### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
+ * Add support for AES Key Wrap inverse ciphers to the EVP layer.
+ The algorithms are:
+ "AES-128-WRAP-INV", "AES-192-WRAP-INV", "AES-256-WRAP-INV",
+ "AES-128-WRAP-PAD-INV", "AES-192-WRAP-PAD-INV" and "AES-256-WRAP-PAD-INV".
+ The inverse ciphers use AES decryption for wrapping, and
+ AES encryption for unwrapping.
+
+ *Shane Lontis*
+
+ * Deprecated EVP_PKEY_set1_tls_encodedpoint() and
+ EVP_PKEY_get1_tls_encodedpoint(). These functions were previously used by
+ libssl to set or get an encoded public key in/from an EVP_PKEY object. With
+ OpenSSL 3.0 these are replaced by the more generic functions
+ EVP_PKEY_set1_encoded_public_key() and EVP_PKEY_get1_encoded_public_key().
+ The old versions have been converted to deprecated macros that just call the
+ new functions.
+
+ *Matt Caswell*
+
+ * The security callback, which can be customised by application code, supports
+ the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY
+ in the "other" parameter. In most places this is what is passed. All these
+ places occur server side. However there was one client side call of this
+ security operation and it passed a DH object instead. This is incorrect
+ according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all
+ of the other locations. Therefore this client side call has been changed to
+ pass an EVP_PKEY instead.
+
+ *Matt Caswell*
+
+ * Add PKCS7_get_octet_string() and PKCS7_type_is_other() to the public
+ interface. Their functionality remains unchanged.
+
+ *Jordan Montgomery*
+
+ * Added new option for 'openssl list', '-providers', which will display the
+ list of loaded providers, their names, version and status. It optionally
+ displays their gettable parameters.
+
+ *Paul Dale*
+
+ * Deprecated EVP_PKEY_set_alias_type(). This function was previously
+ needed as a workaround to recognise SM2 keys. With OpenSSL 3.0, this key
+ type is internally recognised so the workaround is no longer needed.
+
+ Functionality is still retained as it is, but will only work with
+ EVP_PKEYs with a legacy internal key.
+
+ *Richard Levitte*
+
+ * Deprecated EVP_PKEY_CTX_set_rsa_keygen_pubexp() & introduced
+ EVP_PKEY_CTX_set1_rsa_keygen_pubexp(), which is now preferred.
+
+ *Jeremy Walch*
+
+ * Changed all "STACK" functions to be macros instead of inline functions. Macro
+ parameters are still checked for type safety at compile time via helper
+ inline functions.
+
+ *Matt Caswell*
+
* Remove the RAND_DRBG API
The RAND_DRBG API did not fit well into the new provider concept as
*Rich Salz and Richard Levitte*
- * Added a library context that applications as well as other
- libraries can use to form a separate context within which libcrypto
- operations are performed.
+ * Added a library context `OSSL_LIB_CTX` that applications as well as
+ other libraries can use to form a separate context within which
+ libcrypto operations are performed.
There are two ways this can be used:
such an argument, such as `EVP_CIPHER_fetch` and similar algorithm
fetching functions.
- Indirectly, by creating a new library context and then assigning
- it as the new default, with `OPENSSL_CTX_set0_default`.
+ it as the new default, with `OSSL_LIB_CTX_set0_default`.
- All public OpenSSL functions that take an `OPENSSL_CTX` pointer,
- apart from the functions directly related to `OPENSSL_CTX`, accept
+ All public OpenSSL functions that take an `OSSL_LIB_CTX` pointer,
+ apart from the functions directly related to `OSSL_LIB_CTX`, accept
NULL to indicate that the default library context should be used.
Library code that changes the default library context using
- `OPENSSL_CTX_set0_default` should take care to restore it with a
+ `OSSL_LIB_CTX_set0_default` should take care to restore it with a
second call before returning to the caller.
+ _(Note: the library context was initially called `OPENSSL_CTX` and
+ renamed to `OSSL_LIB_CTX` in version 3.0.0 alpha7.)_
+
*Richard Levitte*
* Handshake now fails if Extended Master Secret extension is dropped
*Paul Dale*
* The command line utilities genrsa and rsa have been modified to use PKEY
- APIs These commands are now in maintenance mode and no new features will
- be added to them.
+ APIs. They now write PKCS#8 keys by default. These commands are now in
+ maintenance mode and no new features will be added to them.
*Paul Dale*
have to re-use the DH512 private key, which is not recommended anyway.
Also applications directly using the low level API BN_mod_exp may be
affected if they use BN_FLG_CONSTTIME.
- [CVE-2019-1551][]
+ ([CVE-2019-1551])
*Andy Polyakov*
*Rich Salz*
- * Added documentation for the STACK API. OpenSSL only defines the STACK
- functions where they are used.
+ * Added documentation for the STACK API.
*Rich Salz*
- * Introduced a new method type and API, OSSL_SERIALIZER, to
- represent generic serializers. An implementation is expected to
- be able to serialize an object associated with a given name (such
+ * Introduced a new method type and API, OSSL_ENCODER, to
+ represent generic encoders. An implementation is expected to
+ be able to encode an object associated with a given name (such
as an algorithm name for an asymmetric key) into forms given by
implementation properties.
