixed base="1.0.1" version="1.0.1i" date="20140806">
1120 <fixed base="1.0.0" version="1.0.0n" date="20140806">
1122 <fixed base="0.9.8" version="0.9.8zb" date="20140806">
1125 A flaw in handling DTLS anonymous EC(DH) ciphersuites was found.
1126 OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a
1127 denial of service attack. A malicious server can crash the client with a null
1128 pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and
1129 sending carefully crafted handshake messages.
1131 <reported source="Felix Gröbert (Google)"/>
1132 <advisory url="http://www.openssl.org/news/secadv_20140806.txt"/>
1135 <issue public="20140806">
1136 <cve name="2014-3511"/>
1137 <affects base="1.0.1" version="1.0.1"/>
1138 <affects base="1.0.1" version="1.0.1a"/>
1139 <affects base="1.0.1" version="1.0.1b"/>
1140 <affects base="1.0.1" version="1.0.1c"/>
1141 <affects base="1.0.1" version="1.0.1d"/>
1142 <affects base="1.0.1" version="1.0.1e"/>
1143 <affects base="1.0.1" version="1.0.1f"/>
1144 <affects base="1.0.1" version="1.0.1g"/>
1145 <affects base="1.0.1" version="1.0.1h"/>
1146 <fixed base="1.0.1" version="1.0.1i" date="20140806">
1149 A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
1150 TLS 1.0 instead of higher protocol versions when the ClientHello message is
1151 badly fragmented. This allows a man-in-the-middle attacker to force a
1152 downgrade to TLS 1.0 even if both the server and the client support a higher
1153 protocol version, by modifying the client's TLS records.
1155 <reported source="David Benjamin and Adam Langley (Google)"/>
1156 <advisory url="http://www.openssl.org/news/secadv_20140806.txt"/>
1159 <issue public="20140806">
1160 <cve name="2014-3512"/>
1161 <affects base="1.0.1" version="1.0.1"/>
1162 <affects base="1.0.1" version="1.0.1a"/>
1163 <affects base="1.0.1" version="1.0.1b"/>
1164 <affects base="1.0.1" version="1.0.1c"/>
1165 <affects base="1.0.1" version="1.0.1d"/>
1166 <affects base="1.0.1" version="1.0.1e"/>
1167 <affects base="1.0.1" version="1.0.1f"/>
1168 <affects base="1.0.1" version="1.0.1g"/>
1169 <affects base="1.0.1" version="1.0.1h"/>
1170 <fixed base="1.0.1" version="1.0.1i" date="20140806">
1173 A SRP buffer overrun was found.
1174 A malicious client or server can send invalid SRP parameters and overrun
1175 an internal buffer. Only applications which are explicitly set up for SRP
1178 <reported source="Sean Devlin and Watson Ladd (Cryptography Services, NCC Group)"/>
1179 <advisory url="http://www.openssl.org/news/secadv_20140806.txt"/>
1182 <issue public="20020730">
1183 <cve name="2002-0655"/>
1184 <affects base="0.9.6" version="0.9.6"/>
1185 <affects base="0.9.6" version="0.9.6a"/>
1186 <affects base="0.9.6" version="0.9.6b"/>
1187 <affects base="0.9.6" version="0.9.6c"/>
1188 <affects base="0.9.6" version="0.9.6d"/>
1189 <fixed base="0.9.6" version="0.9.6e" date="20020730"/>
1190 <advisory url="http://www.openssl.org/news/secadv_20020730.txt"/>
1191 <reported source="OpenSSL Group (A.L. Digital)"/>
1193 Inproper handling of ASCII representations of integers on
1194 64 bit platforms allowed remote attackers to cause a denial of
1195 service or possibly execute arbitrary code.
1199 <issue public="20020730">
1200 <cve name="2002-0656"/>
1201 <affects base="0.9.6" version="0.9.6"/>
1202 <affects base="0.9.6" version="0.9.6a"/>
1203 <affects base="0.9.6" version="0.9.6b"/>
1204 <affects base="0.9.6" version="0.9.6c"/>
1205 <affects base="0.9.6" version="0.9.6d"/>
1206 <fixed base="0.9.6" version="0.9.6e" date="20020730"/>
1207 <advisory url="http://www.openssl.org/news/secadv_20020730.txt"/>
1208 <reported source="OpenSSL Group (A.L. Digital)"/>
1210 A buffer overflow allowed remote attackers to execute
1211 arbitrary code by sending a large client master key in SSL2 or a
1212 large session ID in SSL3.
1216 <issue public="20020730">
1217 <cve name="2002-0657"/>
1218 <advisory url="http://www.openssl.org/news/secadv_20020730.txt"/>
1219 <reported source="OpenSSL Group (A.L. Digital)"/>
1221 A buffer overflow when Kerberos is enabled allowed attackers
1222 to execute arbitrary code by sending a long master key. Note that this
1223 flaw did not affect any released version of 0.9.6 or 0.9.7
1227 <issue public="20020730">
1228 <cve name="2002-0659"/>
1229 <affects base="0.9.6" version="0.9.6a"/>
1230 <affects base="0.9.6" version="0.9.6b"/>
1231 <affects base="0.9.6" version="0.9.6c"/>
1232 <affects base="0.9.6" version="0.9.6d"/>
1233 <fixed base="0.9.6" version="0.9.6e" date="20020730"/>
1235 A flaw in the ASN1 library allowed remote attackers to cause a denial of
1236 service by sending invalid encodings.
1241 <cve name="2002-1568"/>
1242 <affects base="0.9.6" version="0.9.6e"/>
1243 <fixed base="0.9.6" version="0.9.6f" date="20020808"/>
1245 The use of assertions when detecting buffer overflow attacks
1246 allowed remote attackers to cause a denial of service (crash) by
1247 sending certain messages to cause
1248 OpenSSL to abort from a failed assertion, as demonstrated using SSLv2
1249 CLIENT_MASTER_KEY messages, which were not properly handled in
1254 <issue public="20030219">
1255 <cve name="2003-0078"/>
1256 <affects base="0.9.7" version="0.9.7"/>
1257 <affects base="0.9.6" version="0.9.6"/>
1258 <affects base="0.9.6" version="0.9.6a"/>
1259 <affects base="0.9.6" version="0.9.6b"/>
1260 <affects base="0.9.6" version="0.9.6c"/>
1261 <affects base="0.9.6" version="0.9.6d"/>
1262 <affects base="0.9.6" version="0.9.6e"/>
1263 <affects base="0.9.6" version="0.9.6f"/>
1264 <affects base="0.9.6" version="0.9.6g"/>
1265 <affects base="0.9.6" version="0.9.6h"/>
1266 <fixed base="0.9.7" version="0.9.7a" date="20030219"/>
1267 <fixed base="0.9.6" version="0.9.6i" date="20030219"/>
1268 <advisory url="http://www.openssl.org/news/secadv_20030219.txt"/>
1270 sl3_get_record in s3_pkt.c did not perform a MAC computation if an
1271 incorrect block cipher padding was used, causing an information leak
1272 (timing discrepancy) that may make it easier to launch cryptographic
1273 attacks that rely on distinguishing between padding and MAC
1274 verification errors, possibly leading to extraction of the original
1275 plaintext, aka the "Vaudenay timing attack."
1279 <issue public="20030319">
1280 <cve name="2003-0131"/>
1281 <affects base="0.9.6" version="0.9.6"/>
1282 <affects base="0.9.6" version="0.9.6a"/>
1283 <affects base="0.9.6" version="0.9.6b"/>
1284 <affects base="0.9.6" version="0.9.6c"/>
1285 <affects base="0.9.6" version="0.9.6d"/>
1286 <affects base="0.9.6" version="0.9.6e"/>
1287 <affects base="0.9.6" version="0.9.6f"/>
1288 <affects base="0.9.6" version="0.9.6g"/>
1289 <affects base="0.9.6" version="0.9.6h"/>
1290 <affects base="0.9.6" version="0.9.6i"/>
1291 <affects base="0.9.7" version="0.9.7"/>
1292 <affects base="0.9.7" version="0.9.7a"/>
1293 <fixed base="0.9.6" version="0.9.6j" date="20030410"/>
1294 <fixed base="0.9.7" version="0.9.7b" date="20030410"/>
1295 <advisory url="http://www.openssl.org/news/secadv_20030319.txt"/>
1297 The SSL and TLS components allowed remote attackers to perform an
1298 unauthorized RSA private key operation via a modified Bleichenbacher
1299 attack that uses a large number of SSL or TLS connections using PKCS #1
1300 v1.5 padding that caused OpenSSL to leak information regarding the
1301 relationship between ciphertext and the associated plaintext, aka the
1302 "Klima-Pokorny-Rosa attack"
1306 <issue public="20030314">
1307 <cve name="2003-0147"/>
1308 <affects base="0.9.6" version="0.9.6"/>
1309 <affects base="0.9.6" version="0.9.6a"/>
1310 <affects base="0.9.6" version="0.9.6b"/>
1311 <affects base="0.9.6" version="0.9.6c"/>
1312 <affects base="0.9.6" version="0.9.6d"/>
1313 <affects base="0.9.6" version="0.9.6e"/>
1314 <affects base="0.9.6" version="0.9.6f"/>
1315 <affects base="0.9.6" version="0.9.6g"/>
1316 <affects base="0.9.6" version="0.9.6h"/>
1317 <affects base="0.9.6" version="0.9.6i"/>
1318 <affects base="0.9.7" version="0.9.7"/>
1319 <affects base="0.9.7" version="0.9.7a"/>
1320 <advisory url="http://www.openssl.org/news/secadv_20030317.txt"/>
1321 <fixed base="0.9.7" version="0.9.7b" date="20030410"/>
1322 <fixed base="0.9.6" version="0.9.6j" date="20030410"/>
1324 RSA blinding was not enabled by default, which could allow local and
1325 remote attackers to obtain a server's private key by determining
1326 factors using timing differences on (1) the number of extra reductions
1327 during Montgomery reduction, and (2) the use of different integer
1328 multiplication algorithms ("Karatsuba" and normal).
1332 <issue public="20030930">
1333 <cve name="2003-0543"/>
1334 <affects base="0.9.6" version="0.9.6"/>
1335 <affects base="0.9.6" version="0.9.6a"/>
1336 <affects base="0.9.6" version="0.9.6b"/>
1337 <affects base="0.9.6" version="0.9.6c"/>
1338 <affects base="0.9.6" version="0.9.6d"/>
1339 <affects base="0.9.6" version="0.9.6e"/>
1340 <affects base="0.9.6" version="0.9.6f"/>
1341 <affects base="0.9.6" version="0.9.6g"/>
1342 <affects base="0.9.6" version="0.9.6h"/>
1343 <affects base="0.9.6" version="0.9.6i"/>
1344 <affects base="0.9.6" version="0.9.6j"/>
1345 <affects base="0.9.7" version="0.9.7"/>
1346 <affects base="0.9.7" version="0.9.7a"/>
1347 <affects base="0.9.7" version="0.9.7b"/>
1348 <fixed base="0.9.7" version="0.9.7c" date="20030930"/>
1349 <fixed base="0.9.6" version="0.9.6k" date="20030930"/>
1350 <advisory url="http://www.openssl.org/news/secadv_20030930.txt"/>
1351 <reported source="NISCC"/>
1353 An integer overflow could allow remote attackers to cause a denial of
1354 service (crash) via an SSL client certificate with certain ASN.1 tag
1359 <issue public="20030930">
1360 <cve name="2003-0544"/>
1361 <affects base="0.9.7" version="0.9.7"/>
1362 <affects base="0.9.7" version="0.9.7a"/>
1363 <affects base="0.9.7" version="0.9.7b"/>
1364 <affects base="0.9.6" version="0.9.6"/>
1365 <affects base="0.9.6" version="0.9.6a"/>
1366 <affects base="0.9.6" version="0.9.6b"/>
1367 <affects base="0.9.6" version="0.9.6c"/>
1368 <affects base="0.9.6" version="0.9.6d"/>
1369 <affects base="0.9.6" version="0.9.6e"/>
1370 <affects base="0.9.6" version="0.9.6f"/>
1371 <affects base="0.9.6" version="0.9.6g"/>
1372 <affects base="0.9.6" version="0.9.6h"/>
1373 <affects base="0.9.6" version="0.9.6i"/>
1374 <affects base="0.9.6" version="0.9.6j"/>
1375 <fixed base="0.9.6" version="0.9.6k" date="20030930"/>
1376 <fixed base="0.9.7" version="0.9.7c" date="20030930"/>
1377 <advisory url="http://www.openssl.org/news/secadv_20030930.txt"/>
1378 <reported source="NISCC"/>
1380 Incorrect tracking of the number of characters in certain
1381 ASN.1 inputs could allow remote attackers to cause a denial of
1382 service (crash) by sending an SSL client certificate that causes OpenSSL to
1383 read past the end of a buffer when the long form is used.
1387 <issue public="20030930">
1388 <cve name="2003-0545"/>
1389 <affects base="0.9.7" version="0.9.7"/>
1390 <affects base="0.9.7" version="0.9.7a"/>
1391 <affects base="0.9.7" version="0.9.7b"/>
1392 <fixed base="0.9.7" version="0.9.7c" date="20030930"/>
1393 <advisory url="http://www.openssl.org/news/secadv_20030930.txt"/>
1394 <reported source="NISCC"/>
1396 Certain ASN.1 encodings that were rejected as invalid by the parser could
1397 trigger a bug in the deallocation of the corresponding data structure,
1398 corrupting the stack, leading to a crash.
