1.0.0 on 20100329
-->
-<security updated="20160922">
+<!-- The updated attribute should be the same as the first public issue,
+ unless an old entry was updated. -->
+<security updated="20171102">
+ <issue public="20171207">
+ <impact severity="Moderate"/>
+ <cve name="2017-3737"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <affects base="1.0.2" version="1.0.2e"/>
+ <affects base="1.0.2" version="1.0.2f"/>
+ <affects base="1.0.2" version="1.0.2g"/>
+ <affects base="1.0.2" version="1.0.2h"/>
+ <affects base="1.0.2" version="1.0.2i"/>
+ <affects base="1.0.2" version="1.0.2j"/>
+ <affects base="1.0.2" version="1.0.2k"/>
+ <affects base="1.0.2" version="1.0.2l"/>
+ <affects base="1.0.2" version="1.0.2m"/>
+ <fixed base="1.0.2" version="1.0.2n" date="20171207"/>
+ <problemtype>Unauthenticated read/unencrypted write</problemtype>
+ <title>Read/write after SSL object in error state</title>
+ <description>
+ OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"
+ mechanism. The intent was that if a fatal error occurred during a handshake then
+ OpenSSL would move into the error state and would immediately fail if you
+ attempted to continue the handshake. This works as designed for the explicit
+ handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()),
+ however due to a bug it does not work correctly if SSL_read() or SSL_write() is
+ called directly. In that scenario, if the handshake fails then a fatal error
+ will be returned in the initial function call. If SSL_read()/SSL_write() is
+ subsequently called by the application for the same SSL object then it will
+ succeed and the data is passed without being decrypted/encrypted directly from
+ the SSL/TLS record layer.
+
+ In order to exploit this issue an application bug would have to be present that
+ resulted in a call to SSL_read()/SSL_write() being issued after having already
+ received a fatal error.
+ </description>
+ <advisory url="/news/secadv/20171207.txt"/>
+ <reported source="David Benjamin (Google)"/>
+ </issue>
+ <issue public="20171207">
+ <impact severity="Low"/>
+ <cve name="2017-3738"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <affects base="1.1.0" version="1.1.0c"/>
+ <affects base="1.1.0" version="1.1.0d"/>
+ <affects base="1.1.0" version="1.1.0e"/>
+ <affects base="1.1.0" version="1.1.0f"/>
+ <affects base="1.1.0" version="1.1.0g"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <affects base="1.0.2" version="1.0.2a"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <affects base="1.0.2" version="1.0.2e"/>
+ <affects base="1.0.2" version="1.0.2f"/>
+ <affects base="1.0.2" version="1.0.2g"/>
+ <affects base="1.0.2" version="1.0.2h"/>
+ <affects base="1.0.2" version="1.0.2i"/>
+ <affects base="1.0.2" version="1.0.2j"/>
+ <affects base="1.0.2" version="1.0.2k"/>
+ <affects base="1.0.2" version="1.0.2l"/>
+ <affects base="1.0.2" version="1.0.2m"/>
+ <fixed base="1.0.2" version="1.0.2n" date="20171207"/>
+ <fixed base="1.1.0" version="1.1.0h-dev" date="20171207"/>
+ <problemtype>carry-propagating bug</problemtype>
+ <title>bn_sqrx8x_internal carry bug on x86_64</title>
+ <description>
+ There is an overflow bug in the AVX2 Montgomery multiplication procedure
+ used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
+ Analysis suggests that attacks against RSA and DSA as a result of this defect
+ would be very difficult to perform and are not believed likely. Attacks
+ against DH1024 are considered just feasible, because most of the work
+ necessary to deduce information about a private key may be performed offline.
+ The amount of resources required for such an attack would be significant.
+ However, for an attack on TLS to be meaningful, the server would have to share
+ the DH1024 private key among multiple clients, which is no longer an option
+ since CVE-2016-0701.
+
+ This only affects processors that support the AVX2 but not ADX extensions
+ like Intel Haswell (4th generation).
+
+ Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732
+ and CVE-2015-3193.
+
+ Due to the low severity of this issue we are not issuing a new release of
+ OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it
+ becomes available. The fix is also available in commit e502cc86d in the OpenSSL
+ git repository.
+ </description>
+ <advisory url="/news/secadv/20171207.txt"/>
+ <reported source="David Benjamin (Google)/Google OSS-Fuzz"/>
+ </issue>
+ <issue public="20171102">
+ <impact severity="Moderate"/>
+ <cve name="2017-3736"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <affects base="1.1.0" version="1.1.0c"/>
+ <affects base="1.1.0" version="1.1.0d"/>
+ <affects base="1.1.0" version="1.1.0e"/>
+ <affects base="1.1.0" version="1.1.0f"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <affects base="1.0.2" version="1.0.2a"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <affects base="1.0.2" version="1.0.2e"/>
+ <affects base="1.0.2" version="1.0.2f"/>
+ <affects base="1.0.2" version="1.0.2g"/>
+ <affects base="1.0.2" version="1.0.2h"/>
+ <affects base="1.0.2" version="1.0.2i"/>
+ <affects base="1.0.2" version="1.0.2j"/>
+ <affects base="1.0.2" version="1.0.2k"/>
+ <affects base="1.0.2" version="1.0.2l"/>
+ <fixed base="1.0.2" version="1.0.2m" date="20171102"/>
+ <fixed base="1.1.0" version="1.1.0g" date="20171102"/>
+ <problemtype>carry-propagating bug</problemtype>
+ <title>bn_sqrx8x_internal carry bug on x86_64</title>
+ <description>
+ There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No
+ EC algorithms are affected. Analysis suggests that attacks against RSA and DSA
+ as a result of this defect would be very difficult to perform and are not
+ believed likely. Attacks against DH are considered just feasible (although very
+ difficult) because most of the work necessary to deduce information
+ about a private key may be performed offline. The amount of resources
+ required for such an attack would be very significant and likely only
+ accessible to a limited number of attackers. An attacker would
+ additionally need online access to an unpatched system using the target
+ private key in a scenario with persistent DH parameters and a private
+ key that is shared between multiple clients.
+
+ This only affects processors that support the BMI1, BMI2 and ADX extensions like
+ Intel Broadwell (5th generation) and later or AMD Ryzen.
+ </description>
+ <advisory url="/news/secadv/20171102.txt"/>
+ <reported source="Google OSS-Fuzz"/>
+ </issue>
+ <issue public="20170828">
+ <impact severity="Low"/>
+ <cve name="2017-3735"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <affects base="1.1.0" version="1.1.0c"/>
+ <affects base="1.1.0" version="1.1.0d"/>
+ <affects base="1.1.0" version="1.1.0e"/>
+ <affects base="1.1.0" version="1.1.0f"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <affects base="1.0.2" version="1.0.2a"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <affects base="1.0.2" version="1.0.2e"/>
+ <affects base="1.0.2" version="1.0.2f"/>
+ <affects base="1.0.2" version="1.0.2g"/>
+ <affects base="1.0.2" version="1.0.2h"/>
+ <affects base="1.0.2" version="1.0.2i"/>
+ <affects base="1.0.2" version="1.0.2j"/>
+ <affects base="1.0.2" version="1.0.2k"/>
+ <affects base="1.0.2" version="1.0.2l"/>
+ <fixed base="1.0.2" version="1.0.2m" date="20171102"/>
+ <fixed base="1.1.0" version="1.1.0g" date="20171102"/>
+ <problemtype>out-of-bounds read</problemtype>
+ <title>Possible Overread in parsing X.509 IPAdressFamily</title>
+ <description>
+ While parsing an IPAdressFamily extension in an X.509 certificate,
+ it is possible to do a one-byte overread. This would result in
+ an incorrect text display of the certificate.
+ </description>
+ <advisory url="/news/secadv/20170828.txt"/>
+ <reported source="Google OSS-Fuzz"/>
+ </issue>
+ <issue public="20170216">
+ <impact severity="High"/>
+ <cve name="2017-3733"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <affects base="1.1.0" version="1.1.0c"/>
+ <affects base="1.1.0" version="1.1.0d"/>
+ <fixed base="1.1.0" version="1.1.0e" date="20170216"/>
+ <problemtype>protocol error</problemtype>
+ <title>Encrypt-Then-Mac renegotiation crash</title>
+ <description>
+ During a renegotiation handshake if the Encrypt-Then-Mac extension is
+ negotiated where it was not in the original handshake (or vice-versa) then
+ this can cause OpenSSL to crash (dependent on ciphersuite). Both clients
+ and servers are affected.
+ </description>
+ <advisory url="/news/secadv/20170216.txt"/>
+ <reported source="Joe Orton (Red Hat)" />
+ </issue>
+ <issue public="20170126">
+ <impact severity="Moderate"/>
+ <cve name="2017-3731"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <affects base="1.1.0" version="1.1.0c"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <affects base="1.0.2" version="1.0.2a"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <affects base="1.0.2" version="1.0.2e"/>
+ <affects base="1.0.2" version="1.0.2f"/>
+ <affects base="1.0.2" version="1.0.2g"/>
+ <affects base="1.0.2" version="1.0.2h"/>
+ <affects base="1.0.2" version="1.0.2i"/>
+ <affects base="1.0.2" version="1.0.2j"/>
+ <fixed base="1.1.0" version="1.1.0d" date="20170126"/>
+ <fixed base="1.0.2" version="1.0.2k" date="20170126"/>
+ <problemtype>out-of-bounds read</problemtype>
+ <title>Truncated packet could crash via OOB read</title>
+ <description>
+ If an SSL/TLS server or client is running on a 32-bit host, and a specific
+ cipher is being used, then a truncated packet can cause that server or
+ client to perform an out-of-bounds read, usually resulting in a crash.
+
+ For OpenSSL 1.1.0, the crash can be triggered when using
+ CHACHA20/POLY1305; users should upgrade to 1.1.0d.
+
+ For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users
+ who have not disabled that algorithm should update to 1.0.2k
+ </description>
+ <advisory url="/news/secadv/20170126.txt"/>
+ <reported source="Robert Święcki of Google" />
+ </issue>
+ <issue public="20170126">
+ <impact severity="Moderate"/>
+ <cve name="2017-3730"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <affects base="1.1.0" version="1.1.0c"/>
+ <fixed base="1.1.0" version="1.1.0d" date="20170126"/>
+ <problemtype>NULL pointer deference</problemtype>
+ <title>Bad (EC)DHE parameters cause a client crash</title>
+ <description>
+ If a malicious server supplies bad parameters for a DHE or ECDHE key
+ exchange then this can result in the client attempting to dereference a
+ NULL pointer leading to a client crash. This could be exploited in a
+ Denial of Service attack.
+ </description>
+ <advisory url="/news/secadv/20170126.txt"/>
+ <reported source="Guido Vranken" />
+ </issue>
+ <issue public="20170126">
+ <impact severity="Moderate"/>
+ <cve name="2017-3732"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <affects base="1.1.0" version="1.1.0c"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <affects base="1.0.2" version="1.0.2a"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <affects base="1.0.2" version="1.0.2e"/>
+ <affects base="1.0.2" version="1.0.2f"/>
+ <affects base="1.0.2" version="1.0.2g"/>
+ <affects base="1.0.2" version="1.0.2h"/>
+ <affects base="1.0.2" version="1.0.2i"/>
+ <affects base="1.0.2" version="1.0.2j"/>
+ <fixed base="1.1.0" version="1.1.0d" date="20170126"/>
+ <fixed base="1.0.2" version="1.0.2k" date="20170126"/>
+ <problemtype>carry-propagating bug</problemtype>
+ <title>BN_mod_exp may produce incorrect results on x86_64</title>
+ <description>
+ There is a carry propagating bug in the x86_64 Montgomery squaring
+ procedure. No EC algorithms are affected. Analysis suggests that attacks
+ against RSA and DSA as a result of this defect would be very difficult to
+ perform and are not believed likely. Attacks against DH are considered
+ just feasible (although very difficult) because most of the work necessary
+ to deduce information about a private key may be performed offline. The
+ amount of resources required for such an attack would be very significant
+ and likely only accessible to a limited number of attackers. An attacker
+ would additionally need online access to an unpatched system using the
+ target private key in a scenario with persistent DH parameters and a
+ private key that is shared between multiple clients. For example this can
+ occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This
+ issue is very similar to CVE-2015-3193 but must be treated as a separate
+ problem.
+ </description>
+ <advisory url="/news/secadv/20170126.txt"/>
+ <reported source="OSS-Fuzz project" />
+ </issue>
+ <issue public="20161110">
+ <impact severity="High"/>
+ <cve name="2016-7054"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <fixed base="1.1.0" version="1.1.0c" date="20161110"/>
+ <problemtype>protocol error</problemtype>
+ <title>ChaCha20/Poly1305 heap-buffer-overflow</title>
+ <description>
+ TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to
+ a DoS attack by corrupting larger payloads. This can result in an OpenSSL
+ crash. This issue is not considered to be exploitable beyond a DoS.
+ </description>
+ <advisory url="/news/secadv/20161110.txt"/>
+ <reported source="Robert Święcki (Google Security Team)" date="20160925"/>
+ </issue>
+ <issue public="20161110">
+ <impact severity="Moderate"/>
+ <cve name="2016-7053"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <fixed base="1.1.0" version="1.1.0c" date="20161110"/>
+ <problemtype>NULL pointer deference</problemtype>
+ <title>CMS Null dereference</title>
+ <description>
+ Applications parsing invalid CMS structures can crash with a NULL pointer
+ dereference. This is caused by a bug in the handling of the ASN.1 CHOICE
+ type in OpenSSL 1.1.0 which can result in a NULL value being passed to the
+ structure callback if an attempt is made to free certain invalid
+ encodings. Only CHOICE structures using a callback which do not handle
+ NULL value are affected.
+ </description>
+ <advisory url="/news/secadv/20161110.txt"/>
+ <reported source="Tyler Nighswander (ForAllSecure)" date="20161012"/>
+ </issue>
+ <issue public="20161110">
+ <impact severity="Low"/>
+ <cve name="2016-7055"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <affects base="1.0.2" version="1.0.2a"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <affects base="1.0.2" version="1.0.2e"/>
+ <affects base="1.0.2" version="1.0.2f"/>
+ <affects base="1.0.2" version="1.0.2g"/>
+ <affects base="1.0.2" version="1.0.2h"/>
+ <affects base="1.0.2" version="1.0.2i"/>
+ <affects base="1.0.2" version="1.0.2j"/>
+ <fixed base="1.1.0" version="1.1.0c" date="20161110"/>
+ <fixed base="1.0.2" version="1.0.2k" date="20170126"/>
+ <problemtype>carry propagating bug</problemtype>
+ <title>Montgomery multiplication may produce incorrect results</title>
+ <description>
+ There is a carry propagating bug in the Broadwell-specific Montgomery
+ multiplication procedure that handles input lengths divisible by, but
+ longer than 256 bits. Analysis suggests that attacks against RSA, DSA
+ and DH private keys are impossible. This is because the subroutine in
+ question is not used in operations with the private key itself and an
+ input of the attacker's direct choice. Otherwise the bug can manifest
+ itself as transient authentication and key negotiation failures or
+ reproducible erroneous outcome of public-key operations with specially
+ crafted input. Among EC algorithms only Brainpool P-512 curves are
+ affected and one presumably can attack ECDH key negotiation. Impact was
+ not analyzed in detail, because pre-requisites for attack are considered
+ unlikely. Namely multiple clients have to choose the curve in question and
+ the server has to share the private key among them, neither of which is
+ default behaviour. Even then only clients that chose the curve will be
+ affected.
+ </description>
+ <advisory url="/news/secadv/20161110.txt"/>
+ <reported source="Publicly reported" />
+ </issue>
+ <issue public="20160926">
+ <impact severity="Critical"/>
+ <cve name="2016-6309"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <fixed base="1.1.0" version="1.1.0b" date="20160926"/>
+
+ <problemtype>write to free</problemtype>
+ <description>
+ This issue only affects OpenSSL 1.1.0a, released on 22nd September 2016.
+
+ The patch applied to address CVE-2016-6307 resulted in an issue where if a
+ message larger than approx 16k is received then the underlying buffer to store
+ the incoming message is reallocated and moved. Unfortunately a dangling pointer
+ to the old location is left which results in an attempt to write to the
+ previously freed location. This is likely to result in a crash, however it
+ could potentially lead to execution of arbitrary code.
+ </description>
+ <advisory url="/news/secadv/20160926.txt"/>
+ <reported source="Robert Święcki (Google Security Team)" date="20160923"/>
+ </issue>
+ <issue public="20160926">
+ <impact severity="Moderate"/>
+ <cve name="2016-7052"/>
+ <affects base="1.0.2" version="1.0.2i"/>
+ <fixed base="1.0.2" version="1.0.2j" date="20160926"/>
+
+ <problemtype>NULL pointer exception</problemtype>
+ <description>
+ This issue only affects OpenSSL 1.0.2i, released on 22nd September 2016.
+
+ A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
+ but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
+ CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
+ </description>
+ <advisory url="/news/secadv/20160926.txt"/>
+ <reported source="Bruce Stephens and Thomas Jakobi" date="20160922"/>
+ </issue>
<issue public="20160922">
<impact severity="High"/>
<cve name="2016-6304"/>
<fixed base="1.0.2" version="1.0.2i" date="20160922"/>
<fixed base="1.1.0" version="1.1.0a" date="20160922"/>
+ <problemtype>memory leak</problemtype>
<description>
A malicious client can send an excessively large OCSP Status Request extension.
If that client continually requests renegotiation, sending a large OCSP Status
support.
</description>
<advisory url="/news/secadv/20160922.txt"/>
- <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)"/>
+ <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160829"/>
</issue>
<issue public="20160922">
<impact severity="Moderate"/>
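Review bot: the new <security updated="20171102"> contradicts the comment added two lines above it, which says the attribute should equal the first public issue; the first two entries in this hunk are <issue public="20171207"> (CVE-2017-3737 and CVE-2017-3738), so it should read updated="20171207". Further points in the same hunk: (1) the CVE-2017-3738 entry reuses the CVE-2017-3736 title "bn_sqrx8x_internal carry bug on x86_64", but its own description concerns the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli, on processors with AVX2 but not ADX, so the title should name that routine rather than bn_sqrx8x_internal; (2) in the same entry, <fixed base="1.1.0" version="1.1.0h-dev" date="20171207"/> attaches a release date to a version the description says is not released yet, and since the description already cites commit e502cc86d the fix should be recorded the way the older entries in this patch do it, with a nested <git hash="..."/> under <fixed> and no release date until 1.1.0h ships; (3) CVE-2016-6309 and CVE-2016-7052 are the only new entries without a <title>, and each has a stray blank line after its <fixed>; (4) the <reported> elements of the 2017 entries (CVE-2017-3737, -3738, -3736, -3735, -3733, -3731, -3730, -3732) and of CVE-2016-7055 carry no date attribute, while every other hunk in this patch exists precisely to add that attribute to older entries; (5) <problemtype> wording is inconsistent: "protocol error" on CVE-2016-7054 whose title is "ChaCha20/Poly1305 heap-buffer-overflow", "write to free" on CVE-2016-6309 for what the description calls a write to a previously freed location, "NULL pointer exception" on CVE-2016-7052 against "NULL pointer deference" (sic, dereference) on CVE-2017-3730 and CVE-2016-7053, and "carry propagating bug" on CVE-2016-7055 against "carry-propagating bug" on the three BN entries, and "Unauthenticated read/unencrypted write" on CVE-2017-3737 describes a condition the description says applies symmetrically to both SSL_read() and SSL_write(); (6) spelling: "IPAdressFamily" in the CVE-2017-3735 title and description should be IPAddressFamily, and in CVE-2017-3731 "Openssl 1.0.2" lacks the usual capitalisation and its sentence the closing period; (7) the reporter credit "OSS-Fuzz project" on CVE-2017-3732 differs from "Google OSS-Fuzz" used for the same source on CVE-2017-3736 and CVE-2017-3735.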
attack.
</description>
<advisory url="/news/secadv/20160922.txt"/>
- <reported source="Alex Gaynor"/>
+ <reported source="Alex Gaynor" date="20160910"/>
</issue>
<issue public="20160824">
<impact severity="Low"/>
on most platforms.
</description>
<advisory url="/news/secadv/20160922.txt"/>
- <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)"/>
+ <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160811"/>
</issue>
<issue public="20160823">
<impact severity="Low"/>
a custom server callback and ticket lookup mechanism.
</description>
<advisory url="/news/secadv/20160922.txt"/>
- <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)"/>
+ <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160819"/>
</issue>
<issue public="20160816">
<impact severity="Low"/>
record limits will reject an oversized certificate before it is parsed.
</description>
<advisory url="/news/secadv/20160922.txt"/>
- <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)"/>
+ <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160802"/>
</issue>
<issue public="20160722">
<impact severity="Low"/>
of data written. This will result in OOB reads when large OIDs are presented.
</description>
<advisory url="/news/secadv/20160922.txt"/>
- <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)"/>
+ <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160721"/>
</issue>
<issue public="20160601">
<impact severity="Low"/>
values of len that are too big and therefore p + len < limit.
</description>
<advisory url="/news/secadv/20160922.txt"/>
- <reported source="Guido Vranken"/>
+ <reported source="Guido Vranken" date="20160504"/>
</issue>
<issue public="20160607">
<impact severity="Low"/>
recover the private DSA key.
</description>
<advisory url="/news/secadv/20160922.txt"/>
- <reported source="César Pereida (Aalto University), Billy Brumley (Tampere University of Technology), and Yuval Yarom (The University of Adelaide and NICTA)"/>
+ <reported source="César Pereida (Aalto University), Billy Brumley (Tampere University of Technology), and Yuval Yarom (The University of Adelaide and NICTA)" date="20160523"/>
</issue>
<issue public="20160822">
<impact severity="Low"/>
through memory exhaustion.
</description>
<advisory url="/news/secadv/20160922.txt"/>
- <reported source="Quan Luo"/>
+ <reported source="Quan Luo" date="20160622"/>
</issue>
<issue public="20160819">
<impact severity="Low"/>
DTLS connection.
</description>
<advisory url="/news/secadv/20160922.txt"/>
- <reported source="OCAP audit team"/>
+ <reported source="OCAP audit team" date="20151121"/>
</issue>
<issue public="20160921">
<impact severity="Low"/>
a client or a server which enables client authentication.
</description>
<advisory url="/news/secadv/20160922.txt"/>
- <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)"/>
+ <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160822"/>
</issue>
<issue public="20160921">
<impact severity="Low"/>
of memory - which would then mean a more serious Denial of Service.
</description>
<advisory url="/news/secadv/20160922.txt"/>
- <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)"/>
+ <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160818"/>
</issue>
<issue public="20160921">
<impact severity="Low"/>
of memory - which would then mean a more serious Denial of Service.
</description>
<advisory url="/news/secadv/20160922.txt"/>
- <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)"/>
+ <reported source="Shi Lei (Gear Team, Qihoo 360 Inc.)" date="20160818"/>
</issue>
<issue public="20160503">
<impact severity="High"/>
Certification Authorities.
</description>
<advisory url="/news/secadv/20160503.txt"/>
- <reported source="Huzaifa Sidhpurwala (Red Hat), Hanno Böck, David Benjamin (Google)"/>
+ <reported source="Huzaifa Sidhpurwala (Red Hat), Hanno Böck, David Benjamin (Google)" date="20160331"/>
</issue>
<issue public="20160503">
<impact severity="High"/>
bytes.
</description>
<advisory url="/news/secadv/20160503.txt"/>
- <reported source="Juraj Somorovsky"/>
+ <reported source="Juraj Somorovsky" date="20160413"/>
</issue>
<issue public="20160503">
<impact severity="Low"/>
message. This is no longer believed to be the case).
</description>
<advisory url="/news/secadv/20160503.txt"/>
- <reported source="Guido Vranken"/>
+ <reported source="Guido Vranken" date="20160303"/>
</issue>
<issue public="20160503">
<impact severity="Low"/>
this function directly.
</description>
<advisory url="/news/secadv/20160503.txt"/>
- <reported source="Guido Vranken"/>
+ <reported source="Guido Vranken" date="20160303"/>
</issue>
<issue public="20160503">
<impact severity="Low"/>
TLS applications are not affected.
</description>
<advisory url="/news/secadv/20160503.txt"/>
- <reported source="Brian Carpenter"/>
+ <reported source="Brian Carpenter" date="20160404"/>
</issue>
<issue public="20160503">
<impact severity="Low"/>
This could result in arbitrary stack data being returned in the buffer.
</description>
<advisory url="/news/secadv/20160503.txt"/>
- <reported source="Guido Vranken"/>
+ <reported source="Guido Vranken" date="20160305"/>
</issue>
<issue public="20160301">
<impact severity="High"/>
not provide any "EXPORT" or "LOW" strength ciphers.
</description>
<advisory url="/news/secadv/20160301.txt"/>
- <reported source="Nimrod Aviram and Sebastian Schinzel"/>
+ <reported source="Nimrod Aviram and Sebastian Schinzel" date="20151229"/>
</issue>
<issue public="20160301">
<impact severity="Low"/>
rare.
</description>
<advisory url="/news/secadv/20160301.txt"/>
- <reported source="Adam Langley (Google/BoringSSL)"/>
+ <reported source="Adam Langley (Google/BoringSSL)" date="20160207"/>
</issue>
<issue public="20160301">
<impact severity="Low"/>
constant time.
</description>
<advisory url="/news/secadv/20160301.txt"/>
- <reported source="OpenSSL"/>
+ <reported source="Emilia Käsper (OpenSSL)" date="20160223"/>
</issue>
<issue public="20160301">
<impact severity="Low"/>
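Review bot: this hunk changes the credited reporter from "OpenSSL" to "Emilia Käsper (OpenSSL)" as well as adding the date, which makes it the only re-attribution among these otherwise date-only hunks; if the change is intentional it should be mentioned in the commit message, and it is worth confirming the individual credit against the linked 20160301 advisory before replacing the project-level one.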
also anticipated to be rare.
</description>
<advisory url="/news/secadv/20160301.txt"/>
- <reported source="Guido Vranken"/>
+ <reported source="Guido Vranken" date="20160219"/>
</issue>
<issue public="20160301">
<impact severity="Low"/>
trigger these issues because of message size limits enforced within libssl.
</description>
<advisory url="/news/secadv/20160301.txt"/>
- <reported source="Guido Vranken"/>
+ <reported source="Guido Vranken" date="20160223"/>
</issue>
<issue public="20160301">
<impact severity="Low"/>
the victim thread which is performing decryptions.
</description>
<advisory url="/news/secadv/20160301.txt"/>
- <reported source="Yuval Yarom, The University of Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and Nadia Heninger, University of Pennsylvania"/>
+ <reported source="Yuval Yarom, The University of Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and Nadia Heninger, University of Pennsylvania" date="20160108"/>
</issue>
<issue public="20160301">
<impact severity="High"/>
computation.
</description>
<advisory url="/news/secadv/20160301.txt"/>
- <reported source="David Adrian and J.Alex Halderman (University of Michigan)"/>
+ <reported source="David Adrian and J.Alex Halderman (University of Michigan)" date="20160210"/>
</issue>
<issue public="20160301">
<impact severity="Moderate"/>
the DROWN attack.
</description>
<advisory url="/news/secadv/20160301.txt"/>
- <reported source="David Adrian and J.Alex Halderman (University of Michigan)"/>
+ <reported source="David Adrian and J.Alex Halderman (University of Michigan)" date="20160210"/>
</issue>
<issue public="20160128">
<impact severity="High"/>
and cannot be disabled. This could have some performance impact.
</description>
<advisory url="/news/secadv/20160128.txt"/>
- <reported source="Antonio Sanso (Adobe)"/>
+ <reported source="Antonio Sanso (Adobe)" date="20160112"/>
</issue>
<issue public="20160128">
<impact severity="Low"/>
SSL_OP_NO_SSLv2.
</description>
<advisory url="/news/secadv/20160128.txt"/>
- <reported source="Nimrod Aviram and Sebastian Schinzel"/>
+ <reported source="Nimrod Aviram and Sebastian Schinzel" date="20151226"/>
</issue>
<issue public="20150811">
<impact severity="Low"/>
of service attack.
</description>
<advisory url="/news/secadv/20151203.txt"/>
- <reported source="Guy Leaver (Cisco)"/>
+ <reported source="Guy Leaver (Cisco)" date="20150803"/>
</issue>
<issue public="20151203">
<cve name="2015-3193"/>
default in OpenSSL DHE based SSL/TLS ciphersuites.
</description>
<advisory url="/news/secadv/20151203.txt"/>
- <reported source="Hanno Böck"/>
+ <reported source="Hanno Böck" date="20150813"/>
</issue>
<issue public="20151203">
<cve name="2015-3194"/>
servers which enable client authentication.
</description>
<advisory url="/news/secadv/20151203.txt"/>
- <reported source="Loïc Jonas Etienne (Qnective AG)"/>
+ <reported source="Loïc Jonas Etienne (Qnective AG)" date="20150827"/>
</issue>
<issue public="20151203">
<cve name="2015-3195"/>
SSL/TLS is not affected.
</description>
<advisory url="/news/secadv/20151203.txt"/>
- <reported source="Adam Langley (Google/BoringSSL) using libFuzzer"/>
+ <reported source="Adam Langley (Google/BoringSSL) using libFuzzer" date="20151109"/>
</issue>
<issue public="20151203">
<cve name="2015-3196"/>
"issue" an invalid certificate.
</description>
<advisory url="/news/secadv/20150709.txt"/>
- <reported source="Adam Langley and David Benjamin (Google/BoringSSL)"/>
+ <reported source="Adam Langley and David Benjamin (Google/BoringSSL)" date="20150624"/>
</issue>
<issue public="20150611">
<cve name="2015-1788"/>
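Review bot: the context line <advisory url="/news/secadv/20150709.txt"/> in this entry does not match its public date of 20151203, while the sibling entries public on the same day (CVE-2015-3193, -3194, -3195) all point at 20151203.txt; the reported date 20150624 being added here is close to 20150709, so the earlier advisory may be deliberate, but either confirm that or correct the URL in this same patch rather than leaving the mismatch next to a freshly edited line.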
client authentication enabled.
</description>
<advisory url="/news/secadv/20150611.txt"/>
- <reported source="Joseph Birr-Pixton"/>
+ <reported source="Joseph Birr-Pixton" date="20150406"/>
</issue>
<issue public="20150611">
callbacks.
</description>
<advisory url="/news/secadv/20150611.txt"/>
- <reported source="Robert Swiecki (Google) and (independently) Hanno Böck"/>
+ <reported source="Robert Święcki (Google Security Team)" date="20150408"/>
+ <reported source="Hanno Böck" date="20150411"/>
</issue>
<issue public="20150611">
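Review bot: this hunk turns one <reported> element into two, one per reporter with separate dates, and also changes the first credit from "Robert Swiecki (Google)" to "Robert Święcki (Google Security Team)"; no other entry on the page has more than one <reported> under a single <issue>, so check that whatever renders this file accepts repeated <reported> elements, and call out the affiliation change in the commit message.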
servers are not affected.
</description>
<advisory url="/news/secadv/20150611.txt"/>
- <reported source="Michal Zalewski (Google)"/>
+ <reported source="Michal Zalewski (Google)" date="20150418"/>
</issue>
<issue public="20150611">
verifies signedData messages using the CMS code.
</description>
<advisory url="/news/secadv/20150611.txt"/>
- <reported source="Johannes Bauer"/>
+ <reported source="Johannes Bauer" date="20150331"/>
</issue>
<issue public="20150602">
corruption.
</description>
<advisory url="/news/secadv/20150611.txt"/>
- <reported source="Praveen Kariyanahalli, and subsequently by Ivan Fratric and Felix Groebert (Google)"/>
+ <reported source="Praveen Kariyanahalli, and subsequently by Ivan Fratric and Felix Groebert (Google)" date="20140328"/>
</issue>
<issue public="20150319">
<impact severity="High"/>
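Review bot: the date 20140328 added to this <reported> is fourteen months before the entry's public date of 20150602, whereas almost every other date in this patch falls within days to a few weeks of its issue's public date (the only comparable gap is the OCAP audit team entry, dated 20151121 for an issue public 20160819); if the first report really predates the advisory by that long it should stand, but please confirm it is not a typo for 20150328.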
This can be exploited in a DoS attack against the server.
</description>
<advisory url="/news/secadv/20150319.txt"/>
- <reported source=" David Ramos (Stanford University)"/>
+ <reported source=" David Ramos (Stanford University)" date="20150226"/>
</issue>
<issue public="20150319">
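Review bot: the source attribute on the rewritten line keeps its stray leading space, " David Ramos (Stanford University)", even though the line is being edited to add the date; trim it here so the rendered credit does not begin with a space.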
potential DoS attack.
</description>
<advisory url="/news/secadv/20150319.txt"/>
- <reported source="Daniel Danner and Rainer Mueller"/>
+ <reported source="Daniel Danner and Rainer Mueller" date="20150213"/>
</issue>
<issue public="20150319">
connect to a DTLS1.2 only server.
</description>
<advisory url="/news/secadv/20150319.txt"/>
- <reported source="Per Allansson"/>
+ <reported source="Per Allansson" date="20150127"/>
</issue>
<issue public="20150319">
OpenSSL clients and servers which enable client authentication.
</description>
<advisory url="/news/secadv/20150319.txt"/>
- <reported source="Brian Carpenter"/>
+ <reported source="Brian Carpenter" date="20150131"/>
</issue>
<issue public="20150319">
affected. OpenSSL clients and servers are not affected.
</description>
<advisory url="/news/secadv/20150319.txt"/>
- <reported source="Michal Zalewski (Google)"/>
+ <reported source="Michal Zalewski (Google)" date="20150216"/>
</issue>
<issue public="20150319">
<issue public="20020730">
<cve name="2002-0657"/>
<advisory url="/news/secadv/20020730.txt"/>
+ <affects base="0.9.7" version="0.9.7-beta3"/>
+ <fixed base="0.9.7" version="0.9.7" date="20021210"/>
<reported source="OpenSSL Group (A.L. Digital)"/>
<description>
A buffer overflow when Kerberos is enabled allowed attackers
<issue public="20020730">
<cve name="2002-0659"/>
+ <advisory url="/news/secadv/20020730.txt"/>
<affects base="0.9.6" version="0.9.6a"/>
<affects base="0.9.6" version="0.9.6b"/>
<affects base="0.9.6" version="0.9.6c"/>
</description>
</issue>
- <issue>
+ <issue public="20020808">
<cve name="2002-1568"/>
<affects base="0.9.6" version="0.9.6e"/>
- <fixed base="0.9.6" version="0.9.6f" date="20020808"/>
+ <fixed base="0.9.6" version="0.9.6f" date="20020808">
+ <git hash="517a0e7fa0f5453c860a3aec17b678bd55d5aad7"/>
+ </fixed>
<description>
The use of assertions when detecting buffer overflow attacks
allowed remote attackers to cause a denial of service (crash) by
<affects base="0.9.6" version="0.9.6k"/>
<affects base="0.9.6" version="0.9.6l"/>
<affects base="0.9.6" version="0.9.6m"/>
- <fixed base="0.9.7" version="0.9.7f" date="20050322"/>
+ <fixed base="0.9.7" version="0.9.7f" date="20050322">
+ <git hash="5fee606442a6738fd06a756d7076be53b7b7734c"/>
+ </fixed>
<fixed base="0.9.6" version="0.9.6-cvs" date="20041114"/>
<!-- der_chop was removed 20041114 -->
<cve name="2007-5502"/>
<advisory url="/news/secadv/20071129.txt"/>
<reported source="Geoff Lowe"/>
-
+ <affects base="fips-1.1" version="fips-1.1.1"/>
+ <fixed base="fips-1.1" version="fips-1.1.2" date="20071201"/>
<description>
The PRNG implementation for the OpenSSL FIPS Object Module 1.1.1 does
not perform auto-seeding during the FIPS self-test, which generates
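Review bot: the added `<fixed base="fips-1.1" version="fips-1.1.2" date="20071201"/>` carries a fix date two days after the advisory referenced on this issue (`/news/secadv/20071129.txt`); confirm that 20071201 is the release date of the fips-1.1.2 module rather than a transposed advisory date, and if the module really shipped after the advisory, a brief XML comment here would make that ordering intentional.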
<affects base="0.9.8" version="0.9.8f"/>
<affects base="0.9.8" version="0.9.8g"/>
<affects base="0.9.8" version="0.9.8h"/>
- <fixed base="0.9.8" version="0.9.8i" date="20080915"/>
+ <fixed base="0.9.8" version="0.9.8i" date="20080915">
+ <git hash="1cbf663a6c89dcf8f7706d30a8bae675e2e0199a"/>
+ </fixed>
<reported source="Alex Lam"/>
<description>
Fix a NULL pointer dereference if a DTLS server recieved
<issue public="20090205">
<cve name="2009-1387"/>
+ <advisory url="https://rt.openssl.org/Ticket/Display.html?id=1838&user=guest&pass=guest"/>
<affects base="0.9.8" version="0.9.8"/>
<affects base="0.9.8" version="0.9.8a"/>
<affects base="0.9.8" version="0.9.8b"/>
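Review bot: the added `<advisory url="https://rt.openssl.org/Ticket/Display.html?id=1838&user=guest&pass=guest"/>` contains bare `&` characters inside an attribute value, which is not well-formed XML; they must be written as `&amp;` (`...?id=1838&amp;user=guest&amp;pass=guest`) or any XML parser consuming this file will reject it. The same applies to the rt.openssl.org URLs added further down for CVE-2009-1377, CVE-2009-1378 and CVE-2009-1379.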
<issue public="20090512">
<cve name="2009-1377"/>
+ <advisory url="https://rt.openssl.org/Ticket/Display.html?id=1930&user=guest&pass=guest"/>
+ <affects base="0.9.8" version="0.9.8"/>
+ <affects base="0.9.8" version="0.9.8a"/>
+ <affects base="0.9.8" version="0.9.8b"/>
+ <affects base="0.9.8" version="0.9.8c"/>
+ <affects base="0.9.8" version="0.9.8d"/>
+ <affects base="0.9.8" version="0.9.8e"/>
+ <affects base="0.9.8" version="0.9.8f"/>
+ <affects base="0.9.8" version="0.9.8g"/>
+ <affects base="0.9.8" version="0.9.8h"/>
+ <affects base="0.9.8" version="0.9.8i"/>
+ <affects base="0.9.8" version="0.9.8j"/>
+ <affects base="0.9.8" version="0.9.8k"/>
+ <affects base="0.9.8" version="0.9.8l"/>
+ <fixed base="0.9.8" version="0.9.8m" date="20100120">
+ <git hash="88b48dc68024dcc437da4296c9fb04419b0ccbe1"/>
+ </fixed>
+ <reported source="Daniel Mentz, Robin Seggelmann"/>
+ <description>
+Fix a denial of service flaw in the DTLS implementation.
+Records are buffered if they arrive with a future epoch to be
+processed after finishing the corresponding handshake. There is
+currently no limitation to this buffer allowing an attacker to perform
+a DOS attack to a DTLS server by sending records with future epochs until there is no
+memory left.
+ </description>
+ </issue>
+
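Review bot: the new `<description>` for CVE-2009-1377 needs a copy-edit before merge: "a DOS attack to a DTLS server" should read "a DoS attack against a DTLS server" (the file elsewhere uses "DoS"), and "There is currently no limitation to this buffer" describes the bug in the present tense although the entry records it as fixed in 0.9.8m, so past tense ("There was no limit on this buffer") matches the neighbouring entries. The description body is also flush-left while every other description in the file is indented; indent it to match.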
+ <issue public="20090512">
<cve name="2009-1378"/>
+ <advisory url="https://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest"/>
+ <affects base="0.9.8" version="0.9.8"/>
+ <affects base="0.9.8" version="0.9.8a"/>
+ <affects base="0.9.8" version="0.9.8b"/>
+ <affects base="0.9.8" version="0.9.8c"/>
+ <affects base="0.9.8" version="0.9.8d"/>
+ <affects base="0.9.8" version="0.9.8e"/>
+ <affects base="0.9.8" version="0.9.8f"/>
+ <affects base="0.9.8" version="0.9.8g"/>
+ <affects base="0.9.8" version="0.9.8h"/>
+ <affects base="0.9.8" version="0.9.8i"/>
+ <affects base="0.9.8" version="0.9.8j"/>
+ <affects base="0.9.8" version="0.9.8k"/>
+ <affects base="0.9.8" version="0.9.8l"/>
+ <fixed base="0.9.8" version="0.9.8m" date="20100120">
+ <git hash="abda7c114791fa7fe95672ec7a66fc4733c40dbc"/>
+ </fixed>
+ <reported source="Daniel Mentz, Robin Seggelmann"/>
+ <description>
+ Fix a denial of service flaw in the DTLS implementation.
+In dtls1_process_out_of_seq_message() the check if the current message
+is already buffered was missing. For every new message was memory
+allocated, allowing an attacker to perform an denial of service attack
+against a DTLS server by sending out of seq handshake messages until there is no memory
+left.
+ </description>
+ </issue>
+
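Review bot: the CVE-2009-1378 description has several grammar problems that should be fixed in this patch rather than later: "For every new message was memory allocated" should be "Memory was allocated for every new message", "an denial of service attack" should be "a denial of service attack", and "out of seq handshake messages" should be spelled out as "out-of-sequence handshake messages". As with the previous entry, only the first line of the body is indented; indent the whole block consistently.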
+ <issue public="20090512">
<cve name="2009-1379"/>
+ <advisory url="https://rt.openssl.org/Ticket/Display.html?id=1923&user=guest&pass=guest"/>
<affects base="0.9.8" version="0.9.8"/>
<affects base="0.9.8" version="0.9.8a"/>
<affects base="0.9.8" version="0.9.8b"/>
<affects base="0.9.8" version="0.9.8j"/>
<affects base="0.9.8" version="0.9.8k"/>
<affects base="0.9.8" version="0.9.8l"/>
- <fixed base="0.9.8" version="0.9.8m" date="20100120"/>
+ <fixed base="0.9.8" version="0.9.8m" date="20100120">
+ <git hash="561cbe567846a376153bea7f1f2d061e78029c2d"/>
+ </fixed>
<reported source="Daniel Mentz, Robin Seggelmann"/>
<description>
-Fix denial of service flaws in the DTLS implementation. A
-remote attacker could use these flaws to cause a DTLS server to use
-excessive amounts of memory, or crash.
+ Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment
+ function could cause a client accessing a malicious DTLS server to
+ crash.
</description>
</issue>
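Review bot: the replaced description changes the stated impact of CVE-2009-1379 from a server-side memory exhaustion ("cause a DTLS server to use excessive amounts of memory, or crash") to a client-side use-after-free in `dtls1_retrieve_buffered_fragment`; that is consistent with splitting the old three-CVE summary into per-CVE text, but the commit message should say so explicitly, and the advisory link (ticket 1923) should be checked to confirm it is the client crash and not one of the two server DoS issues now recorded separately above.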
<affects base="0.9.8" version="0.9.8j"/>
<affects base="0.9.8" version="0.9.8k"/>
<affects base="0.9.8" version="0.9.8l"/>
- <fixed base="0.9.8" version="0.9.8m" date="20100120"/>
+ <fixed base="0.9.8" version="0.9.8m" date="20100120">
+ <git hash="1b31b5ad560b16e2fe1cad54a755e3e6b5e778a3"/>
+ </fixed>
<reported source="Michael K Johnson and Andy Grimm (rPath)"/>
<description>
A memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c
<affects base="0.9.8" version="0.9.8j"/>
<affects base="0.9.8" version="0.9.8k"/>
<affects base="0.9.8" version="0.9.8l"/>
- <fixed base="0.9.8" version="0.9.8m" date="20100120"/>
+ <fixed base="0.9.8" version="0.9.8m" date="20100120">
+ <git hash="7e4cae1d2f555cbe9226b377aff4b56c9f7ddd4d"/>
+ </fixed>
<reported source="Martin Olsson, Neel Mehta"/>
<description>
It was discovered that OpenSSL did not always check the return value of the
<affects base="0.9.8" version="0.9.8k"/>
<affects base="0.9.8" version="0.9.8l"/>
<affects base="0.9.8" version="0.9.8m"/>
- <fixed base="0.9.8" version="0.9.8n" date="20100324"/>
+ <fixed base="0.9.8" version="0.9.8n" date="20100324">
+ <git hash="cca1cd9a3447dd067503e4a85ebd1679ee78a48e"/>
+ </fixed>
<reported source="Todd Rinaldo, Tomas Hoger (Red Hat)"/>
<description>
A missing return value check flaw was discovered in OpenSSL, that could
</issue>
<issue public="20140106">
- <cve name="2013-4353"/>
+ <cve name="2013-4353"/>
<affects base="1.0.1" version="1.0.1"/>
<affects base="1.0.1" version="1.0.1a"/>
<affects base="1.0.1" version="1.0.1b"/>
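Review bot: the `-`/`+` pair for `<cve name="2013-4353"/>` is identical in content, so this is a whitespace-only change (presumably indentation); that is fine if it is deliberate normalisation, but it should be mentioned in the commit message, otherwise it looks like a stray edit and makes `git blame` on this line point at an unrelated metadata commit.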
<issue public="20140214">
<cve name="2014-0076"/>
+ <advisory url="/news/secadv/20140605.txt"/>
<affects base="0.9.8" version="0.9.8"/>
<affects base="0.9.8" version="0.9.8a"/>
<affects base="0.9.8" version="0.9.8b"/>
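Review bot: the added `<advisory url="/news/secadv/20140605.txt"/>` for CVE-2014-0076 points at an advisory dated almost four months after this issue's `public="20140214"`; if the 20140605 advisory is the first one that formally lists this CVE that is acceptable, but please confirm there is no earlier advisory, since every other entry in this file links the advisory whose date matches the public date.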