- Serializers are primarily used from inside libcrypto, through
+ Encoders are primarily used from inside libcrypto, through
calls to functions like EVP_PKEY_print_private(),
PEM_write_bio_PrivateKey() and similar.
- Serializers are specified in such a way that they can be made to
+ Encoders are specified in such a way that they can be made to
directly handle the provider side portion of an object, if this
- provider side part comes from the same provider as the serializer
+ provider side part comes from the same provider as the encoder
itself, but can also be made to handle objects in parametrized
form (as an OSSL_PARAM array of data). This allows a provider to
- offer generic serializers as a service for any other provider.
+ offer generic encoders as a service for any other provider.
*Richard Levitte*
*Richard Levitte*
* For built-in EC curves, ensure an EC_GROUP built from the curve name is
- used even when parsing explicit parameters, when loading a serialized key
+ used even when parsing explicit parameters, when loading a encoded key
or calling `EC_GROUP_new_from_ecpkparameters()`/
`EC_GROUP_new_from_ecparameters()`.
This prevents bypass of security hardening and performance gains,
especially for curves with specialized EC_METHODs.
By default, if a key encoded with explicit parameters is loaded and later
- serialized, the output is still encoded with explicit parameters, even if
+ encoded, the output is still encoded with explicit parameters, even if
internally a "named" EC_GROUP is used for computation.
*Nicola Tuveri*
this change, EC_GROUP_set_generator would accept order and/or cofactor as
NULL. After this change, only the cofactor parameter can be NULL. It also
does some minimal sanity checks on the passed order.
- [CVE-2019-1547][]
+ ([CVE-2019-1547])
*Billy Bob Brumley*
*Richard Levitte*
+ * Added the options `-crl_lastupdate` and `-crl_nextupdate` to `openssl ca`,
+ allowing the `lastUpdate` and `nextUpdate` fields in the generated CRL to
+ be set explicitly.
+
+ *Chris Novakovic*
+
* Added support for Linux Kernel TLS data-path. The Linux Kernel data-path
improves application performance by removing data copies and providing
applications with zero-copy system calls such as sendfile and splice.
OpenSSL 1.1.1
-------------
-### Changes between 1.1.1e and 1.1.1f [xx XXX xxxx]
+### Changes between 1.1.1h and 1.1.1i [xx XXX xxxx]
+
+ *
+
+### Changes between 1.1.1g and 1.1.1h [22 Sep 2020]
+
+ * Certificates with explicit curve parameters are now disallowed in
+ verification chains if the X509_V_FLAG_X509_STRICT flag is used.
+
+ *Tomas Mraz*
+
+ * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
+ ignore TLS protocol version bounds when configuring DTLS-based contexts, and
+ conversely, silently ignore DTLS protocol version bounds when configuring
+ TLS-based contexts. The commands can be repeated to set bounds of both
+ types. The same applies with the corresponding "min_protocol" and
+ "max_protocol" command-line switches, in case some application uses both TLS
+ and DTLS.
+
+ SSL_CTX instances that are created for a fixed protocol version (e.g.
+ TLSv1_server_method()) also silently ignore version bounds. Previously
+ attempts to apply bounds to these protocol versions would result in an
+ error. Now only the "version-flexible" SSL_CTX instances are subject to
+ limits in configuration files in command-line options.
+
+ *Viktor Dukhovni*
+
+ * Handshake now fails if Extended Master Secret extension is dropped
+ on renegotiation.
+
+ *Tomas Mraz*
+
+ * The Oracle Developer Studio compiler will start reporting deprecated APIs
+
+### Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
+
+ * Fixed segmentation fault in SSL_check_chain()
+ Server or client applications that call the SSL_check_chain() function
+ during or after a TLS 1.3 handshake may crash due to a NULL pointer
+ dereference as a result of incorrect handling of the
+ "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
+ or unrecognised signature algorithm is received from the peer. This could
+ be exploited by a malicious peer in a Denial of Service attack.
+ ([CVE-2020-1967])
+
+ *Benjamin Kaduk*
+
+ * Added AES consttime code for no-asm configurations
+ an optional constant time support for AES was added
+ when building openssl for no-asm.
+ Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
+ Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
+ At this time this feature is by default disabled.
+ It will be enabled by default in 3.0.
+
+ *Bernd Edlinger*
+
+### Changes between 1.1.1e and 1.1.1f [31 Mar 2020]
+
+ * Revert the change of EOF detection while reading in libssl to avoid
+ regressions in applications depending on the current way of reporting
+ the EOF. As the existing method is not fully accurate the change to
+ reporting the EOF via SSL_ERROR_SSL is kept on the current development
+ branch and will be present in the 3.0 release.
+
+ *Tomas Mraz*
+
+ * Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
+ when primes for RSA keys are computed.
+ Since we previously always generated primes == 2 (mod 3) for RSA keys,
+ the 2-prime and 3-prime RSA modules were easy to distinguish, since
+ N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting
+ 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
+ This avoids possible fingerprinting of newly generated RSA modules.
+
+ *Bernd Edlinger*
### Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
If an application already calls OPENSSL_init_crypto() explicitly using
OPENSSL_INIT_ATFORK then this problem does not occur at all.