1402 <issue public="20031104">
1403 <cve name="2003-0851"/>
1404 <affects base="0.9.6" version="0.9.6k"/>
1405 <fixed base="0.9.6" version="0.9.6l" date="20031104"/>
1406 <advisory url="http://www.openssl.org/news/secadv_20031104.txt"/>
1407 <reported source="Novell"/>
1409 A flaw in OpenSSL 0.9.6k (only) would cause certain ASN.1 sequences to
1410 trigger a large recursion. On platforms such as Windows this large
1411 recursion cannot be handled correctly and so the bug causes OpenSSL to
1412 crash. A remote attacker could exploit this flaw if they can send
1413 arbitrary ASN.1 sequences which would cause OpenSSL to crash. This
1414 could be performed for example by sending a client certificate to a
1415 SSL/TLS enabled server which is configured to accept them.
1419 <issue public="20040317">
1420 <cve name="2004-0079"/>
1421 <affects base="0.9.6" version="0.9.6c"/>
1422 <affects base="0.9.6" version="0.9.6d"/>
1423 <affects base="0.9.6" version="0.9.6e"/>
1424 <affects base="0.9.6" version="0.9.6f"/>
1425 <affects base="0.9.6" version="0.9.6g"/>
1426 <affects base="0.9.6" version="0.9.6h"/>
1427 <affects base="0.9.6" version="0.9.6i"/>
1428 <affects base="0.9.6" version="0.9.6j"/>
1429 <affects base="0.9.6" version="0.9.6k"/>
1430 <affects base="0.9.6" version="0.9.6l"/>
1431 <affects base="0.9.7" version="0.9.7"/>
1432 <affects base="0.9.7" version="0.9.7a"/>
1433 <affects base="0.9.7" version="0.9.7b"/>
1434 <affects base="0.9.7" version="0.9.7c"/>
1435 <fixed base="0.9.7" version="0.9.7d" date="20040317"/>
1436 <fixed base="0.9.6" version="0.9.6m" date="20040317"/>
1437 <advisory url="http://www.openssl.org/news/secadv_20040317.txt"/>
1438 <reported source="OpenSSL group"/>
1440 The Codenomicon TLS Test Tool uncovered a null-pointer assignment in the
1441 do_change_cipher_spec() function. A remote attacker could perform a
1442 carefully crafted SSL/TLS handshake against a server that used the
1443 OpenSSL library in such a way as to cause a crash.
1447 <issue public="20040317">
1448 <cve name="2004-0081"/>
1449 <affects base="0.9.6" version="0.9.6"/>
1450 <affects base="0.9.6" version="0.9.6a"/>
1451 <affects base="0.9.6" version="0.9.6b"/>
1452 <affects base="0.9.6" version="0.9.6c"/>
1453 <advisory url="http://www.openssl.org/news/secadv_20030317.txt"/>
1454 <reported source="OpenSSL group"/>
1456 The Codenomicon TLS Test Tool found that some unknown message types
1457 were handled incorrectly, allowing a remote attacker to cause a denial
1458 of service (infinite loop).
1462 <issue public="20040317">
1463 <cve name="2004-0112"/>
1464 <affects base="0.9.7" version="0.9.7a"/>
1465 <affects base="0.9.7" version="0.9.7b"/>
1466 <affects base="0.9.7" version="0.9.7c"/>
1467 <fixed base="0.9.7" version="0.9.7d" date="20040317"/>
1468 <reported source="OpenSSL group (Stephen Henson)"/>
1469 <advisory url="http://www.openssl.org/news/secadv_20040317.txt"/>
1471 A flaw in SSL/TLS handshaking code when using Kerberos ciphersuites.
1472 A remote attacker could perform a carefully crafted SSL/TLS handshake
1473 against a server configured to use Kerberos ciphersuites in such a way
1474 as to cause OpenSSL to crash. Most applications have no ability to
1475 use Kerberos ciphersuites and will therefore be unaffected.
1479 <issue public="20040930">
1480 <cve name="2004-0975"/>
1481 <affects base="0.9.7" version="0.9.7"/>
1482 <affects base="0.9.7" version="0.9.7a"/>
1483 <affects base="0.9.7" version="0.9.7b"/>
1484 <affects base="0.9.7" version="0.9.7c"/>
1485 <affects base="0.9.7" version="0.9.7d"/>
1486 <affects base="0.9.7" version="0.9.7e"/>
1487 <affects base="0.9.6" version="0.9.6"/>
1488 <affects base="0.9.6" version="0.9.6a"/>
1489 <affects base="0.9.6" version="0.9.6b"/>
1490 <affects base="0.9.6" version="0.9.6c"/>
1491 <affects base="0.9.6" version="0.9.6d"/>
1492 <affects base="0.9.6" version="0.9.6e"/>
1493 <affects base="0.9.6" version="0.9.6f"/>
1494 <affects base="0.9.6" version="0.9.6g"/>
1495 <affects base="0.9.6" version="0.9.6h"/>
1496 <affects base="0.9.6" version="0.9.6i"/>
1497 <affects base="0.9.6" version="0.9.6j"/>
1498 <affects base="0.9.6" version="0.9.6k"/>
1499 <affects base="0.9.6" version="0.9.6l"/>
1500 <affects base="0.9.6" version="0.9.6m"/>
1501 <fixed base="0.9.7" version="0.9.7f" date="20050322"/>
1502 <fixed base="0.9.6" version="0.9.6-cvs" date="20041114"/>
1503 <!-- der_chop was removed 20041114 -->
1506 The der_chop script created temporary files insecurely which could
1507 allow local users to overwrite files via a symlink attack on temporary
1508 files. Note that it is quite unlikely that a user would be using the
1509 redundant der_chop script, and this script was removed from the OpenSSL
1514 <issue public="20051011">
1515 <cve name="2005-2969"/>
1516 <affects base="0.9.7" version="0.9.7"/>
1517 <affects base="0.9.7" version="0.9.7a"/>
1518 <affects base="0.9.7" version="0.9.7b"/>
1519 <affects base="0.9.7" version="0.9.7c"/>
1520 <affects base="0.9.7" version="0.9.7d"/>
1521 <affects base="0.9.7" version="0.9.7e"/>
1522 <affects base="0.9.7" version="0.9.7f"/>
1523 <affects base="0.9.7" version="0.9.7g"/>
1524 <affects base="0.9.8" version="0.9.8"/>
1525 <affects base="0.9.6" version="0.9.6"/>
1526 <affects base="0.9.6" version="0.9.6a"/>
1527 <affects base="0.9.6" version="0.9.6b"/>
1528 <affects base="0.9.6" version="0.9.6c"/>
1529 <affects base="0.9.6" version="0.9.6d"/>
1530 <affects base="0.9.6" version="0.9.6e"/>
1531 <affects base="0.9.6" version="0.9.6f"/>
1532 <affects base="0.9.6" version="0.9.6g"/>
1533 <affects base="0.9.6" version="0.9.6h"/>
1534 <affects base="0.9.6" version="0.9.6i"/>
1535 <affects base="0.9.6" version="0.9.6j"/>
1536 <affects base="0.9.6" version="0.9.6k"/>
1537 <affects base="0.9.6" version="0.9.6l"/>
1538 <affects base="0.9.6" version="0.9.6m"/>
1539 <fixed base="0.9.7" version="0.9.7h" date="20051011"/>
1540 <fixed base="0.9.8" version="0.9.8a" date="20051011"/>
1542 <advisory url="http://www.openssl.org/news/secadv_20051011.txt"/>
1543 <reported source="researcher"/>
1546 A deprecated option, SSL_OP_MISE_SSLV2_RSA_PADDING, could allow an
1547 attacker acting as a "man in the middle" to force a connection to
1548 downgrade to SSL 2.0 even if both parties support better protocols.
1552 <issue public="20060905">
1553 <cve name="2006-4339"/>
1554 <affects base="0.9.7" version="0.9.7"/>
1555 <affects base="0.9.7" version="0.9.7a"/>
1556 <affects base="0.9.7" version="0.9.7b"/>
1557 <affects base="0.9.7" version="0.9.7c"/>
1558 <affects base="0.9.7" version="0.9.7d"/>
1559 <affects base="0.9.7" version="0.9.7e"/>
1560 <affects base="0.9.7" version="0.9.7f"/>
1561 <affects base="0.9.7" version="0.9.7g"/>
1562 <affects base="0.9.7" version="0.9.7h"/>
1563 <affects base="0.9.7" version="0.9.7i"/>
1564 <affects base="0.9.7" version="0.9.7j"/>
1565 <affects base="0.9.8" version="0.9.8"/>
1566 <affects base="0.9.8" version="0.9.8a"/>
1567 <affects base="0.9.8" version="0.9.8b"/>
1568 <affects base="0.9.6" version="0.9.6"/>
1569 <affects base="0.9.6" version="0.9.6a"/>
1570 <affects base="0.9.6" version="0.9.6b"/>
1571 <affects base="0.9.6" version="0.9.6c"/>
1572 <affects base="0.9.6" version="0.9.6d"/>
1573 <affects base="0.9.6" version="0.9.6e"/>
1574 <affects base="0.9.6" version="0.9.6f"/>
1575 <affects base="0.9.6" version="0.9.6g"/>
1576 <affects base="0.9.6" version="0.9.6h"/>
1577 <affects base="0.9.6" version="0.9.6i"/>
1578 <affects base="0.9.6" version="0.9.6j"/>
1579 <affects base="0.9.6" version="0.9.6k"/>
1580 <affects base="0.9.6" version="0.9.6l"/>
1581 <affects base="0.9.6" version="0.9.6m"/>
1582 <fixed base="0.9.7" version="0.9.7k" date="20060905"/>
1583 <fixed base="0.9.8" version="0.9.8c" date="20060905"/>
1585 <advisory url="http://www.openssl.org/news/secadv_20060905.txt"/>
1586 <reported source="openssl"/>
1589 Daniel Bleichenbacher discovered an attack on PKCS #1 v1.5
1590 signatures where under certain circumstances it may be possible
1591 for an attacker to forge a PKCS #1 v1.5 signature that would be incorrectly
1592 verified by OpenSSL.
1596 <issue public="20060928">
1597 <cve name="2006-2937"/>
1598 <affects base="0.9.7" version="0.9.7"/>
1599 <affects base="0.9.7" version="0.9.7a"/>
1600 <affects base="0.9.7" version="0.9.7b"/>
1601 <affects base="0.9.7" version="0.9.7c"/>
1602 <affects base="0.9.7" version="0.9.7d"/>
1603 <affects base="0.9.7" version="0.9.7e"/>
1604 <affects base="0.9.7" version="0.9.7f"/>
1605 <affects base="0.9.7" version="0.9.7g"/>
1606 <affects base="0.9.7" version="0.9.7h"/>
1607 <affects base="0.9.7" version="0.9.7i"/>
1608 <affects base="0.9.7" version="0.9.7j"/>
1609 <affects base="0.9.7" version="0.9.7k"/>
1610 <affects base="0.9.8" version="0.9.8"/>
1611 <affects base="0.9.8" version="0.9.8a"/>
1612 <affects base="0.9.8" version="0.9.8b"/>
1613 <affects base="0.9.8" version="0.9.8c"/>
1614 <fixed base="0.9.7" version="0.9.7l" date="20060928"/>
1615 <fixed base="0.9.8" version="0.9.8d" date="20060928"/>
1617 <advisory url="http://www.openssl.org/news/secadv_20060928.txt"/>
1618 <reported source="openssl"/>
1621 During the parsing of certain invalid ASN.1 structures an error
1622 condition is mishandled. This can result in an infinite loop which
1623 consumes system memory
1627 <issue public="20060928">
1628 <cve name="2006-2940"/>
1629 <affects base="0.9.7" version="0.9.7"/>
1630 <affects base="0.9.7" version="0.9.7a"/>
1631 <affects base="0.9.7" version="0.9.7b"/>
1632 <affects base="0.9.7" version="0.9.7c"/>
1633 <affects base="0.9.7" version="0.9.7d"/>
1634 <affects base="0.9.7" version="0.9.7e"/>
1635 <affects base="0.9.7" version="0.9.7f"/>
1636 <affects base="0.9.7" version="0.9.7g"/>
1637 <affects base="0.9.7" version="0.9.7h"/>
1638 <affects base="0.9.7" version="0.9.7i"/>
1639 <affects base="0.9.7" version="0.9.7j"/>
1640 <affects base="0.9.7" version="0.9.7k"/>
1641 <affects base="0.9.8" version="0.9.8"/>
1642 <affects base="0.9.8" version="0.9.8a"/>
1643 <affects base="0.9.8" version="0.9.8b"/>
1644 <affects base="0.9.8" version="0.9.8c"/>
1645 <affects base="0.9.6" version="0.9.6"/>
1646 <affects base="0.9.6" version="0.9.6a"/>
1647 <affects base="0.9.6" version="0.9.6b"/>
1648 <affects base="0.9.6" version="0.9.6c"/>
1649 <affects base="0.9.6" version="0.9.6d"/>
1650 <affects base="0.9.6" version="0.9.6e"/>
1651 <affects base="0.9.6" version="0.9.6f"/>
1652 <affects base="0.9.6" version="0.9.6g"/>
1653 <affects base="0.9.6" version="0.9.6h"/>
1654 <affects base="0.9.6" version="0.9.6i"/>
1655 <affects base="0.9.6" version="0.9.6j"/>
1656 <affects base="0.9.6" version="0.9.6k"/>
1657 <affects base="0.9.6" version="0.9.6l"/>
1658 <affects base="0.9.6" version="0.9.6m"/>
1659 <fixed base="0.9.7" version="0.9.7l" date="20060928"/>
1660 <fixed base="0.9.8" version="0.9.8d" date="20060928"/>
1662 <advisory url="http://www.openssl.org/news/secadv_20060928.txt"/>
1663 <reported source="openssl"/>
1666 Certain types of public key can take disproportionate amounts of
1667 time to process. This could be used by an attacker in a denial of
1672 <issue public="20060928">
1673 <cve name="2006-3738"/>
1674 <affects base="0.9.7" version="0.9.7"/>
1675 <affects base="0.9.7" version="0.9.7a"/>
1676 <affects base="0.9.7" version="0.9.7b"/>
1677 <affects base="0.9.7" version="0.9.7c"/>
1678 <affects base="0.9.7" version="0.9.7d"/>
1679 <affects base="0.9.7" version="0.9.7e"/>
1680 <affects base="0.9.7" version="0.9.7f"/>
1681 <affects base="0.9.7" version="0.9.7g"/>
1682 <affects base="0.9.7" version="0.9.7h"/>
1683 <affects base="0.9.7" version="0.9.7i"/>
1684 <affects base="0.9.7" version="0.9.7j"/>
1685 <affects base="0.9.7" version="0.9.7k"/>
1686 <affects base="0.9.8" version="0.9.8"/>
1687 <affects base="0.9.8" version="0.9.8a"/>
1688 <affects base="0.9.8" version="0.9.8b"/>
1689 <affects base="0.9.8" version="0.9.8c"/>
1690 <affects base="0.9.6" version="0.9.6"/>
1691 <affects base="0.9.6" version="0.9.6a"/>
1692 <affects base="0.9.6" version="0.9.6b"/>
1693 <affects base="0.9.6" version="0.9.6c"/>
1694 <affects base="0.9.6" version="0.9.6d"/>
1695 <affects base="0.9.6" version="0.9.6e"/>
1696 <affects base="0.9.6" version="0.9.6f"/>
1697 <affects base="0.9.6" version="0.9.6g"/>
1698 <affects base="0.9.6" version="0.9.6h"/>
1699 <affects base="0.9.6" version="0.9.6i"/>
1700 <affects base="0.9.6" version="0.9.6j"/>
1701 <affects base="0.9.6" version="0.9.6k"/>
1702 <affects base="0.9.6" version="0.9.6l"/>
1703 <affects base="0.9.6" version="0.9.6m"/>
1704 <fixed base="0.9.7" version="0.9.7l" date="20060928"/>
1705 <fixed base="0.9.8" version="0.9.8d" date="20060928"/>
1707 <advisory url="http://www.openssl.org/news/secadv_20060928.txt"/>
1708 <reported source="openssl"/>
1711 A buffer overflow was discovered in the SSL_get_shared_ciphers()
1712 utility function. An attacker could send a list of ciphers to an
1713 application that uses this function and overrun a buffer.