- [CVE-2019-1549][]
+ ([CVE-2019-1549])
*Matthias St. Pierre*
* For built-in EC curves, ensure an EC_GROUP built from the curve name is
- used even when parsing explicit parameters, when loading a serialized key
+ used even when parsing explicit parameters, when loading a encoded key
or calling `EC_GROUP_new_from_ecpkparameters()`/
`EC_GROUP_new_from_ecparameters()`.
This prevents bypass of security hardening and performance gains,
especially for curves with specialized EC_METHODs.
By default, if a key encoded with explicit parameters is loaded and later
- serialized, the output is still encoded with explicit parameters, even if
+ encoded, the output is still encoded with explicit parameters, even if
internally a "named" EC_GROUP is used for computation.
*Nicola Tuveri*
this change, EC_GROUP_set_generator would accept order and/or cofactor as
NULL. After this change, only the cofactor parameter can be NULL. It also
does some minimal sanity checks on the passed order.
- [CVE-2019-1547][]
+ ([CVE-2019-1547])
*Billy Bob Brumley*
certifiate is not given and all recipientInfo are tried out.
The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.
- [CVE-2019-1563][]
+ ([CVE-2019-1563])
*Bernd Edlinger*
Mingw isn't a POSIX environment per se, which means that Windows
paths should be used for installation.
- [CVE-2019-1552][]
+ ([CVE-2019-1552])
*Richard Levitte*
This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
Greef of Ronomon.
- [CVE-2019-1543][]
+ ([CVE-2019-1543])
*Matt Caswell*
algorithm to recover the private key.
This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
- [CVE-2018-0734][]
+ ([CVE-2018-0734])
*Paul Dale*
algorithm to recover the private key.
This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
- [CVE-2018-0735][]
+ ([CVE-2018-0735])
*Paul Dale*
### Changes between 1.1.0k and 1.1.0l [10 Sep 2019]
* For built-in EC curves, ensure an EC_GROUP built from the curve name is
- used even when parsing explicit parameters, when loading a serialized key
+ used even when parsing explicit parameters, when loading a encoded key
or calling `EC_GROUP_new_from_ecpkparameters()`/
`EC_GROUP_new_from_ecparameters()`.
This prevents bypass of security hardening and performance gains,
especially for curves with specialized EC_METHODs.
By default, if a key encoded with explicit parameters is loaded and later
- serialized, the output is still encoded with explicit parameters, even if
+ encoded, the output is still encoded with explicit parameters, even if
internally a "named" EC_GROUP is used for computation.
*Nicola Tuveri*
this change, EC_GROUP_set_generator would accept order and/or cofactor as
NULL. After this change, only the cofactor parameter can be NULL. It also
does some minimal sanity checks on the passed order.
- [CVE-2019-1547][]
+ ([CVE-2019-1547])
*Billy Bob Brumley*
certifiate is not given and all recipientInfo are tried out.
The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.
- [CVE-2019-1563][]
+ ([CVE-2019-1563])
*Bernd Edlinger*
Mingw isn't a POSIX environment per se, which means that Windows
paths should be used for installation.
- [CVE-2019-1552][]
+ ([CVE-2019-1552])
*Richard Levitte*
This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
Greef of Ronomon.
- [CVE-2019-1543][]
+ ([CVE-2019-1543])
*Matt Caswell*
algorithm to recover the private key.
This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
- [CVE-2018-0734][]
+ ([CVE-2018-0734])
*Paul Dale*
algorithm to recover the private key.
This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
- [CVE-2018-0735][]
+ ([CVE-2018-0735])
*Paul Dale*
could be exploited in a Denial Of Service attack.
This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
- [CVE-2018-0732][]
+ ([CVE-2018-0732])
*Guido Vranken*
This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
- [CVE-2018-0737][]
+ ([CVE-2018-0737])
*Billy Brumley*
This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
project.
- [CVE-2018-0739][]
+ ([CVE-2018-0739])
*Matt Caswell*
This issue was reported to OpenSSL on 2nd March 2018 by Peter Waltenberg
(IBM).
- [CVE-2018-0733][]
+ ([CVE-2018-0733])
*Andy Polyakov*
This issue was reported to OpenSSL by David Benjamin (Google). The issue
was originally found via the OSS-Fuzz project.
- [CVE-2017-3738][]
+ ([CVE-2017-3738])
*Andy Polyakov*
like Intel Broadwell (5th generation) and later or AMD Ryzen.
This issue was reported to OpenSSL by the OSS-Fuzz project.
- [CVE-2017-3736][]
+ ([CVE-2017-3736])
*Andy Polyakov*
would be an erroneous display of the certificate in text format.
This issue was reported to OpenSSL by the OSS-Fuzz project.
- [CVE-2017-3735][]
+ ([CVE-2017-3735])
*Rich Salz*
and servers are affected.
This issue was reported to OpenSSL by Joe Orton (Red Hat).
- [CVE-2017-3733][]
+ ([CVE-2017-3733])
*Matt Caswell*
perform an out-of-bounds read, usually resulting in a crash.
This issue was reported to OpenSSL by Robert Święcki of Google.
- [CVE-2017-3731][]
+ ([CVE-2017-3731])
*Andy Polyakov*
of Service attack.
This issue was reported to OpenSSL by Guido Vranken.
- [CVE-2017-3730][]
+ ([CVE-2017-3730])
*Matt Caswell*
similar to CVE-2015-3193 but must be treated as a separate problem.