1717 <issue public="20060928">
1718 <cve name="2006-4343"/>
1719 <affects base="0.9.7" version="0.9.7"/>
1720 <affects base="0.9.7" version="0.9.7a"/>
1721 <affects base="0.9.7" version="0.9.7b"/>
1722 <affects base="0.9.7" version="0.9.7c"/>
1723 <affects base="0.9.7" version="0.9.7d"/>
1724 <affects base="0.9.7" version="0.9.7e"/>
1725 <affects base="0.9.7" version="0.9.7f"/>
1726 <affects base="0.9.7" version="0.9.7g"/>
1727 <affects base="0.9.7" version="0.9.7h"/>
1728 <affects base="0.9.7" version="0.9.7i"/>
1729 <affects base="0.9.7" version="0.9.7j"/>
1730 <affects base="0.9.7" version="0.9.7k"/>
1731 <affects base="0.9.8" version="0.9.8"/>
1732 <affects base="0.9.8" version="0.9.8a"/>
1733 <affects base="0.9.8" version="0.9.8b"/>
1734 <affects base="0.9.8" version="0.9.8c"/>
1735 <affects base="0.9.6" version="0.9.6"/>
1736 <affects base="0.9.6" version="0.9.6a"/>
1737 <affects base="0.9.6" version="0.9.6b"/>
1738 <affects base="0.9.6" version="0.9.6c"/>
1739 <affects base="0.9.6" version="0.9.6d"/>
1740 <affects base="0.9.6" version="0.9.6e"/>
1741 <affects base="0.9.6" version="0.9.6f"/>
1742 <affects base="0.9.6" version="0.9.6g"/>
1743 <affects base="0.9.6" version="0.9.6h"/>
1744 <affects base="0.9.6" version="0.9.6i"/>
1745 <affects base="0.9.6" version="0.9.6j"/>
1746 <affects base="0.9.6" version="0.9.6k"/>
1747 <affects base="0.9.6" version="0.9.6l"/>
1748 <affects base="0.9.6" version="0.9.6m"/>
1749 <fixed base="0.9.7" version="0.9.7l" date="20060928"/>
1750 <fixed base="0.9.8" version="0.9.8d" date="20060928"/>
1752 <advisory url="http://www.openssl.org/news/secadv_20060928.txt"/>
1753 <reported source="openssl"/>
1756 A flaw in the SSLv2 client code was discovered. When a client
1757 application used OpenSSL to create an SSLv2 connection to a malicious
1758 server, that server could cause the client to crash.
1762 <issue public="20071012">
1763 <cve name="2007-4995"/>
1764 <affects base="0.9.8" version="0.9.8"/>
1765 <affects base="0.9.8" version="0.9.8a"/>
1766 <affects base="0.9.8" version="0.9.8b"/>
1767 <affects base="0.9.8" version="0.9.8c"/>
1768 <affects base="0.9.8" version="0.9.8d"/>
1769 <affects base="0.9.8" version="0.9.8e"/>
1770 <fixed base="0.9.8" version="0.9.8f" date="20071012"/>
1771 <advisory url="http://www.openssl.org/news/secadv_20071012.txt"/>
1772 <reported source="Andy Polyakov"/>
1775 A flaw in DTLS support. An attacker
1776 could create a malicious client or server that could trigger a heap
1777 overflow. This is possibly exploitable to run arbitrary code, but it has
1782 <issue public="20071012">
1783 <cve name="2007-5135"/>
1784 <affects base="0.9.8" version="0.9.8"/>
1785 <affects base="0.9.8" version="0.9.8a"/>
1786 <affects base="0.9.8" version="0.9.8b"/>
1787 <affects base="0.9.8" version="0.9.8c"/>
1788 <affects base="0.9.8" version="0.9.8d"/>
1789 <affects base="0.9.8" version="0.9.8e"/>
1790 <fixed base="0.9.8" version="0.9.8f" date="20071012"/>
1791 <advisory url="http://www.openssl.org/news/secadv_20071012.txt"/>
1792 <reported source="Moritz Jodeit"/>
1795 A flaw was found in the SSL_get_shared_ciphers() utility function. An
1796 attacker could send a list of ciphers to an application that used this
1797 function and overrun a buffer with a single byte. Few
1798 applications make use of this vulnerable function and generally it is used
1799 only when applications are compiled for debugging.
1803 <issue public="20071129">
1804 <cve name="2007-5502"/>
1805 <advisory url="http://www.openssl.org/news/secadv_20071129.txt"/>
1806 <reported source="Geoff Lowe"/>
1809 The PRNG implementation for the OpenSSL FIPS Object Module 1.1.1 does
1810 not perform auto-seeding during the FIPS self-test, which generates
1811 random data that is more predictable than expected and makes it easier
1812 for attackers to bypass protection mechanisms that rely on the
1817 <issue public="20080528">
1818 <cve name="2008-0891"/>
1819 <affects base="0.9.8" version="0.9.8f"/>
1820 <affects base="0.9.8" version="0.9.8g"/>
1821 <fixed base="0.9.8" version="0.9.8h" date="20080528"/>
1822 <advisory url="http://www.openssl.org/news/secadv_20080528.txt"/>
1823 <reported source="codenomicon"/>
1825 Testing using the Codenomicon TLS test suite discovered a flaw in the
1826 handling of server name extension data in OpenSSL 0.9.8f and OpenSSL
1827 0.9.8g. If OpenSSL has been compiled using the non-default TLS server
1828 name extensions, a remote attacker could send a carefully crafted
1829 packet to a server application using OpenSSL and cause it to crash.
1833 <issue public="20080528">
1834 <cve name="2008-1672"/>
1835 <affects base="0.9.8" version="0.9.8f"/>
1836 <affects base="0.9.8" version="0.9.8g"/>
1837 <fixed base="0.9.8" version="0.9.8h" date="20080528"/>
1838 <advisory url="http://www.openssl.org/news/secadv_20080528.txt"/>
1839 <reported source="codenomicon"/>
1841 Testing using the Codenomicon TLS test suite discovered a flaw if the
1842 'Server Key exchange message' is omitted from a TLS handshake in
1843 OpenSSL 0.9.8f and OpenSSL 0.9.8g. If a client connects to a
1844 malicious server with particular cipher suites, the server could cause
1845 the client to crash.
1849 <issue public="20090107">
1850 <cve name="2008-5077"/>
1851 <affects base="0.9.8" version="0.9.8"/>
1852 <affects base="0.9.8" version="0.9.8a"/>
1853 <affects base="0.9.8" version="0.9.8b"/>
1854 <affects base="0.9.8" version="0.9.8c"/>
1855 <affects base="0.9.8" version="0.9.8d"/>
1856 <affects base="0.9.8" version="0.9.8e"/>
1857 <affects base="0.9.8" version="0.9.8f"/>
1858 <affects base="0.9.8" version="0.9.8g"/>
1859 <affects base="0.9.8" version="0.9.8h"/>
1860 <affects base="0.9.8" version="0.9.8i"/>
1861 <fixed base="0.9.8" version="0.9.8j" date="20090107"/>
1862 <advisory url="http://www.openssl.org/news/secadv_20090107.txt"/>
1863 <reported source="google"/>
1866 The Google Security Team discovered several functions inside OpenSSL
1867 incorrectly checked the result after calling the EVP_VerifyFinal
1868 function, allowing a malformed signature to be treated as a good
1869 signature rather than as an error. This issue affected the signature
1870 checks on DSA and ECDSA keys used with SSL/TLS. One way to exploit
1871 this flaw would be for a remote attacker who is in control of a
1872 malicious server or who can use a 'man in the middle' attack to
1873 present a malformed SSL/TLS signature from a certificate chain to a
1874 vulnerable client, bypassing validation.
1878 <issue public="20090325">
1879 <cve name="2009-0590"/>
1880 <affects base="0.9.8" version="0.9.8"/>
1881 <affects base="0.9.8" version="0.9.8a"/>
1882 <affects base="0.9.8" version="0.9.8b"/>
1883 <affects base="0.9.8" version="0.9.8c"/>
1884 <affects base="0.9.8" version="0.9.8d"/>
1885 <affects base="0.9.8" version="0.9.8e"/>
1886 <affects base="0.9.8" version="0.9.8f"/>
1887 <affects base="0.9.8" version="0.9.8g"/>
1888 <affects base="0.9.8" version="0.9.8h"/>
1889 <affects base="0.9.8" version="0.9.8i"/>
1890 <affects base="0.9.8" version="0.9.8j"/>
1891 <fixed base="0.9.8" version="0.9.8k" date="20090325"/>
1892 <advisory url="http://www.openssl.org/news/secadv_20090325.txt"/>
1894 The function ASN1_STRING_print_ex() when used to print a BMPString or
1895 UniversalString will crash with an invalid memory access if the
1896 encoded length of the string is illegal. Any OpenSSL application
1897 which prints out the contents of a certificate could be affected by
1898 this bug, including SSL servers, clients and S/MIME software.
1902 <issue public="20090325">
1903 <cve name="2009-0591"/>
1904 <affects base="0.9.8" version="0.9.8h"/>
1905 <affects base="0.9.8" version="0.9.8i"/>
1906 <affects base="0.9.8" version="0.9.8j"/>
1907 <fixed base="0.9.8" version="0.9.8k" date="20090325"/>
1908 <advisory url="http://www.openssl.org/news/secadv_20090325.txt"/>
1909 <reported source="Ivan Nestlerode, IBM"/>
1911 The function CMS_verify() does not correctly handle an error condition
1912 involving malformed signed attributes. This will cause an invalid set
1913 of signed attributes to appear valid and content digests will not be
1918 <issue public="20090325">
1919 <cve name="2009-0789"/>
1920 <affects base="0.9.8" version="0.9.8"/>
1921 <affects base="0.9.8" version="0.9.8a"/>
1922 <affects base="0.9.8" version="0.9.8b"/>
1923 <affects base="0.9.8" version="0.9.8c"/>
1924 <affects base="0.9.8" version="0.9.8d"/>
1925 <affects base="0.9.8" version="0.9.8e"/>
1926 <affects base="0.9.8" version="0.9.8f"/>
1927 <affects base="0.9.8" version="0.9.8g"/>
1928 <affects base="0.9.8" version="0.9.8h"/>
1929 <affects base="0.9.8" version="0.9.8i"/>
1930 <affects base="0.9.8" version="0.9.8j"/>
1931 <fixed base="0.9.8" version="0.9.8k" date="20090325"/>
1932 <reported source="Paolo Ganci"/>
1933 <advisory url="http://www.openssl.org/news/secadv_20090325.txt"/>
1935 When a malformed ASN1 structure is received it's contents are freed up and
1936 zeroed and an error condition returned. On a small number of platforms where
1937 sizeof(long) < sizeof(void *) (for example WIN64) this can cause an invalid
1938 memory access later resulting in a crash when some invalid structures are
1939 read, for example RSA public keys.