This issue was reported to OpenSSL by the OSS-Fuzz project.
- [CVE-2017-3732][]
+ ([CVE-2017-3732])
*Andy Polyakov*
crash. This issue is not considered to be exploitable beyond a DoS.
This issue was reported to OpenSSL by Robert Święcki (Google Security Team)
- [CVE-2016-7054][]
+ ([CVE-2016-7054])
*Richard Levitte*
affected.
This issue was reported to OpenSSL by Tyler Nighswander of ForAllSecure.
- [CVE-2016-7053][]
+ ([CVE-2016-7053])
*Stephen Henson*
This issue was publicly reported as transient failures and was not
initially recognized as a security issue. Thanks to Richard Morgan for
providing reproducible case.
- [CVE-2016-7055][]
+ ([CVE-2016-7055])
*Andy Polyakov*
This issue only affects OpenSSL 1.1.0a.
This issue was reported to OpenSSL by Robert Święcki.
- [CVE-2016-6309][]
+ ([CVE-2016-6309])
*Matt Caswell*
the "no-ocsp" build time option are not affected.
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
- [CVE-2016-6304][]
+ ([CVE-2016-6304])
*Matt Caswell*
Denial Of Service attack.
This issue was reported to OpenSSL by Alex Gaynor.
- [CVE-2016-6305][]
+ ([CVE-2016-6305])
*Matt Caswell*
*Andy Polyakov*
- * To mitigate the SWEET32 attack [CVE-2016-2183][], 3DES cipher suites
+ * To mitigate the SWEET32 attack ([CVE-2016-2183]), 3DES cipher suites
have been disabled by default and removed from DEFAULT, just like RC4.
See the RC4 item below to re-enable both.
* Deprecate SRP_VBASE_get_by_user.
SRP_VBASE_get_by_user had inconsistent memory management behaviour.
- In order to fix an unavoidable memory leak [CVE-2016-0798][],
+ In order to fix an unavoidable memory leak ([CVE-2016-0798]),
SRP_VBASE_get_by_user was changed to ignore the "fake user" SRP
seed, even if the seed is configured.
Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
- preparing the fix [CVE-2014-0160][]
+ preparing the fix ([CVE-2014-0160])
*Adam Langley, Bodo Moeller*
<http://eprint.iacr.org/2014/140>
Thanks to Yuval Yarom and Naomi Benger for discovering this
- flaw and to Yuval Yarom for supplying a fix [CVE-2014-0076][]
+ flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
*Yuval Yarom and Naomi Benger*
### Changes between 1.0.2s and 1.0.2t [10 Sep 2019]
* For built-in EC curves, ensure an EC_GROUP built from the curve name is
- used even when parsing explicit parameters, when loading a serialized key
+ used even when parsing explicit parameters, when loading a encoded key
or calling `EC_GROUP_new_from_ecpkparameters()`/
`EC_GROUP_new_from_ecparameters()`.
This prevents bypass of security hardening and performance gains,
especially for curves with specialized EC_METHODs.
By default, if a key encoded with explicit parameters is loaded and later
- serialized, the output is still encoded with explicit parameters, even if
+ encoded, the output is still encoded with explicit parameters, even if
internally a "named" EC_GROUP is used for computation.
*Nicola Tuveri*
this change, EC_GROUP_set_generator would accept order and/or cofactor as
NULL. After this change, only the cofactor parameter can be NULL. It also
does some minimal sanity checks on the passed order.
- [CVE-2019-1547][]
+ ([CVE-2019-1547])
*Billy Bob Brumley*
certifiate is not given and all recipientInfo are tried out.
The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.
- [CVE-2019-1563][]
+ ([CVE-2019-1563])
*Bernd Edlinger*
'/usr/local/ssl' is an unsafe prefix for location to install OpenSSL
binaries and run-time config file.
- [CVE-2019-1552][]
+ ([CVE-2019-1552])
*Richard Levitte*
This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod
Aviram, with additional investigation by Steven Collison and Andrew
Hourselt. It was reported to OpenSSL on 10th December 2018.
- [CVE-2019-1559][]
+ ([CVE-2019-1559])
*Matt Caswell*
This issue was reported to OpenSSL on 26th October 2018 by Alejandro
Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and
Nicola Tuveri.
- [CVE-2018-5407][]
+ ([CVE-2018-5407])
*Billy Brumley*
algorithm to recover the private key.
This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
- [CVE-2018-0734][]
+ ([CVE-2018-0734])
*Paul Dale*
could be exploited in a Denial Of Service attack.
This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
- [CVE-2018-0732][]
+ ([CVE-2018-0732])
*Guido Vranken*
This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
- [CVE-2018-0737][]
+ ([CVE-2018-0737])
*Billy Brumley*
This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
project.
- [CVE-2018-0739][]
+ ([CVE-2018-0739])
*Matt Caswell*
already received a fatal error.
This issue was reported to OpenSSL by David Benjamin (Google).
- [CVE-2017-3737][]
+ ([CVE-2017-3737])
*Matt Caswell*
This issue was reported to OpenSSL by David Benjamin (Google). The issue
was originally found via the OSS-Fuzz project.
- [CVE-2017-3738][]
+ ([CVE-2017-3738])
*Andy Polyakov*
like Intel Broadwell (5th generation) and later or AMD Ryzen.
This issue was reported to OpenSSL by the OSS-Fuzz project.
- [CVE-2017-3736][]
+ ([CVE-2017-3736])
*Andy Polyakov*
would be an erroneous display of the certificate in text format.
This issue was reported to OpenSSL by the OSS-Fuzz project.
- [CVE-2017-3735][]
+ ([CVE-2017-3735])
*Rich Salz*
perform an out-of-bounds read, usually resulting in a crash.
This issue was reported to OpenSSL by Robert Święcki of Google.
- [CVE-2017-3731][]
+ ([CVE-2017-3731])
*Andy Polyakov*
similar to CVE-2015-3193 but must be treated as a separate problem.
This issue was reported to OpenSSL by the OSS-Fuzz project.
- [CVE-2017-3732][]
+ ([CVE-2017-3732])
*Andy Polyakov*
This issue was publicly reported as transient failures and was not
initially recognized as a security issue. Thanks to Richard Morgan for
providing reproducible case.
- [CVE-2016-7055][]
+ ([CVE-2016-7055])
*Andy Polyakov*
CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
This issue only affects the OpenSSL 1.0.2i
- [CVE-2016-7052][]
+ ([CVE-2016-7052])
*Matt Caswell*
the "no-ocsp" build time option are not affected.
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
- [CVE-2016-6304][]
+ ([CVE-2016-6304])
*Matt Caswell*
This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan
Leurent (INRIA)
- [CVE-2016-2183][]
+ ([CVE-2016-2183])
*Rich Salz*
on most platforms.
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
- [CVE-2016-6303][]
+ ([CVE-2016-6303])
*Stephen Henson*
a custom server callback and ticket lookup mechanism.
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
- [CVE-2016-6302][]
+ ([CVE-2016-6302])
*Stephen Henson*
record limits will reject an oversized certificate before it is parsed.
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
- [CVE-2016-2182][]
+ ([CVE-2016-2182])
*Stephen Henson*
presented.
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
- [CVE-2016-2180][]
+ ([CVE-2016-2180])
*Stephen Henson*
values of len that are too big and therefore p + len < limit.
This issue was reported to OpenSSL by Guido Vranken
- [CVE-2016-2177][]
+ ([CVE-2016-2177])
*Matt Caswell*
This issue was reported by César Pereida (Aalto University), Billy Brumley
(Tampere University of Technology), and Yuval Yarom (The University of
Adelaide and NICTA).
- [CVE-2016-2178][]
+ ([CVE-2016-2178])
*César Pereida*
attacker could cause a DoS attack through memory exhaustion.
This issue was reported to OpenSSL by Quan Luo.
- [CVE-2016-2179][]
+ ([CVE-2016-2179])
*Matt Caswell*
service for a specific DTLS connection.
This issue was reported to OpenSSL by the OCAP audit team.
- [CVE-2016-2181][]
+ ([CVE-2016-2181])
*Matt Caswell*
against a client or a server which enables client authentication.
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
- [CVE-2016-6306][]
+ ([CVE-2016-6306])
*Stephen Henson*
AES-NI.
This issue was introduced as part of the fix for Lucky 13 padding
- attack [CVE-2013-0169][]. The padding check was rewritten to be in
+ attack ([CVE-2013-0169]). The padding check was rewritten to be in
constant time by making sure that always the same bytes are read and
compared against either the MAC or padding bytes. But it no longer
checked that there was enough data to have both the MAC and padding
bytes.
This issue was reported by Juraj Somorovsky using TLS-Attacker.
- [CVE-2016-2107][]
+ ([CVE-2016-2107])
*Kurt Roeckx*
with large amounts of untrusted data may also be vulnerable.
This issue was reported by Guido Vranken.
- [CVE-2016-2105][]
+ ([CVE-2016-2105])
*Matt Caswell*
instances in internal usage where an overflow could occur.
This issue was reported by Guido Vranken.
- [CVE-2016-2106][]
+ ([CVE-2016-2106])
*Matt Caswell*
applications are not affected.
This issue was reported by Brian Carpenter.
- [CVE-2016-2109][]
+ ([CVE-2016-2109])
*Stephen Henson*
in arbitrary stack data being returned in the buffer.
This issue was reported by Guido Vranken.
- [CVE-2016-2176][]
+ ([CVE-2016-2176])
*Matt Caswell*
server variants, SSLv2 ciphers vulnerable to exhaustive search key
recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
ciphers, and SSLv2 56-bit DES are no longer available.
- [CVE-2016-0800][]
+ ([CVE-2016-0800])
*Viktor Dukhovni*
This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using
libFuzzer.
- [CVE-2016-0705][]
+ ([CVE-2016-0705])
*Stephen Henson*
credentials, this behaviour is not constant time and no strong
guarantees are made that the handshake is indistinguishable from
that of a valid user.
- [CVE-2016-0798][]
+ ([CVE-2016-0798])
*Emilia Käsper*
consequences. This is also anticipated to be rare.
This issue was reported to OpenSSL by Guido Vranken.
- [CVE-2016-0797][]
+ ([CVE-2016-0797])
*Matt Caswell*
trigger these issues because of message size limits enforced within libssl.