1943 <issue public="20090602">
1944 <cve name="2009-1386"/>
1945 <affects base="0.9.8" version="0.9.8"/>
1946 <affects base="0.9.8" version="0.9.8a"/>
1947 <affects base="0.9.8" version="0.9.8b"/>
1948 <affects base="0.9.8" version="0.9.8c"/>
1949 <affects base="0.9.8" version="0.9.8d"/>
1950 <affects base="0.9.8" version="0.9.8e"/>
1951 <affects base="0.9.8" version="0.9.8f"/>
1952 <affects base="0.9.8" version="0.9.8g"/>
1953 <affects base="0.9.8" version="0.9.8h"/>
1954 <fixed base="0.9.8" version="0.9.8i" date="20080915"/>
1955 <reported source="Alex Lam"/>
1957 Fix a NULL pointer dereference if a DTLS server recieved
1958 ChangeCipherSpec as first record.
1959 A remote attacker could use this flaw to cause a DTLS server to crash
1963 <issue public="20091105">
1964 <cve name="2009-3555"/>
1965 <affects base="0.9.8" version="0.9.8"/>
1966 <affects base="0.9.8" version="0.9.8a"/>
1967 <affects base="0.9.8" version="0.9.8b"/>
1968 <affects base="0.9.8" version="0.9.8c"/>
1969 <affects base="0.9.8" version="0.9.8d"/>
1970 <affects base="0.9.8" version="0.9.8e"/>
1971 <affects base="0.9.8" version="0.9.8f"/>
1972 <affects base="0.9.8" version="0.9.8g"/>
1973 <affects base="0.9.8" version="0.9.8h"/>
1974 <affects base="0.9.8" version="0.9.8i"/>
1975 <affects base="0.9.8" version="0.9.8j"/>
1976 <affects base="0.9.8" version="0.9.8k"/>
1977 <affects base="0.9.8" version="0.9.8l"/>
1978 <fixed base="0.9.8" version="0.9.8m" date="20100120"/>
1979 <advisory url="http://www.openssl.org/news/secadv_20091111.txt"/>
1981 Implement RFC5746 to address vulnerabilities in SSL/TLS renegotiation.
1985 <issue public="20090205">
1986 <cve name="2009-1387"/>
1987 <affects base="0.9.8" version="0.9.8"/>
1988 <affects base="0.9.8" version="0.9.8a"/>
1989 <affects base="0.9.8" version="0.9.8b"/>
1990 <affects base="0.9.8" version="0.9.8c"/>
1991 <affects base="0.9.8" version="0.9.8d"/>
1992 <affects base="0.9.8" version="0.9.8e"/>
1993 <affects base="0.9.8" version="0.9.8f"/>
1994 <affects base="0.9.8" version="0.9.8g"/>
1995 <affects base="0.9.8" version="0.9.8h"/>
1996 <affects base="0.9.8" version="0.9.8i"/>
1997 <affects base="0.9.8" version="0.9.8j"/>
1998 <affects base="0.9.8" version="0.9.8k"/>
1999 <affects base="0.9.8" version="0.9.8l"/>
2000 <fixed base="0.9.8" version="0.9.8m" date="20100120"/>
2001 <reported source="Robin Seggelmann"/>
2003 Fix denial of service flaw due in the DTLS implementation. A
2004 remote attacker could use this flaw to cause a DTLS server to crash.
2008 <issue public="20090512">
2009 <cve name="2009-1377"/>
2010 <cve name="2009-1378"/>
2011 <cve name="2009-1379"/>
2012 <affects base="0.9.8" version="0.9.8"/>
2013 <affects base="0.9.8" version="0.9.8a"/>
2014 <affects base="0.9.8" version="0.9.8b"/>
2015 <affects base="0.9.8" version="0.9.8c"/>
2016 <affects base="0.9.8" version="0.9.8d"/>
2017 <affects base="0.9.8" version="0.9.8e"/>
2018 <affects base="0.9.8" version="0.9.8f"/>
2019 <affects base="0.9.8" version="0.9.8g"/>
2020 <affects base="0.9.8" version="0.9.8h"/>
2021 <affects base="0.9.8" version="0.9.8i"/>
2022 <affects base="0.9.8" version="0.9.8j"/>
2023 <affects base="0.9.8" version="0.9.8k"/>
2024 <affects base="0.9.8" version="0.9.8l"/>
2025 <fixed base="0.9.8" version="0.9.8m" date="20100120"/>
2026 <reported source="Daniel Mentz, Robin Seggelmann"/>
2028 Fix denial of service flaws in the DTLS implementation. A
2029 remote attacker could use these flaws to cause a DTLS server to use
2030 excessive amounts of memory, or crash.
2034 <issue public="20100113">
2035 <cve name="2009-4355"/>
2036 <affects base="0.9.8" version="0.9.8"/>
2037 <affects base="0.9.8" version="0.9.8a"/>
2038 <affects base="0.9.8" version="0.9.8b"/>
2039 <affects base="0.9.8" version="0.9.8c"/>
2040 <affects base="0.9.8" version="0.9.8d"/>
2041 <affects base="0.9.8" version="0.9.8e"/>
2042 <affects base="0.9.8" version="0.9.8f"/>
2043 <affects base="0.9.8" version="0.9.8g"/>
2044 <affects base="0.9.8" version="0.9.8h"/>
2045 <affects base="0.9.8" version="0.9.8i"/>
2046 <affects base="0.9.8" version="0.9.8j"/>
2047 <affects base="0.9.8" version="0.9.8k"/>
2048 <affects base="0.9.8" version="0.9.8l"/>
2049 <fixed base="0.9.8" version="0.9.8m" date="20100120"/>
2050 <reported source="Michael K Johnson and Andy Grimm (rPath)"/>
2052 A memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c
2053 allows remote attackers to cause a denial of service
2054 via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data
2059 <issue public="20100223">
2060 <cve name="2009-3245"/>
2061 <affects base="0.9.8" version="0.9.8"/>
2062 <affects base="0.9.8" version="0.9.8a"/>
2063 <affects base="0.9.8" version="0.9.8b"/>
2064 <affects base="0.9.8" version="0.9.8c"/>
2065 <affects base="0.9.8" version="0.9.8d"/>
2066 <affects base="0.9.8" version="0.9.8e"/>
2067 <affects base="0.9.8" version="0.9.8f"/>
2068 <affects base="0.9.8" version="0.9.8g"/>
2069 <affects base="0.9.8" version="0.9.8h"/>
2070 <affects base="0.9.8" version="0.9.8i"/>
2071 <affects base="0.9.8" version="0.9.8j"/>
2072 <affects base="0.9.8" version="0.9.8k"/>
2073 <affects base="0.9.8" version="0.9.8l"/>
2074 <fixed base="0.9.8" version="0.9.8m" date="20100120"/>
2075 <reported source="Martin Olsson, Neel Mehta"/>
2077 It was discovered that OpenSSL did not always check the return value of the
2078 bn_wexpand() function. An attacker able to trigger a memory allocation failure
2079 in that function could cause an application using the OpenSSL library to crash
2080 or, possibly, execute arbitrary code
2084 <issue public="20100119">
2085 <cve name="2010-0433"/>
2086 <affects base="0.9.8" version="0.9.8"/>
2087 <affects base="0.9.8" version="0.9.8a"/>
2088 <affects base="0.9.8" version="0.9.8b"/>
2089 <affects base="0.9.8" version="0.9.8c"/>
2090 <affects base="0.9.8" version="0.9.8d"/>
2091 <affects base="0.9.8" version="0.9.8e"/>
2092 <affects base="0.9.8" version="0.9.8f"/>
2093 <affects base="0.9.8" version="0.9.8g"/>
2094 <affects base="0.9.8" version="0.9.8h"/>
2095 <affects base="0.9.8" version="0.9.8i"/>
2096 <affects base="0.9.8" version="0.9.8j"/>
2097 <affects base="0.9.8" version="0.9.8k"/>
2098 <affects base="0.9.8" version="0.9.8l"/>
2099 <affects base="0.9.8" version="0.9.8m"/>
2100 <fixed base="0.9.8" version="0.9.8n" date="20100324"/>
2101 <reported source="Todd Rinaldo, Tomas Hoger (Red Hat)"/>
2103 A missing return value check flaw was discovered in OpenSSL, that could
2104 possibly cause OpenSSL to call a Kerberos library function with invalid
2105 arguments, resulting in a NULL pointer dereference crash in the MIT
2106 Kerberos library. In certain configurations, a remote attacker could use
2107 this flaw to crash a TLS/SSL server using OpenSSL by requesting Kerberos
2108 cipher suites during the TLS handshake
2112 <issue public="20100324">
2113 <cve name="2010-0740"/>
2114 <affects base="0.9.8" version="0.9.8f"/>
2115 <affects base="0.9.8" version="0.9.8g"/>
2116 <affects base="0.9.8" version="0.9.8h"/>
2117 <affects base="0.9.8" version="0.9.8i"/>
2118 <affects base="0.9.8" version="0.9.8j"/>
2119 <affects base="0.9.8" version="0.9.8k"/>
2120 <affects base="0.9.8" version="0.9.8l"/>
2121 <affects base="0.9.8" version="0.9.8m"/>
2122 <fixed base="0.9.8" version="0.9.8n" date="20100324"/>
2123 <advisory url="http://www.openssl.org/news/secadv_20100324.txt"/>
2124 <reported source="Bodo Moeller and Adam Langley (Google)"/>
2126 In TLS connections, certain incorrectly formatted records can cause an
2127 OpenSSL client or server to crash due to a read attempt at NULL.
2131 <issue public="20100601">
2132 <cve name="2010-0742"/>
2133 <affects base="1.0.0" version="1.0.0"/>
2134 <affects base="0.9.8" version="0.9.8h"/>
2135 <affects base="0.9.8" version="0.9.8i"/>
2136 <affects base="0.9.8" version="0.9.8j"/>
2137 <affects base="0.9.8" version="0.9.8k"/>
2138 <affects base="0.9.8" version="0.9.8l"/>
2139 <affects base="0.9.8" version="0.9.8m"/>
2140 <affects base="0.9.8" version="0.9.8n"/>
2141 <fixed base="0.9.8" version="0.9.8o" date="20100601"/>
2142 <fixed base="1.0.0" version="1.0.0a" date="20100601"/>
2143 <advisory url="http://www.openssl.org/news/secadv_20100601.txt"/>
2144 <reported source="Ronald Moesbergen"/>
2146 A flaw in the handling of CMS structures containing OriginatorInfo was found which
2147 could lead to a write to invalid memory address or double free. CMS support is
2148 disabled by default in OpenSSL 0.9.8 versions.
2152 <issue public="20100601">
2153 <cve name="2010-1633"/>
2154 <affects base="1.0.0" version="1.0.0"/>
2155 <fixed base="1.0.0" version="1.0.0a" date="20100601"/>
2156 <advisory url="http://www.openssl.org/news/secadv_20100601.txt"/>
2157 <reported source="Peter-Michael Hager"/>
2159 An invalid Return value check in pkey_rsa_verifyrecover was
2160 discovered. When verification recovery fails for RSA keys an
2161 uninitialised buffer with an undefined length is returned instead of
2162 an error code. This could lead to an information leak.
2166 <issue public="20101116">
2167 <cve name="2010-3864"/>
2168 <affects base="0.9.8" version="0.9.8"/>
2169 <affects base="0.9.8" version="0.9.8a"/>
2170 <affects base="0.9.8" version="0.9.8b"/>
2171 <affects base="0.9.8" version="0.9.8c"/>
2172 <affects base="0.9.8" version="0.9.8d"/>
2173 <affects base="0.9.8" version="0.9.8e"/>
2174 <affects base="0.9.8" version="0.9.8f"/>
2175 <affects base="0.9.8" version="0.9.8g"/>
2176 <affects base="0.9.8" version="0.9.8h"/>
2177 <affects base="0.9.8" version="0.9.8i"/>
2178 <affects base="0.9.8" version="0.9.8j"/>
2179 <affects base="0.9.8" version="0.9.8k"/>
2180 <affects base="0.9.8" version="0.9.8l"/>
2181 <affects base="0.9.8" version="0.9.8m"/>
2182 <affects base="0.9.8" version="0.9.8n"/>
2183 <affects base="0.9.8" version="0.9.8o"/>
2184 <affects base="1.0.0" version="1.0.0"/>
2185 <affects base="1.0.0" version="1.0.0a"/>
2186 <fixed base="1.0.0" version="1.0.0b" date="20101116"/>
2187 <fixed base="0.9.8" version="0.9.8p" date="20101116"/>
2188 <advisory url="http://www.openssl.org/news/secadv_20101116.txt"/>
2189 <reported source="Rob Hulswit"/>
2192 A flaw in the OpenSSL TLS server extension code parsing which on
2193 affected servers can be exploited in a buffer overrun attack. Any
2194 OpenSSL based TLS server is vulnerable if it is multi-threaded and
2195 uses OpenSSL's internal caching mechanism. Servers that are
2196 multi-process and/or disable internal session caching are NOT
2202 <issue public="20101202">
2203 <cve name="2010-4252"/>
2204 <affects base="1.0.0" version="1.0.0"/>
2205 <affects base="1.0.0" version="1.0.0a"/>
2206 <affects base="1.0.0" version="1.0.0b"/>
2207 <fixed base="1.0.0" version="1.0.0c" date="20101202"/>
2208 <advisory url="http://www.openssl.org/news/secadv_20101202.txt"/>
2209 <reported source="Sebastian Martini"/>
2211 An error in OpenSSL's experimental J-PAKE implementation which could
2212 lead to successful validation by someone with no knowledge of the
2213 shared secret. The OpenSSL Team still consider the implementation of
2214 J-PAKE to be experimental and is not compiled by default.
2218 <issue public="20101202">
2219 <cve name="2010-4180"/>
2220 <affects base="0.9.8" version="0.9.8"/>
2221 <affects base="0.9.8" version="0.9.8a"/>
2222 <affects base="0.9.8" version="0.9.8b"/>
2223 <affects base="0.9.8" version="0.9.8c"/>
2224 <affects base="0.9.8" version="0.9.8d"/>
2225 <affects base="0.9.8" version="0.9.8e"/>
2226 <affects base="0.9.8" version="0.9.8f"/>
2227 <affects base="0.9.8" version="0.9.8g"/>
2228 <affects base="0.9.8" version="0.9.8h"/>
2229 <affects base="0.9.8" version="0.9.8i"/>
2230 <affects base="0.9.8" version="0.9.8j"/>
2231 <affects base="0.9.8" version="0.9.8k"/>
2232 <affects base="0.9.8" version="0.9.8l"/>
2233 <affects base="0.9.8" version="0.9.8m"/>
2234 <affects base="0.9.8" version="0.9.8n"/>
2235 <affects base="0.9.8" version="0.9.8o"/>
2236 <affects base="0.9.8" version="0.9.8p"/>
2237 <affects base="1.0.0" version="1.0.0"/>
2238 <affects base="1.0.0" version="1.0.0a"/>
2239 <affects base="1.0.0" version="1.0.0b"/>
2240 <fixed base="1.0.0" version="1.0.0c" date="20101202"/>
2241 <fixed base="0.9.8" version="0.9.8q" date="20101202"/>
2242 <advisory url="http://www.openssl.org/news/secadv_20101202.txt"/>
2243 <reported source="Martin Rex"/>
2245 A flaw in the OpenSSL SSL/TLS server code where an old bug workaround
2246 allows malicious clients to modify the stored session cache
2247 ciphersuite. In some cases the ciphersuite can be downgraded to a
2248 weaker one on subsequent connections. This issue only affects OpenSSL
2249 based SSL/TLS server if it uses OpenSSL's internal caching mechanisms
2250 and the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG flag (many
2251 applications enable this by using the SSL_OP_ALL option).