This issue was reported to OpenSSL Guido Vranken.
- [CVE-2016-0799][]
+ ([CVE-2016-0799])
*Matt Caswell*
Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
Nadia Heninger, University of Pennsylvania with more information at
<http://cachebleed.info>.
- [CVE-2016-0702][]
+ ([CVE-2016-0702])
*Andy Polyakov*
default and cannot be disabled. This could have some performance impact.
This issue was reported to OpenSSL by Antonio Sanso (Adobe).
- [CVE-2016-0701][]
+ ([CVE-2016-0701])
*Matt Caswell*
This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
and Sebastian Schinzel.
- [CVE-2015-3197][]
+ ([CVE-2015-3197])
*Viktor Dukhovni*
default in OpenSSL DHE based SSL/TLS ciphersuites.
This issue was reported to OpenSSL by Hanno Böck.
- [CVE-2015-3193][]
+ ([CVE-2015-3193])
*Andy Polyakov*
authentication.
This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
- [CVE-2015-3194][]
+ ([CVE-2015-3194])
*Stephen Henson*
This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
libFuzzer.
- [CVE-2015-3195][]
+ ([CVE-2015-3195])
*Stephen Henson*
client authentication enabled.
This issue was reported to OpenSSL by Joseph Barr-Pixton.
- [CVE-2015-1788][]
+ ([CVE-2015-1788])
*Andy Polyakov*
This issue was reported to OpenSSL by Robert Swiecki (Google), and
independently by Hanno Böck.
- [CVE-2015-1789][]
+ ([CVE-2015-1789])
*Emilia Käsper*
servers are not affected.
This issue was reported to OpenSSL by Michal Zalewski (Google).
- [CVE-2015-1790][]
+ ([CVE-2015-1790])
*Emilia Käsper*
denial of service against any system which verifies signedData messages using
the CMS code.
This issue was reported to OpenSSL by Johannes Bauer.
- [CVE-2015-1792][]
+ ([CVE-2015-1792])
*Stephen Henson*
If a NewSessionTicket is received by a multi-threaded client when attempting to
reuse a previous ticket then a race condition can occur potentially leading to
a double free of the ticket data.
- [CVE-2015-1791][]
+ ([CVE-2015-1791])
*Matt Caswell*
This issue was was reported to OpenSSL by David Ramos of Stanford
University.
- [CVE-2015-0291][]
+ ([CVE-2015-0291])
*Stephen Henson and Matt Caswell*
fault will be triggered, thus enabling a potential DoS attack.
This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller.
- [CVE-2015-0290][]
+ ([CVE-2015-0290])
*Matt Caswell*
server.
This issue was reported to OpenSSL by Per Allansson.
- [CVE-2015-0207][]
+ ([CVE-2015-0207])
*Matt Caswell*
certificate verification operation and exploited in a DoS attack. Any
application which performs certificate verification is vulnerable including
OpenSSL clients and servers which enable client authentication.
- [CVE-2015-0286][]
+ ([CVE-2015-0286])
*Stephen Henson*
OpenSSL clients and servers which enable client authentication.
This issue was was reported to OpenSSL by Brian Carpenter.
- [CVE-2015-0208][]
+ ([CVE-2015-0208])
*Stephen Henson*
components may be affected. Certificate parsing (d2i_X509 and related
functions) are however not affected. OpenSSL clients and servers are
not affected.
- [CVE-2015-0287][]
+ ([CVE-2015-0287])
*Stephen Henson*
affected. OpenSSL clients and servers are not affected.
This issue was reported to OpenSSL by Michal Zalewski (Google).
- [CVE-2015-0289][]
+ ([CVE-2015-0289])
*Emilia Käsper*
This issue was discovered by Sean Burford (Google) and Emilia Käsper
(OpenSSL development team).
- [CVE-2015-0293][]
+ ([CVE-2015-0293])
*Emilia Käsper*
If client auth is used then a server can seg fault in the event of a DHE
ciphersuite being selected and a zero length ClientKeyExchange message
being sent by the client. This could be exploited in a DoS attack.
- [CVE-2015-1787][]
+ ([CVE-2015-1787])
*Matt Caswell*
succeed on an unpatched platform:
openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
- [CVE-2015-0285][]
+ ([CVE-2015-0285])
*Matt Caswell*
This issue was discovered by the BoringSSL project and fixed in their
commit 517073cd4b.
- [CVE-2015-0209][]
+ ([CVE-2015-0209])
*Matt Caswell*
the certificate key is invalid. This function is rarely used in practice.
This issue was discovered by Brian Carpenter.
- [CVE-2015-0288][]
+ ([CVE-2015-0288])
*Stephen Henson*
the "no-ocsp" build time option are not affected.
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
- [CVE-2016-6304][]
+ ([CVE-2016-6304])
*Matt Caswell*
This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan
Leurent (INRIA)
- [CVE-2016-2183][]
+ ([CVE-2016-2183])
*Rich Salz*
on most platforms.
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
- [CVE-2016-6303][]
+ ([CVE-2016-6303])
*Stephen Henson*
a custom server callback and ticket lookup mechanism.
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
- [CVE-2016-6302][]
+ ([CVE-2016-6302])
*Stephen Henson*
record limits will reject an oversized certificate before it is parsed.
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
- [CVE-2016-2182][]
+ ([CVE-2016-2182])
*Stephen Henson*
presented.
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
- [CVE-2016-2180][]
+ ([CVE-2016-2180])
*Stephen Henson*
values of len that are too big and therefore p + len < limit.
This issue was reported to OpenSSL by Guido Vranken
- [CVE-2016-2177][]
+ ([CVE-2016-2177])
*Matt Caswell*
This issue was reported by César Pereida (Aalto University), Billy Brumley
(Tampere University of Technology), and Yuval Yarom (The University of
Adelaide and NICTA).
- [CVE-2016-2178][]
+ ([CVE-2016-2178])
*César Pereida*
attacker could cause a DoS attack through memory exhaustion.
This issue was reported to OpenSSL by Quan Luo.
- [CVE-2016-2179][]
+ ([CVE-2016-2179])
*Matt Caswell*
service for a specific DTLS connection.
This issue was reported to OpenSSL by the OCAP audit team.
- [CVE-2016-2181][]
+ ([CVE-2016-2181])
*Matt Caswell*
against a client or a server which enables client authentication.
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
- [CVE-2016-6306][]
+ ([CVE-2016-6306])
*Stephen Henson*
AES-NI.
This issue was introduced as part of the fix for Lucky 13 padding
- attack [CVE-2013-0169][]. The padding check was rewritten to be in
+ attack ([CVE-2013-0169]). The padding check was rewritten to be in
constant time by making sure that always the same bytes are read and
compared against either the MAC or padding bytes. But it no longer
checked that there was enough data to have both the MAC and padding
bytes.
This issue was reported by Juraj Somorovsky using TLS-Attacker.
- [CVE-2016-2107][]
+ ([CVE-2016-2107])
*Kurt Roeckx*
with large amounts of untrusted data may also be vulnerable.
This issue was reported by Guido Vranken.
- [CVE-2016-2105][]
+ ([CVE-2016-2105])
*Matt Caswell*
instances in internal usage where an overflow could occur.
This issue was reported by Guido Vranken.
- [CVE-2016-2106][]
+ ([CVE-2016-2106])
*Matt Caswell*
applications are not affected.
This issue was reported by Brian Carpenter.
- [CVE-2016-2109][]
+ ([CVE-2016-2109])
*Stephen Henson*
in arbitrary stack data being returned in the buffer.
This issue was reported by Guido Vranken.
- [CVE-2016-2176][]
+ ([CVE-2016-2176])
*Matt Caswell*
server variants, SSLv2 ciphers vulnerable to exhaustive search key
recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
ciphers, and SSLv2 56-bit DES are no longer available.
- [CVE-2016-0800][]
+ ([CVE-2016-0800])
*Viktor Dukhovni*
This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using
libFuzzer.
- [CVE-2016-0705][]
+ ([CVE-2016-0705])
*Stephen Henson*
credentials, this behaviour is not constant time and no strong
guarantees are made that the handshake is indistinguishable from
that of a valid user.
- [CVE-2016-0798][]
+ ([CVE-2016-0798])
*Emilia Käsper*
consequences. This is also anticipated to be rare.
This issue was reported to OpenSSL by Guido Vranken.
- [CVE-2016-0797][]
+ ([CVE-2016-0797])
*Matt Caswell*
trigger these issues because of message size limits enforced within libssl.
This issue was reported to OpenSSL Guido Vranken.
- [CVE-2016-0799][]
+ ([CVE-2016-0799])
*Matt Caswell*
Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
Nadia Heninger, University of Pennsylvania with more information at
<http://cachebleed.info>.
- [CVE-2016-0702][]
+ ([CVE-2016-0702])
*Andy Polyakov*
This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
and Sebastian Schinzel.
- [CVE-2015-3197][]
+ ([CVE-2015-3197])
*Viktor Dukhovni*
authentication.
This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
- [CVE-2015-3194][]
+ ([CVE-2015-3194])
*Stephen Henson*
This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
libFuzzer.
- [CVE-2015-3195][]
+ ([CVE-2015-3195])
*Stephen Henson*
This issue was reported to OpenSSL by Adam Langley/David Benjamin
(Google/BoringSSL).
- [CVE-2015-1793][]
+ ([CVE-2015-1793])
*Matt Caswell*
the values are wrongly updated in the parent SSL_CTX structure. This can
result in a race condition potentially leading to a double free of the
identify hint data.
- [CVE-2015-3196][]
+ ([CVE-2015-3196])
*Stephen Henson*
client authentication enabled.
This issue was reported to OpenSSL by Joseph Barr-Pixton.
- [CVE-2015-1788][]
+ ([CVE-2015-1788])
*Andy Polyakov*
This issue was reported to OpenSSL by Robert Swiecki (Google), and
independently by Hanno Böck.
- [CVE-2015-1789][]
+ ([CVE-2015-1789])
*Emilia Käsper*
servers are not affected.
This issue was reported to OpenSSL by Michal Zalewski (Google).
- [CVE-2015-1790][]
+ ([CVE-2015-1790])
*Emilia Käsper*
denial of service against any system which verifies signedData messages using
the CMS code.
This issue was reported to OpenSSL by Johannes Bauer.