2255 <issue public="20110906">
2256 <cve name="2011-3207"/>
2257 <affects base="1.0.0" version="1.0.0"/>
2258 <affects base="1.0.0" version="1.0.0a"/>
2259 <affects base="1.0.0" version="1.0.0b"/>
2260 <affects base="1.0.0" version="1.0.0c"/>
2261 <affects base="1.0.0" version="1.0.0d"/>
2262 <fixed base="1.0.0" version="1.0.0e" date="20110906"/>
2263 <advisory url="http://www.openssl.org/news/secadv_20110906.txt"/>
2264 <reported source="Kaspar Brand"/>
2266 Under certain circumstances OpenSSL's internal certificate
2267 verification routines can incorrectly accept a CRL whose nextUpdate
2268 field is in the past. Applications are only affected by the CRL
2269 checking vulnerability if they enable OpenSSL's internal CRL checking
2270 which is off by default. Applications which use their own custom CRL
2271 checking (such as Apache) are not affected.
2275 <issue public="20110906">
2276 <cve name="2011-3210"/>
2277 <affects base="0.9.8" version="0.9.8"/>
2278 <affects base="0.9.8" version="0.9.8a"/>
2279 <affects base="0.9.8" version="0.9.8b"/>
2280 <affects base="0.9.8" version="0.9.8c"/>
2281 <affects base="0.9.8" version="0.9.8d"/>
2282 <affects base="0.9.8" version="0.9.8e"/>
2283 <affects base="0.9.8" version="0.9.8f"/>
2284 <affects base="0.9.8" version="0.9.8g"/>
2285 <affects base="0.9.8" version="0.9.8h"/>
2286 <affects base="0.9.8" version="0.9.8i"/>
2287 <affects base="0.9.8" version="0.9.8j"/>
2288 <affects base="0.9.8" version="0.9.8k"/>
2289 <affects base="0.9.8" version="0.9.8l"/>
2290 <affects base="0.9.8" version="0.9.8m"/>
2291 <affects base="0.9.8" version="0.9.8n"/>
2292 <affects base="0.9.8" version="0.9.8o"/>
2293 <affects base="0.9.8" version="0.9.8p"/>
2294 <affects base="0.9.8" version="0.9.8q"/>
2295 <affects base="0.9.8" version="0.9.8r"/>
2296 <affects base="1.0.0" version="1.0.0"/>
2297 <affects base="1.0.0" version="1.0.0a"/>
2298 <affects base="1.0.0" version="1.0.0b"/>
2299 <affects base="1.0.0" version="1.0.0c"/>
2300 <affects base="1.0.0" version="1.0.0d"/>
2301 <fixed base="1.0.0" version="1.0.0e" date="20110906"/>
2302 <advisory url="http://www.openssl.org/news/secadv_20110906.txt"/>
2303 <reported source="Adam Langley"/>
2305 OpenSSL server code for ephemeral ECDH ciphersuites is not
2306 thread-safe, and furthermore can crash if a client violates the
2307 protocol by sending handshake messages in incorrect order. Only
2308 server-side applications that specifically support ephemeral ECDH
2309 ciphersuites are affected, and only if ephemeral ECDH ciphersuites are
2310 enabled in the configuration.
2314 <issue public="20120104">
2315 <cve name="2011-4108"/>
2316 <affects base="0.9.8" version="0.9.8"/>
2317 <affects base="0.9.8" version="0.9.8a"/>
2318 <affects base="0.9.8" version="0.9.8b"/>
2319 <affects base="0.9.8" version="0.9.8c"/>
2320 <affects base="0.9.8" version="0.9.8d"/>
2321 <affects base="0.9.8" version="0.9.8e"/>
2322 <affects base="0.9.8" version="0.9.8f"/>
2323 <affects base="0.9.8" version="0.9.8g"/>
2324 <affects base="0.9.8" version="0.9.8h"/>
2325 <affects base="0.9.8" version="0.9.8i"/>
2326 <affects base="0.9.8" version="0.9.8j"/>
2327 <affects base="0.9.8" version="0.9.8k"/>
2328 <affects base="0.9.8" version="0.9.8l"/>
2329 <affects base="0.9.8" version="0.9.8m"/>
2330 <affects base="0.9.8" version="0.9.8n"/>
2331 <affects base="0.9.8" version="0.9.8o"/>
2332 <affects base="0.9.8" version="0.9.8p"/>
2333 <affects base="0.9.8" version="0.9.8q"/>
2334 <affects base="0.9.8" version="0.9.8r"/>
2335 <affects base="1.0.0" version="1.0.0"/>
2336 <affects base="1.0.0" version="1.0.0a"/>
2337 <affects base="1.0.0" version="1.0.0b"/>
2338 <affects base="1.0.0" version="1.0.0c"/>
2339 <affects base="1.0.0" version="1.0.0d"/>
2340 <affects base="1.0.0" version="1.0.0e"/>
2341 <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
2342 <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
2343 <advisory url="http://www.openssl.org/news/secadv_20120104.txt"/>
2344 <reported source="Nadhem Alfardan and Kenny Paterson"/>
2346 OpenSSL was susceptable an extension of the
2347 Vaudenay padding oracle attack on CBC mode encryption which enables an
2348 efficient plaintext recovery attack against the OpenSSL implementation
2349 of DTLS by exploiting timing differences arising during
2350 decryption processing.
2354 <issue public="20120104">
2355 <cve name="2011-4109"/>
2356 <affects base="0.9.8" version="0.9.8"/>
2357 <affects base="0.9.8" version="0.9.8a"/>
2358 <affects base="0.9.8" version="0.9.8b"/>
2359 <affects base="0.9.8" version="0.9.8c"/>
2360 <affects base="0.9.8" version="0.9.8d"/>
2361 <affects base="0.9.8" version="0.9.8e"/>
2362 <affects base="0.9.8" version="0.9.8f"/>
2363 <affects base="0.9.8" version="0.9.8g"/>
2364 <affects base="0.9.8" version="0.9.8h"/>
2365 <affects base="0.9.8" version="0.9.8i"/>
2366 <affects base="0.9.8" version="0.9.8j"/>
2367 <affects base="0.9.8" version="0.9.8k"/>
2368 <affects base="0.9.8" version="0.9.8l"/>
2369 <affects base="0.9.8" version="0.9.8m"/>
2370 <affects base="0.9.8" version="0.9.8n"/>
2371 <affects base="0.9.8" version="0.9.8o"/>
2372 <affects base="0.9.8" version="0.9.8p"/>
2373 <affects base="0.9.8" version="0.9.8q"/>
2374 <affects base="0.9.8" version="0.9.8r"/>
2375 <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
2376 <advisory url="http://www.openssl.org/news/secadv_20120104.txt"/>
2377 <reported source="Ben Laurie"/>
2379 If X509_V_FLAG_POLICY_CHECK is set in OpenSSL 0.9.8, then a policy
2380 check failure can lead to a double-free. The bug does not occur
2381 unless this flag is set. Users of OpenSSL 1.0.0 are not affected
2385 <issue public="20120104">
2386 <cve name="2011-4576"/>
2387 <affects base="0.9.8" version="0.9.8"/>
2388 <affects base="0.9.8" version="0.9.8a"/>
2389 <affects base="0.9.8" version="0.9.8b"/>
2390 <affects base="0.9.8" version="0.9.8c"/>
2391 <affects base="0.9.8" version="0.9.8d"/>
2392 <affects base="0.9.8" version="0.9.8e"/>
2393 <affects base="0.9.8" version="0.9.8f"/>
2394 <affects base="0.9.8" version="0.9.8g"/>
2395 <affects base="0.9.8" version="0.9.8h"/>
2396 <affects base="0.9.8" version="0.9.8i"/>
2397 <affects base="0.9.8" version="0.9.8j"/>
2398 <affects base="0.9.8" version="0.9.8k"/>
2399 <affects base="0.9.8" version="0.9.8l"/>
2400 <affects base="0.9.8" version="0.9.8m"/>
2401 <affects base="0.9.8" version="0.9.8n"/>
2402 <affects base="0.9.8" version="0.9.8o"/>
2403 <affects base="0.9.8" version="0.9.8p"/>
2404 <affects base="0.9.8" version="0.9.8q"/>
2405 <affects base="0.9.8" version="0.9.8r"/>
2406 <affects base="1.0.0" version="1.0.0"/>
2407 <affects base="1.0.0" version="1.0.0a"/>
2408 <affects base="1.0.0" version="1.0.0b"/>
2409 <affects base="1.0.0" version="1.0.0c"/>
2410 <affects base="1.0.0" version="1.0.0d"/>
2411 <affects base="1.0.0" version="1.0.0e"/>
2412 <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
2413 <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
2414 <advisory url="http://www.openssl.org/news/secadv_20120104.txt"/>
2415 <reported source="Adam Langley"/>
2417 OpenSSL failed to clear the bytes used as
2418 block cipher padding in SSL 3.0 records which could leak
2419 the contents of memory in some circumstances.
2423 <issue public="20120104">
2424 <cve name="2011-4577"/>
2425 <affects base="0.9.8" version="0.9.8"/>
2426 <affects base="0.9.8" version="0.9.8a"/>
2427 <affects base="0.9.8" version="0.9.8b"/>
2428 <affects base="0.9.8" version="0.9.8c"/>
2429 <affects base="0.9.8" version="0.9.8d"/>
2430 <affects base="0.9.8" version="0.9.8e"/>
2431 <affects base="0.9.8" version="0.9.8f"/>
2432 <affects base="0.9.8" version="0.9.8g"/>
2433 <affects base="0.9.8" version="0.9.8h"/>
2434 <affects base="0.9.8" version="0.9.8i"/>
2435 <affects base="0.9.8" version="0.9.8j"/>
2436 <affects base="0.9.8" version="0.9.8k"/>
2437 <affects base="0.9.8" version="0.9.8l"/>
2438 <affects base="0.9.8" version="0.9.8m"/>
2439 <affects base="0.9.8" version="0.9.8n"/>
2440 <affects base="0.9.8" version="0.9.8o"/>
2441 <affects base="0.9.8" version="0.9.8p"/>
2442 <affects base="0.9.8" version="0.9.8q"/>
2443 <affects base="0.9.8" version="0.9.8r"/>
2444 <affects base="1.0.0" version="1.0.0"/>
2445 <affects base="1.0.0" version="1.0.0a"/>
2446 <affects base="1.0.0" version="1.0.0b"/>
2447 <affects base="1.0.0" version="1.0.0c"/>
2448 <affects base="1.0.0" version="1.0.0d"/>
2449 <affects base="1.0.0" version="1.0.0e"/>
2450 <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
2451 <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
2452 <advisory url="http://www.openssl.org/news/secadv_20120104.txt"/>
2453 <reported source="Andrew Chi"/>
2455 RFC 3779 data can be included in certificates, and if it is malformed,
2456 may trigger an assertion failure. This could be used in a
2457 denial-of-service attack. Builds of OpenSSL are only vulnerable if configured with
2458 "enable-rfc3779", which is not a default.
2462 <issue public="20120104">
2463 <cve name="2011-4619"/>
2464 <affects base="0.9.8" version="0.9.8"/>
2465 <affects base="0.9.8" version="0.9.8a"/>
2466 <affects base="0.9.8" version="0.9.8b"/>
2467 <affects base="0.9.8" version="0.9.8c"/>
2468 <affects base="0.9.8" version="0.9.8d"/>
2469 <affects base="0.9.8" version="0.9.8e"/>
2470 <affects base="0.9.8" version="0.9.8f"/>
2471 <affects base="0.9.8" version="0.9.8g"/>
2472 <affects base="0.9.8" version="0.9.8h"/>
2473 <affects base="0.9.8" version="0.9.8i"/>
2474 <affects base="0.9.8" version="0.9.8j"/>
2475 <affects base="0.9.8" version="0.9.8k"/>
2476 <affects base="0.9.8" version="0.9.8l"/>
2477 <affects base="0.9.8" version="0.9.8m"/>
2478 <affects base="0.9.8" version="0.9.8n"/>
2479 <affects base="0.9.8" version="0.9.8o"/>
2480 <affects base="0.9.8" version="0.9.8p"/>
2481 <affects base="0.9.8" version="0.9.8q"/>
2482 <affects base="0.9.8" version="0.9.8r"/>
2483 <affects base="1.0.0" version="1.0.0"/>
2484 <affects base="1.0.0" version="1.0.0a"/>
2485 <affects base="1.0.0" version="1.0.0b"/>
2486 <affects base="1.0.0" version="1.0.0c"/>
2487 <affects base="1.0.0" version="1.0.0d"/>
2488 <affects base="1.0.0" version="1.0.0e"/>
2489 <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
2490 <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
2491 <advisory url="http://www.openssl.org/news/secadv_20120104.txt"/>
2492 <reported source="George Kadianakis"/>
2494 Support for handshake restarts for server gated cryptograpy (SGC) can
2495 be used in a denial-of-service attack.
2499 <issue public="20120104">
2500 <cve name="2012-0027"/>
2501 <affects base="1.0.0" version="1.0.0"/>
2502 <affects base="1.0.0" version="1.0.0a"/>
2503 <affects base="1.0.0" version="1.0.0b"/>
2504 <affects base="1.0.0" version="1.0.0c"/>
2505 <affects base="1.0.0" version="1.0.0d"/>
2506 <affects base="1.0.0" version="1.0.0e"/>
2507 <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
2508 <advisory url="http://www.openssl.org/news/secadv_20120104.txt"/>
2509 <reported source="Andrey Kulikov"/>
2511 A malicious TLS client can send an invalid set of GOST parameters
2512 which will cause the server to crash due to lack of error checking.
2513 This could be used in a denial-of-service attack.
2514 Only users of the OpenSSL GOST ENGINE are affected by this bug.
2518 <issue public="20120104">
2519 <cve name="2012-0050"/>
2520 <affects base="0.9.8" version="0.9.8s"/>
2521 <affects base="1.0.0" version="1.0.0f"/>
2522 <fixed base="1.0.0" version="1.0.0g" date="20120118"/>
2523 <fixed base="0.9.8" version="0.9.8t" date="20120118"/>
2524 <advisory url="http://www.openssl.org/news/secadv_20120118.txt"/>
2525 <reported source="Antonio Martin"/>
2527 A flaw in the fix to CVE-2011-4108 can be exploited in a denial of
2528 service attack. Only DTLS applications are affected.
2532 <issue public="20120312">
2533 <cve name="2012-0884"/>
2534 <affects base="0.9.8" version="0.9.8"/>
2535 <affects base="0.9.8" version="0.9.8a"/>
2536 <affects base="0.9.8" version="0.9.8b"/>
2537 <affects base="0.9.8" version="0.9.8c"/>
2538 <affects base="0.9.8" version="0.9.8d"/>
2539 <affects base="0.9.8" version="0.9.8e"/>
2540 <affects base="0.9.8" version="0.9.8f"/>
2541 <affects base="0.9.8" version="0.9.8g"/>
2542 <affects base="0.9.8" version="0.9.8h"/>
2543 <affects base="0.9.8" version="0.9.8i"/>
2544 <affects base="0.9.8" version="0.9.8j"/>
2545 <affects base="0.9.8" version="0.9.8k"/>
2546 <affects base="0.9.8" version="0.9.8l"/>
2547 <affects base="0.9.8" version="0.9.8m"/>
2548 <affects base="0.9.8" version="0.9.8n"/>
2549 <affects base="0.9.8" version="0.9.8o"/>
2550 <affects base="0.9.8" version="0.9.8p"/>
2551 <affects base="0.9.8" version="0.9.8q"/>
2552 <affects base="0.9.8" version="0.9.8r"/>
2553 <affects base="0.9.8" version="0.9.8s"/>
2554 <affects base="0.9.8" version="0.9.8t"/>
2555 <affects base="1.0.0" version="1.0.0"/>
2556 <affects base="1.0.0" version="1.0.0a"/>
2557 <affects base="1.0.0" version="1.0.0b"/>
2558 <affects base="1.0.0" version="1.0.0c"/>
2559 <affects base="1.0.0" version="1.0.0d"/>
2560 <affects base="1.0.0" version="1.0.0e"/>
2561 <affects base="1.0.0" version="1.0.0f"/>
2562 <affects base="1.0.0" version="1.0.0g"/>
2563 <fixed base="1.0.0" version="1.0.0h" date="20120312"/>
2564 <fixed base="0.9.8" version="0.9.8u" date="20120312"/>
2565 <advisory url="http://www.openssl.org/news/secadv_20120312.txt"/>
2566 <reported source="Ivan Nestlerode"/>
2568 A weakness in the OpenSSL CMS and PKCS #7 code can be exploited
2569 using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
2570 also known as the million message attack (MMA).
2571 Only users of CMS, PKCS #7, or S/MIME decryption operations are affected,
2572 SSL/TLS applications are not affected by this issue.
2577 <issue public="20110208">
2578 <cve name="2011-0014"/>
2579 <affects base="0.9.8" version="0.9.8h"/>
2580 <affects base="0.9.8" version="0.9.8i"/>
2581 <affects base="0.9.8" version="0.9.8j"/>
2582 <affects base="0.9.8" version="0.9.8k"/>
2583 <affects base="0.9.8" version="0.9.8l"/>
2584 <affects base="0.9.8" version="0.9.8m"/>
2585 <affects base="0.9.8" version="0.9.8n"/>
2586 <affects base="0.9.8" version="0.9.8o"/>
2587 <affects base="0.9.8" version="0.9.8p"/>
2588 <affects base="0.9.8" version="0.9.8q"/>
2589 <affects base="1.0.0" version="1.0.0"/>
2590 <affects base="1.0.0" version="1.0.0a"/>
2591 <affects base="1.0.0" version="1.0.0b"/>
2592 <affects base="1.0.0" version="1.0.0c"/>
2593 <fixed base="1.0.0" version="1.0.0d" date="20110208"/>
2594 <fixed base="0.9.8" version="0.9.8r" date="20110208"/>
2595 <advisory url="http://www.openssl.org/news/secadv_20110208.txt"/>
2596 <reported source="Neel Mehta"/>
2598 A buffer over-read flaw was discovered in the way OpenSSL parsed the
2599 Certificate Status Request TLS extensions in ClientHello TLS handshake
2600 messages. A remote attacker could possibly use this flaw to crash an SSL
2601 server using the affected OpenSSL functionality.
2605 <issue public="20120424">
2606 <cve name="2012-2131"/>
2607 <affects base="0.9.8" version="0.9.8v"/>
2608 <fixed base="0.9.8" version="0.9.8w" date="20120424"/>
2609 <advisory url="http://www.openssl.org/news/secadv_20120424.txt"/>
2610 <reported source="Red Hat"/>
2612 It was discovered that the fix for CVE-2012-2110 released on 19 Apr
2613 2012 was not sufficient to correct the issue for OpenSSL 0.9.8. This
2614 issue only affects OpenSSL 0.9.8v. OpenSSL 1.0.1a and 1.0.0i already
2615 contain a patch sufficient to correct CVE-2012-2110.
2620 <issue public="20120419">
2621 <cve name="2012-2110"/>
2622 <affects base="0.9.8" version="0.9.8"/>
2623 <affects base="0.9.8" version="0.9.8a"/>
2624 <affects base="0.9.8" version="0.9.8b"/>
2625 <affects base="0.9.8" version="0.9.8c"/>
2626 <affects base="0.9.8" version="0.9.8d"/>
2627 <affects base="0.9.8" version="0.9.8e"/>
2628 <affects base="0.9.8" version="0.9.8f"/>
2629 <affects base="0.9.8" version="0.9.8g"/>
2630 <affects base="0.9.8" version="0.9.8h"/>
2631 <affects base="0.9.8" version="0.9.8i"/>
2632 <affects base="0.9.8" version="0.9.8j"/>
2633 <affects base="0.9.8" version="0.9.8k"/>
2634 <affects base="0.9.8" version="0.9.8l"/>
2635 <affects base="0.9.8" version="0.9.8m"/>
2636 <affects base="0.9.8" version="0.9.8n"/>
2637 <affects base="0.9.8" version="0.9.8o"/>
2638 <affects base="0.9.8" version="0.9.8p"/>
2639 <affects base="0.9.8" version="0.9.8q"/>
2640 <affects base="0.9.8" version="0.9.8r"/>
2641 <affects base="0.9.8" version="0.9.8s"/>
2642 <affects base="0.9.8" version="0.9.8t"/>
2643 <affects base="0.9.8" version="0.9.8u"/>
2644 <affects base="1.0.0" version="1.0.0"/>
2645 <affects base="1.0.0" version="1.0.0a"/>
2646 <affects base="1.0.0" version="1.0.0b"/>
2647 <affects base="1.0.0" version="1.0.0c"/>
2648 <affects base="1.0.0" version="1.0.0d"/>
2649 <affects base="1.0.0" version="1.0.0e"/>
2650 <affects base="1.0.0" version="1.0.0f"/>
2651 <affects base="1.0.0" version="1.0.0g"/>
2652 <affects base="1.0.1" version="1.0.1"/>
2653 <fixed base="1.0.1" version="1.0.1a" date="20120419"/>
2654 <fixed base="1.0.0" version="1.0.0i" date="20120419"/>
2655 <fixed base="0.9.8" version="0.9.8v" date="20120419"/>
2656 <advisory url="http://www.openssl.org/news/secadv_20120419.txt"/>
2657 <reported source="Tavis Ormandy"/>
2659 Multiple numeric conversion errors, leading to a buffer overflow, were
2660 found in the way OpenSSL parsed ASN.1 (Abstract Syntax Notation One) data
2661 from BIO (OpenSSL's I/O abstraction) inputs. Specially-crafted DER
2662 (Distinguished Encoding Rules) encoded data read from a file or other BIO
2663 input could cause an application using the OpenSSL library to crash or,
2664 potentially, execute arbitrary code.
2668 <issue public="20120510">
2669 <cve name="2012-2333"/>
2670 <affects base="0.9.8" version="0.9.8"/>
2671 <affects base="0.9.8" version="0.9.8a"/>
2672 <affects base="0.9.8" version="0.9.8b"/>
2673 <affects base="0.9.8" version="0.9.8c"/>
2674 <affects base="0.9.8" version="0.9.8d"/>
2675 <affects base="0.9.8" version="0.9.8e"/>
2676 <affects base="0.9.8" version="0.9.8f"/>
2677 <affects base="0.9.8" version="0.9.8g"/>
2678 <affects base="0.9.8" version="0.9.8h"/>
2679 <affects base="0.9.8" version="0.9.8i"/>
2680 <affects base="0.9.8" version="0.9.8j"/>
2681 <affects base="0.9.8" version="0.9.8k"/>
2682 <affects base="0.9.8" version="0.9.8l"/>
2683 <affects base="0.9.8" version="0.9.8m"/>
2684 <affects base="0.9.8" version="0.9.8n"/>
2685 <affects base="0.9.8" version="0.9.8o"/>
2686 <affects base="0.9.8" version="0.9.8p"/>
2687 <affects base="0.9.8" version="0.9.8q"/>
2688 <affects base="0.9.8" version="0.9.8r"/>
2689 <affects base="0.9.8" version="0.9.8s"/>
2690 <affects base="0.9.8" version="0.9.8t"/>
2691 <affects base="0.9.8" version="0.9.8u"/>
2692 <affects base="0.9.8" version="0.9.8v"/>
2693 <affects base="0.9.8" version="0.9.8w"/>
2694 <affects base="1.0.0" version="1.0.0"/>
2695 <affects base="1.0.0" version="1.0.0a"/>
2696 <affects base="1.0.0" version="1.0.0b"/>
2697 <affects base="1.0.0" version="1.0.0c"/>
2698 <affects base="1.0.0" version="1.0.0d"/>
2699 <affects base="1.0.0" version="1.0.0e"/>
2700 <affects base="1.0.0" version="1.0.0f"/>
2701 <affects base="1.0.0" version="1.0.0g"/>
2702 <affects base="1.0.0" version="1.0.0i"/>
2703 <affects base="1.0.1" version="1.0.1"/>
2704 <affects base="1.0.1" version="1.0.1a"/>
2705 <affects base="1.0.1" version="1.0.1b"/>
2706 <fixed base="1.0.1" version="1.0.1c" date="20120510"/>
2707 <fixed base="1.0.0" version="1.0.0j" date="20120510"/>
2708 <fixed base="0.9.8" version="0.9.8x" date="20120510"/>
2709 <advisory url="http://www.openssl.org/news/secadv_20120510.txt"/>
2710 <reported source="Codenomicon"/>
2712 An integer underflow flaw, leading to a buffer over-read, was found in
2713 the way OpenSSL handled TLS 1.1, TLS 1.2, and DTLS (Datagram Transport
2714 Layer Security) application data record lengths when using a block
2715 cipher in CBC (cipher-block chaining) mode. A malicious TLS 1.1, TLS
2716 1.2, or DTLS client or server could use this flaw to crash its connection
2721 <issue public="20130204">
2722 <cve name="2013-0169"/>
2723 <affects base="0.9.8" version="0.9.8"/>
2724 <affects base="0.9.8" version="0.9.8a"/>
2725 <affects base="0.9.8" version="0.9.8b"/>
2726 <affects base="0.9.8" version="0.9.8c"/>
2727 <affects base="0.9.8" version="0.9.8d"/>
2728 <affects base="0.9.8" version="0.9.8e"/>
2729 <affects base="0.9.8" version="0.9.8f"/>
2730 <affects base="0.9.8" version="0.9.8g"/>
2731 <affects base="0.9.8" version="0.9.8h"/>
2732 <affects base="0.9.8" version="0.9.8i"/>
2733 <affects base="0.9.8" version="0.9.8j"/>
2734 <affects base="0.9.8" version="0.9.8k"/>
2735 <affects base="0.9.8" version="0.9.8l"/>
2736 <affects base="0.9.8" version="0.9.8m"/>
2737 <affects base="0.9.8" version="0.9.8n"/>
2738 <affects base="0.9.8" version="0.9.8o"/>
2739 <affects base="0.9.8" version="0.9.8p"/>
2740 <affects base="0.9.8" version="0.9.8q"/>
2741 <affects base="0.9.8" version="0.9.8r"/>
2742 <affects base="0.9.8" version="0.9.8s"/>
2743 <affects base="0.9.8" version="0.9.8t"/>
2744 <affects base="0.9.8" version="0.9.8u"/>
2745 <affects base="0.9.8" version="0.9.8v"/>
2746 <affects base="0.9.8" version="0.9.8w"/>
2747 <affects base="0.9.8" version="0.9.8x"/>
2748 <affects base="1.0.0" version="1.0.0"/>
2749 <affects base="1.0.0" version="1.0.0a"/>
2750 <affects base="1.0.0" version="1.0.0b"/>
2751 <affects base="1.0.0" version="1.0.0c"/>
2752 <affects base="1.0.0" version="1.0.0d"/>
2753 <affects base="1.0.0" version="1.0.0e"/>
2754 <affects base="1.0.0" version="1.0.0f"/>
2755 <affects base="1.0.0" version="1.0.0g"/>
2756 <affects base="1.0.0" version="1.0.0i"/>
2757 <affects base="1.0.0" version="1.0.0j"/>
2758 <affects base="1.0.1" version="1.0.1"/>
2759 <affects base="1.0.1" version="1.0.1a"/>
2760 <affects base="1.0.1" version="1.0.1b"/>
2761 <affects base="1.0.1" version="1.0.1c"/>
2762 <fixed base="1.0.1" version="1.0.1d" date="20130205"/>
2763 <fixed base="1.0.0" version="1.0.0k" date="20130205"/>
2764 <fixed base="0.9.8" version="0.9.8y" date="20130205"/>
2765 <advisory url="http://www.openssl.org/news/secadv_20130205.txt"/>
2766 <reported source="Nadhem J. AlFardan and Kenneth G. Paterson of the Information Security Group Royal Holloway, University of London"/>
2768 A weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS which could
2769 lead to plaintext recovery by exploiting timing differences
2770 arising during MAC processing.
2774 <issue public="20130205">
2775 <cve name="2012-2686"/>
2776 <affects base="1.0.1" version="1.0.1"/>
2777 <affects base="1.0.1" version="1.0.1a"/>
2778 <affects base="1.0.1" version="1.0.1b"/>
2779 <affects base="1.0.1" version="1.0.1c"/>
2780 <fixed base="1.0.1" version="1.0.1d" date="20130205"/>
2781 <advisory url="http://www.openssl.org/news/secadv_20130205.txt"/>
2782 <reported source="Adam Langley and Wolfgang Ettlinger"/>
2784 A flaw in the OpenSSL handling of CBC ciphersuites in TLS 1.1 and TLS 1.2 on
2785 AES-NI supporting platforms can be exploited in a DoS attack.
2789 <issue public="20130205">
2790 <cve name="2013-0166"/>
2791 <affects base="0.9.8" version="0.9.8"/>
2792 <affects base="0.9.8" version="0.9.8a"/>
2793 <affects base="0.9.8" version="0.9.8b"/>
2794 <affects base="0.9.8" version="0.9.8c"/>
2795 <affects base="0.9.8" version="0.9.8d"/>
2796 <affects base="0.9.8" version="0.9.8e"/>
2797 <affects base="0.9.8" version="0.9.8f"/>
2798 <affects base="0.9.8" version="0.9.8g"/>
2799 <affects base="0.9.8" version="0.9.8h"/>
2800 <affects base="0.9.8" version="0.9.8i"/>
2801 <affects base="0.9.8" version="0.9.8j"/>
2802 <affects base="0.9.8" version="0.9.8k"/>
2803 <affects base="0.9.8" version="0.9.8l"/>
2804 <affects base="0.9.8" version="0.9.8m"/>
2805 <affects base="0.9.8" version="0.9.8n"/>
2806 <affects base="0.9.8" version="0.9.8o"/>
2807 <affects base="0.9.8" version="0.9.8p"/>
2808 <affects base="0.9.8" version="0.9.8q"/>
2809 <affects base="0.9.8" version="0.9.8r"/>
2810 <affects base="0.9.8" version="0.9.8s"/>
2811 <affects base="0.9.8" version="0.9.8t"/>
2812 <affects base="0.9.8" version="0.9.8u"/>
2813 <affects base="0.9.8" version="0.9.8v"/>
2814 <affects base="0.9.8" version="0.9.8w"/>
2815 <affects base="0.9.8" version="0.9.8x"/>
2816 <affects base="1.0.0" version="1.0.0"/>
2817 <affects base="1.0.0" version="1.0.0a"/>
2818 <affects base="1.0.0" version="1.0.0b"/>
2819 <affects base="1.0.0" version="1.0.0c"/>
2820 <affects base="1.0.0" version="1.0.0d"/>
2821 <affects base="1.0.0" version="1.0.0e"/>
2822 <affects base="1.0.0" version="1.0.0f"/>
2823 <affects base="1.0.0" version="1.0.0g"/>
2824 <affects base="1.0.0" version="1.0.0i"/>
2825 <affects base="1.0.0" version="1.0.0j"/>
2826 <affects base="1.0.1" version="1.0.1"/>
2827 <affects base="1.0.1" version="1.0.1a"/>
2828 <affects base="1.0.1" version="1.0.1b"/>
2829 <affects base="1.0.1" version="1.0.1c"/>
2830 <fixed base="1.0.1" version="1.0.1d" date="20130205"/>
2831 <fixed base="1.0.0" version="1.0.0k" date="20130205"/>
2832 <fixed base="0.9.8" version="0.9.8y" date="20130205"/>
2833 <advisory url="http://www.openssl.org/news/secadv_20130205.txt"/>
2834 <reported source="Stephen Henson"/>
2836 A flaw in the OpenSSL handling of OCSP response verification can be exploited in
2837 a denial of service attack.
2841 <issue public="20131213">
2842 <cve name="2013-6450"/>
2843 <affects base="1.0.0" version="1.0.0"/>
2844 <affects base="1.0.0" version="1.0.0a"/>
2845 <affects base="1.0.0" version="1.0.0b"/>
2846 <affects base="1.0.0" version="1.0.0c"/>
2847 <affects base="1.0.0" version="1.0.0d"/>
2848 <affects base="1.0.0" version="1.0.0e"/>
2849 <affects base="1.0.0" version="1.0.0f"/>
2850 <affects base="1.0.0" version="1.0.0g"/>
2851 <affects base="1.0.0" version="1.0.0i"/>
2852 <affects base="1.0.0" version="1.0.0j"/>
2853 <affects base="1.0.0" version="1.0.0k"/>
2854 <affects base="1.0.1" version="1.0.1"/>
2855 <affects base="1.0.1" version="1.0.1a"/>
2856 <affects base="1.0.1" version="1.0.1b"/>
2857 <affects base="1.0.1" version="1.0.1c"/>
2858 <affects base="1.0.1" version="1.0.1d"/>
2859 <affects base="1.0.1" version="1.0.1e"/>
2860 <fixed base="1.0.1" version="1.0.1f" date="20140106">
2861 <git hash="3462896"/>
2863 <fixed base="1.0.0" version="1.0.0l" date="20140106"/>
2864 <reported source="Dmitry Sobinov"/>
2866 A flaw in DTLS handling can cause an application using OpenSSL and DTLS to crash.
2867 This is not a vulnerability for OpenSSL prior to 1.0.0.
2871 <issue public="20131214">
2872 <cve name="2013-6449"/>
2873 <affects base="1.0.1" version="1.0.1"/>
2874 <affects base="1.0.1" version="1.0.1a"/>
2875 <affects base="1.0.1" version="1.0.1b"/>
2876 <affects base="1.0.1" version="1.0.1c"/>
2877 <affects base="1.0.1" version="1.0.1d"/>
2878 <affects base="1.0.1" version="1.0.1e"/>
2879 <fixed base="1.0.1" version="1.0.1f" date="20140106">
2880 <git hash="ca98926"/>
2882 <reported source="Ron Barber"/>
2884 A flaw in OpenSSL can cause an application using OpenSSL to crash when using TLS version 1.2.
2885 This issue only affected OpenSSL 1.0.1 versions.
2889 <issue public="20140106">
2890 <cve name="2013-4353"/>
2891 <affects base="1.0.1" version="1.0.1"/>
2892 <affects base="1.0.1" version="1.0.1a"/>
2893 <affects base="1.0.1" version="1.0.1b"/>
2894 <affects base="1.0.1" version="1.0.1c"/>
2895 <affects base="1.0.1" version="1.0.1d"/>
2896 <affects base="1.0.1" version="1.0.1e"/>
2897 <fixed base="1.0.1" version="1.0.1f" date="20140106">
2898 <git hash="197e0ea817ad64820789d86711d55ff50d71f631"/>
2900 <reported source="Anton Johansson"/>
2902 A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL pointer exception. A malicious
2903 server could use this flaw to crash a connecting client. This issue only affected OpenSSL 1.0.1 versions.
2907 <issue public="20140214">
2908 <cve name="2014-0076"/>
2909 <affects base="0.9.8" version="0.9.8"/>
2910 <affects base="0.9.8" version="0.9.8a"/>
2911 <affects base="0.9.8" version="0.9.8b"/>
2912 <affects base="0.9.8" version="0.9.8c"/>
2913 <affects base="0.9.8" version="0.9.8d"/>
2914 <affects base="0.9.8" version="0.9.8e"/>
2915 <affects base="0.9.8" version="0.9.8f"/>
2916 <affects base="0.9.8" version="0.9.8g"/>
2917 <affects base="0.9.8" version="0.9.8h"/>
2918 <affects base="0.9.8" version="0.9.8i"/>
2919 <affects base="0.9.8" version="0.9.8j"/>
2920 <affects base="0.9.8" version="0.9.8k"/>
2921 <affects base="0.9.8" version="0.9.8l"/>
2922 <affects base="0.9.8" version="0.9.8m"/>
2923 <affects base="0.9.8" version="0.9.8n"/>
2924 <affects base="0.9.8" version="0.9.8o"/>
2925 <affects base="0.9.8" version="0.9.8p"/>
2926 <affects base="0.9.8" version="0.9.8q"/>
2927 <affects base="0.9.8" version="0.9.8r"/>
2928 <affects base="0.9.8" version="0.9.8s"/>
2929 <affects base="0.9.8" version="0.9.8t"/>
2930 <affects base="0.9.8" version="0.9.8u"/>
2931 <affects base="0.9.8" version="0.9.8v"/>
2932 <affects base="0.9.8" version="0.9.8w"/>
2933 <affects base="0.9.8" version="0.9.8x"/>
2934 <affects base="0.9.8" version="0.9.8y"/>
2935 <affects base="1.0.0" version="1.0.0"/>
2936 <affects base="1.0.0" version="1.0.0a"/>
2937 <affects base="1.0.0" version="1.0.0b"/>
2938 <affects base="1.0.0" version="1.0.0c"/>
2939 <affects base="1.0.0" version="1.0.0d"/>
2940 <affects base="1.0.0" version="1.0.0e"/>
2941 <affects base="1.0.0" version="1.0.0f"/>
2942 <affects base="1.0.0" version="1.0.0g"/>
2943 <affects base="1.0.0" version="1.0.0i"/>
2944 <affects base="1.0.0" version="1.0.0j"/>
2945 <affects base="1.0.0" version="1.0.0k"/>
2946 <affects base="1.0.0" version="1.0.0l"/>
2947 <affects base="1.0.1" version="1.0.1"/>
2948 <affects base="1.0.1" version="1.0.1a"/>
2949 <affects base="1.0.1" version="1.0.1b"/>
2950 <affects base="1.0.1" version="1.0.1c"/>
2951 <affects base="1.0.1" version="1.0.1d"/>
2952 <affects base="1.0.1" version="1.0.1e"/>
2953 <affects base="1.0.1" version="1.0.1f"/>
2954 <fixed base="1.0.1" version="1.0.1g" date="20140409">
2955 <git hash="4b7a4ba29cafa432fc4266fe6e59e60bc1c96332"/>
2957 <fixed base="1.0.0" version="1.0.0m" date="20140312">
2958 <git hash="2198be3483259de374f91e57d247d0fc667aef29"/>
2960 <fixed base="0.9.8" version="0.9.8za" date="20140605">
2962 <reported source="Yuval Yarom and Naomi Benger"/>
2964 Fix for the attack described in the paper "Recovering OpenSSL
2965 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
2969 <issue public="20140407">
2970 <cve name="2014-0160"/>
2971 <affects base="1.0.1" version="1.0.1"/>
2972 <affects base="1.0.1" version="1.0.1a"/>
2973 <affects base="1.0.1" version="1.0.1b"/>
2974 <affects base="1.0.1" version="1.0.1c"/>
2975 <affects base="1.0.1" version="1.0.1d"/>
2976 <affects base="1.0.1" version="1.0.1e"/>
2977 <affects base="1.0.1" version="1.0.1f"/>
2978 <fixed base="1.0.1" version="1.0.1g" date="20140409">
2980 <advisory url="http://www.openssl.org/news/secadv_20140407.txt"/>
2981 <reported source="Neel Mehta"/>
2983 A missing bounds check in the handling of the TLS heartbeat extension can be
2984 used to reveal up to 64kB of memory to a connected client or server (a.k.a. Heartbleed). This
2985 issue did not affect versions of OpenSSL prior to 1.0.1.
2989 <issue public="20140605">
2990 <cve name="2014-0224"/>
2991 <affects base="0.9.8" version="0.9.8"/>
2992 <affects base="0.9.8" version="0.9.8a"/>
2993 <affects base="0.9.8" version="0.9.8b"/>
2994 <affects base="0.9.8" version="0.9.8c"/>
2995 <affects base="0.9.8" version="0.9.8d"/>
2996 <affects base="0.9.8" version="0.9.8e"/>
2997 <affects base="0.9.8" version="0.9.8f"/>
2998 <affects base="0.9.8" version="0.9.8g"/>
2999 <affects base="0.9.8" version="0.9.8h"/>
3000 <affects base="0.9.8" version="0.9.8i"/>
3001 <affects base="0.9.8" version="0.9.8j"/>
3002 <affects base="0.9.8" version="0.9.8k"/>
3003 <affects base="0.9.8" version="0.9.8l"/>
3004 <affects base="0.9.8" version="0.9.8m"/>
3005 <affects base="0.9.8" version="0.9.8n"/>
3006 <affects base="0.9.8" version="0.9.8o"/>
3007 <affects base="0.9.8" version="0.9.8p"/>
3008 <affects base="0.9.8" version="0.9.8q"/>
3009 <affects base="0.9.8" version="0.9.8r"/>
3010 <affects base="0.9.8" version="0.9.8s"/>
3011 <affects base="0.9.8" version="0.9.8t"/>
3012 <affects base="0.9.8" version="0.9.8u"/>
3013 <affects base="0.9.8" version="0.9.8v"/>
3014 <affects base="0.9.8" version="0.9.8w"/>
3015 <affects base="0.9.8" version="0.9.8x"/>
3016 <affects base="0.9.8" version="0.9.8y"/>
3017 <affects base="1.0.0" version="1.0.0"/>
3018 <affects base="1.0.0" version="1.0.0a"/>
3019 <affects base="1.0.0" version="1.0.0b"/>
3020 <affects base="1.0.0" version="1.0.0c"/>
3021 <affects base="1.0.0" version="1.0.0d"/>
3022 <affects base="1.0.0" version="1.0.0e"/>
3023 <affects base="1.0.0" version="1.0.0f"/>
3024 <affects base="1.0.0" version="1.0.0g"/>
3025 <affects base="1.0.0" version="1.0.0i"/>
3026 <affects base="1.0.0" version="1.0.0j"/>
3027 <affects base="1.0.0" version="1.0.0k"/>
3028 <affects base="1.0.0" version="1.0.0l"/>
3029 <affects base="1.0.1" version="1.0.1"/>
3030 <affects base="1.0.1" version="1.0.1a"/>
3031 <affects base="1.0.1" version="1.0.1b"/>
3032 <affects base="1.0.1" version="1.0.1c"/>
3033 <affects base="1.0.1" version="1.0.1d"/>
3034 <affects base="1.0.1" version="1.0.1e"/>
3035 <affects base="1.0.1" version="1.0.1f"/>
3036 <affects base="1.0.1" version="1.0.1g"/>
3037 <fixed base="1.0.1" version="1.0.1h" date="20140605">
3039 <fixed base="1.0.0" version="1.0.0m" date="20140605">
3041 <fixed base="0.9.8" version="0.9.8za" date="20140605">
3044 An attacker can force the use of weak
3045 keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
3046 by a Man-in-the-middle (MITM) attack where the attacker can decrypt and
3047 modify traffic from the attacked client and server.
3049 <advisory url="http://www.openssl.org/news/secadv_20140605.txt"/>
3050 <reported source="KIKUCHI Masashi (Lepidum Co. Ltd.)"/>
3053 <issue public="20140605">
3054 <cve name="2014-0221"/>
3055 <affects base="0.9.8" version="0.9.8"/>
3056 <affects base="0.9.8" version="0.9.8a"/>
3057 <affects base="0.9.8" version="0.9.8b"/>
3058 <affects base="0.9.8" version="0.9.8c"/>
3059 <affects base="0.9.8" version="0.9.8d"/>
3060 <affects base="0.9.8" version="0.9.8e"/>
3061 <affects base="0.9.8" version="0.9.8f"/>
3062 <affects base="0.9.8" version="0.9.8g"/>
3063 <affects base="0.9.8" version="0.9.8h"/>
3064 <affects base="0.9.8" version="0.9.8i"/>
3065 <affects base="0.9.8" version="0.9.8j"/>
3066 <affects base="0.9.8" version="0.9.8k"/>
3067 <affects base="0.9.8" version="0.9.8l"/>
3068 <affects base="0.9.8" version="0.9.8m"/>
3069 <affects base="0.9.8" version="0.9.8n"/>
3070 <affects base="0.9.8" version="0.9.8o"/>
3071 <affects base="0.9.8" version="0.9.8p"/>
3072 <affects base="0.9.8" version="0.9.8q"/>
3073 <affects base="0.9.8" version="0.9.8r"/>
3074 <affects base="0.9.8" version="0.9.8s"/>
3075 <affects base="0.9.8" version="0.9.8t"/>
3076 <affects base="0.9.8" version="0.9.8u"/>
3077 <affects base="0.9.8" version="0.9.8v"/>
3078 <affects base="0.9.8" version="0.9.8w"/>
3079 <affects base="0.9.8" version="0.9.8x"/>
3080 <affects base="0.9.8" version="0.9.8y"/>
3081 <affects base="1.0.0" version="1.0.0"/>
3082 <affects base="1.0.0" version="1.0.0a"/>
3083 <affects base="1.0.0" version="1.0.0b"/>
3084 <affects base="1.0.0" version="1.0.0c"/>
3085 <affects base="1.0.0" version="1.0.0d"/>
3086 <affects base="1.0.0" version="1.0.0e"/>
3087 <affects base="1.0.0" version="1.0.0f"/>
3088 <affects base="1.0.0" version="1.0.0g"/>
3089 <affects base="1.0.0" version="1.0.0i"/>
3090 <affects base="1.0.0" version="1.0.0j"/>
3091 <affects base="1.0.0" version="1.0.0k"/>
3092 <affects base="1.0.0" version="1.0.0l"/>
3093 <affects base="1.0.1" version="1.0.1"/>
3094 <affects base="1.0.1" version="1.0.1a"/>
3095 <affects base="1.0.1" version="1.0.1b"/>
3096 <affects base="1.0.1" version="1.0.1c"/>
3097 <affects base="1.0.1" version="1.0.1d"/>
3098 <affects base="1.0.1" version="1.0.1e"/>
3099 <affects base="1.0.1" version="1.0.1f"/>
3100 <affects base="1.0.1" version="1.0.1g"/>
3101 <fixed base="1.0.1" version="1.0.1h" date="20140605">
3103 <fixed base="1.0.0" version="1.0.0m" date="20140605">
3105 <fixed base="0.9.8" version="0.9.8za" date="20140605">
3107 <description>By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. Only applications using OpenSSL as a DTLS client are affected.</description>
3108 <advisory url="http://www.openssl.org/news/secadv_20140605.txt"/>
3109 <reported source="Imre Rad (Search-Lab Ltd.)"/>
3112 <issue public="20140605">
3113 <cve name="2014-0195"/>
3114 <affects base="0.9.8" version="0.9.8o"/>
3115 <affects base="0.9.8" version="0.9.8p"/>
3116 <affects base="0.9.8" version="0.9.8q"/>
3117 <affects base="0.9.8" version="0.9.8r"/>
3118 <affects base="0.9.8" version="0.9.8s"/>
3119 <affects base="0.9.8" version="0.9.8t"/>
3120 <affects base="0.9.8" version="0.9.8u"/>
3121 <affects base="0.9.8" version="0.9.8v"/>
3122 <affects base="0.9.8" version="0.9.8w"/>
3123 <affects base="0.9.8" version="0.9.8x"/>
3124 <affects base="0.9.8" version="0.9.8y"/>
3125 <affects base="1.0.0" version="1.0.0"/>
3126 <affects base="1.0.0" version="1.0.0a"/>
3127 <affects base="1.0.0" version="1.0.0b"/>
3128 <affects base="1.0.0" version="1.0.0c"/>
3129 <affects base="1.0.0" version="1.0.0d"/>
3130 <affects base="1.0.0" version="1.0.0e"/>
3131 <affects base="1.0.0" version="1.0.0f"/>
3132 <affects base="1.0.0" version="1.0.0g"/>
3133 <affects base="1.0.0" version="1.0.0i"/>
3134 <affects base="1.0.0" version="1.0.0j"/>
3135 <affects base="1.0.0" version="1.0.0k"/>
3136 <affects base="1.0.0" version="1.0.0l"/>
3137 <affects base="1.0.1" version="1.0.1"/>
3138 <affects base="1.0.1" version="1.0.1a"/>
3139 <affects base="1.0.1" version="1.0.1b"/>
3140 <affects base="1.0.1" version="1.0.1c"/>
3141 <affects base="1.0.1" version="1.0.1d"/>
3142 <affects base="1.0.1" version="1.0.1e"/>
3143 <affects base="1.0.1" version="1.0.1f"/>
3144 <affects base="1.0.1" version="1.0.1g"/>
3145 <fixed base="1.0.1" version="1.0.1h" date="20140605">
3147 <fixed base="1.0.0" version="1.0.0m" date="20140605">
3149 <fixed base="0.9.8" version="0.9.8za" date="20140605">
3151 <description>A buffer overrun attack can be triggered by sending invalid DTLS fragments
3152 to an OpenSSL DTLS client or server. This is potentially exploitable to
3153 run arbitrary code on a vulnerable client or server. Only applications using OpenSSL as a DTLS client or server affected.
3155 <advisory url="http://www.openssl.org/news/secadv_20140605.txt"/>
3156 <reported source="Jüri Aedla"/>
3159 <issue public="20140421">
3160 <cve name="2014-0198"/>
3161 <affects base="1.0.0" version="1.0.0"/>
3162 <affects base="1.0.0" version="1.0.0a"/>
3163 <affects base="1.0.0" version="1.0.0b"/>
3164 <affects base="1.0.0" version="1.0.0c"/>
3165 <affects base="1.0.0" version="1.0.0d"/>
3166 <affects base="1.0.0" version="1.0.0e"/>
3167 <affects base="1.0.0" version="1.0.0f"/>
3168 <affects base="1.0.0" version="1.0.0g"/>
3169 <affects base="1.0.0" version="1.0.0i"/>
3170 <affects base="1.0.0" version="1.0.0j"/>
3171 <affects base="1.0.0" version="1.0.0k"/>
3172 <affects base="1.0.0" version="1.0.0l"/>
3173 <affects base="1.0.1" version="1.0.1"/>
3174 <affects base="1.0.1" version="1.0.1a"/>
3175 <affects base="1.0.1" version="1.0.1b"/>
3176 <affects base="1.0.1" version="1.0.1c"/>
3177 <affects base="1.0.1" version="1.0.1d"/>
3178 <affects base="1.0.1" version="1.0.1e"/>
3179 <affects base="1.0.1" version="1.0.1f"/>
3180 <affects base="1.0.1" version="1.0.1g"/>
3181 <fixed base="1.0.1" version="1.0.1h" date="20140605">
3183 <fixed base="1.0.0" version="1.0.0m" date="20140605">
3185 <description>A flaw in the do_ssl3_write function can allow remote attackers to
3186 cause a denial of service via a NULL pointer dereference. This flaw
3187 only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is
3188 enabled, which is not the default and not common.</description>
3189 <advisory url="http://www.openssl.org/news/secadv_20140605.txt"/>
3192 <issue public="20140408">
3193 <cve name="2010-5298"/>
3194 <affects base="1.0.0" version="1.0.0"/>
3195 <affects base="1.0.0" version="1.0.0a"/>
3196 <affects base="1.0.0" version="1.0.0b"/>
3197 <affects base="1.0.0" version="1.0.0c"/>
3198 <affects base="1.0.0" version="1.0.0d"/>
3199 <affects base="1.0.0" version="1.0.0e"/>
3200 <affects base="1.0.0" version="1.0.0f"/>
3201 <affects base="1.0.0" version="1.0.0g"/>
3202 <affects base="1.0.0" version="1.0.0i"/>
3203 <affects base="1.0.0" version="1.0.0j"/>
3204 <affects base="1.0.0" version="1.0.0k"/>
3205 <affects base="1.0.0" version="1.0.0l"/>
3206 <affects base="1.0.1" version="1.0.1"/>
3207 <affects base="1.0.1" version="1.0.1a"/>
3208 <affects base="1.0.1" version="1.0.1b"/>
3209 <affects base="1.0.1" version="1.0.1c"/>
3210 <affects base="1.0.1" version="1.0.1d"/>
3211 <affects base="1.0.1" version="1.0.1e"/>
3212 <affects base="1.0.1" version="1.0.1f"/>
3213 <affects base="1.0.1" version="1.0.1g"/>
3214 <fixed base="1.0.1" version="1.0.1h" date="20140605">
3216 <fixed base="1.0.0" version="1.0.0m" date="20140605">
3218 <description>A race condition in the ssl3_read_bytes function can allow remote
3219 attackers to inject data across sessions or cause a denial of service.
3220 This flaw only affects multithreaded applications using OpenSSL 1.0.0
3221 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the
3222 default and not common.</description>
3223 <advisory url="http://www.openssl.org/news/secadv_20140605.txt"/>
3226 <issue public="20140530">
3227 <cve name="2014-3470"/>
3228 <affects base="0.9.8" version="0.9.8"/>
3229 <affects base="0.9.8" version="0.9.8a"/>
3230 <affects base="0.9.8" version="0.9.8b"/>
3231 <affects base="0.9.8" version="0.9.8c"/>
3232 <affects base="0.9.8" version="0.9.8d"/>
3233 <affects base="0.9.8" version="0.9.8e"/>
3234 <affects base="0.9.8" version="0.9.8f"/>
3235 <affects base="0.9.8" version="0.9.8g"/>
3236 <affects base="0.9.8" version="0.9.8h"/>
3237 <affects base="0.9.8" version="0.9.8i"/>
3238 <affects base="0.9.8" version="0.9.8j"/>
3239 <affects base="0.9.8" version="0.9.8k"/>
3240 <affects base="0.9.8" version="0.9.8l"/>
3241 <affects base="0.9.8" version="0.9.8m"/>
3242 <affects base="0.9.8" version="0.9.8n"/>
3243 <affects base="0.9.8" version="0.9.8o"/>
3244 <affects base="0.9.8" version="0.9.8p"/>
3245 <affects base="0.9.8" version="0.9.8q"/>
3246 <affects base="0.9.8" version="0.9.8r"/>
3247 <affects base="0.9.8" version="0.9.8s"/>
3248 <affects base="0.9.8" version="0.9.8t"/>
3249 <affects base="0.9.8" version="0.9.8u"/>
3250 <affects base="0.9.8" version="0.9.8v"/>
3251 <affects base="0.9.8" version="0.9.8w"/>
3252 <affects base="0.9.8" version="0.9.8x"/>
3253 <affects base="0.9.8" version="0.9.8y"/>
3254 <affects base="1.0.0" version="1.0.0"/>
3255 <affects base="1.0.0" version="1.0.0a"/>
3256 <affects base="1.0.0" version="1.0.0b"/>
3257 <affects base="1.0.0" version="1.0.0c"/>
3258 <affects base="1.0.0" version="1.0.0d"/>
3259 <affects base="1.0.0" version="1.0.0e"/>
3260 <affects base="1.0.0" version="1.0.0f"/>
3261 <affects base="1.0.0" version="1.0.0g"/>
3262 <affects base="1.0.0" version="1.0.0i"/>
3263 <affects base="1.0.0" version="1.0.0j"/>
3264 <affects base="1.0.0" version="1.0.0k"/>
3265 <affects base="1.0.0" version="1.0.0l"/>
3266 <affects base="1.0.1" version="1.0.1"/>
3267 <affects base="1.0.1" version="1.0.1a"/>
3268 <affects base="1.0.1" version="1.0.1b"/>
3269 <affects base="1.0.1" version="1.0.1c"/>
3270 <affects base="1.0.1" version="1.0.1d"/>
3271 <affects base="1.0.1" version="1.0.1e"/>
3272 <affects base="1.0.1" version="1.0.1f"/>
3273 <affects base="1.0.1" version="1.0.1g"/>
3274 <fixed base="1.0.1" version="1.0.1h" date="20140605">
3276 <fixed base="1.0.0" version="1.0.0m" date="20140605">
3278 <fixed base="0.9.8" version="0.9.8za" date="20140605">
3280 <description>OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a
3281 denial of service attack.</description>
3282 <reported source="Felix Gröbert and Ivan Fratrić (Google)"/>
3283 <advisory url="http://www.openssl.org/news/secadv_20140605.txt"/>