- [CVE-2015-1792][]
+ ([CVE-2015-1792])
*Stephen Henson*
If a NewSessionTicket is received by a multi-threaded client when attempting to
reuse a previous ticket then a race condition can occur potentially leading to
a double free of the ticket data.
- [CVE-2015-1791][]
+ ([CVE-2015-1791])
*Matt Caswell*
certificate verification operation and exploited in a DoS attack. Any
application which performs certificate verification is vulnerable including
OpenSSL clients and servers which enable client authentication.
- [CVE-2015-0286][]
+ ([CVE-2015-0286])
*Stephen Henson*
components may be affected. Certificate parsing (d2i_X509 and related
functions) are however not affected. OpenSSL clients and servers are
not affected.
- [CVE-2015-0287][]
+ ([CVE-2015-0287])
*Stephen Henson*
affected. OpenSSL clients and servers are not affected.
This issue was reported to OpenSSL by Michal Zalewski (Google).
- [CVE-2015-0289][]
+ ([CVE-2015-0289])
*Emilia Käsper*
This issue was discovered by Sean Burford (Google) and Emilia Käsper
(OpenSSL development team).
- [CVE-2015-0293][]
+ ([CVE-2015-0293])
*Emilia Käsper*
This issue was discovered by the BoringSSL project and fixed in their
commit 517073cd4b.
- [CVE-2015-0209][]
+ ([CVE-2015-0209])
*Matt Caswell*
the certificate key is invalid. This function is rarely used in practice.
This issue was discovered by Brian Carpenter.
- [CVE-2015-0288][]
+ ([CVE-2015-0288])
*Stephen Henson*
message can cause a segmentation fault in OpenSSL due to a NULL pointer
dereference. This could lead to a Denial Of Service attack. Thanks to
Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
- [CVE-2014-3571][]
+ ([CVE-2014-3571])
*Steve Henson*
sequence number but for the next epoch. The memory leak could be exploited
by an attacker in a Denial of Service attack through memory exhaustion.
Thanks to Chris Mueller for reporting this issue.
- [CVE-2015-0206][]
+ ([CVE-2015-0206])
*Matt Caswell*
built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
method would be set to NULL which could later result in a NULL pointer
dereference. Thanks to Frank Schmirler for reporting this issue.
- [CVE-2014-3569][]
+ ([CVE-2014-3569])
*Kurt Roeckx*
Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
reporting this issue.
- [CVE-2014-3572][]
+ ([CVE-2014-3572])
*Steve Henson*
downgrade the RSA key length used to a value smaller than the server
certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
INRIA or reporting this issue.
- [CVE-2015-0204][]
+ ([CVE-2015-0204])
*Steve Henson*
containing DH keys: these are extremely rare and hardly ever encountered.
Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
this issue.
- [CVE-2015-0205][]
+ ([CVE-2015-0205])
*Steve Henson*
Further analysis was conducted and fixes were developed by Stephen Henson
of the OpenSSL core team.
- [CVE-2014-8275][]
+ ([CVE-2014-8275])
*Steve Henson*
fix. Further analysis was conducted by the OpenSSL development team and
Adam Langley of Google. The final fix was developed by Andy Polyakov of
the OpenSSL core team.
- [CVE-2014-3570][]
+ ([CVE-2014-3570])
*Andy Polyakov*
have been compiled with OPENSSL_NO_SRTP defined are not affected.
The fix was developed by the OpenSSL team.
- [CVE-2014-3513][]
+ ([CVE-2014-3513])
*OpenSSL team*
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack.
- [CVE-2014-3567][]
+ ([CVE-2014-3567])
*Steve Henson*
When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.
- [CVE-2014-3568][]
+ ([CVE-2014-3568])
*Akamai and the OpenSSL team*
* Add support for TLS_FALLBACK_SCSV.
Client applications doing fallback retries should call
SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
- [CVE-2014-3566][]
+ ([CVE-2014-3566])
*Adam Langley, Bodo Moeller*
Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
Group for discovering this issue.
- [CVE-2014-3512][]
+ ([CVE-2014-3512])
*Steve Henson*
Thanks to David Benjamin and Adam Langley (Google) for discovering and
researching this issue.
- [CVE-2014-3511][]
+ ([CVE-2014-3511])
*David Benjamin*
Thanks to Felix Gröbert (Google) for discovering and researching this
issue.
- [CVE-2014-3510][]
+ ([CVE-2014-3510])
*Emilia Käsper*
* By sending carefully crafted DTLS packets an attacker could cause openssl
to leak memory. This can be exploited through a Denial of Service attack.
Thanks to Adam Langley for discovering and researching this issue.
- [CVE-2014-3507][]
+ ([CVE-2014-3507])
*Adam Langley*
processing DTLS handshake messages. This can be exploited through a
Denial of Service attack.
Thanks to Adam Langley for discovering and researching this issue.
- [CVE-2014-3506][]
+ ([CVE-2014-3506])
*Adam Langley*
can be exploited through a Denial of Service attack.
Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
this issue.
- [CVE-2014-3505][]
+ ([CVE-2014-3505])
*Adam Langley*
Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
issue.
- [CVE-2014-3509][]
+ ([CVE-2014-3509])
*Gabor Tyukasz*
Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
discovering and researching this issue.
- [CVE-2014-5139][]
+ ([CVE-2014-5139])
*Steve Henson*
output to the attacker.
Thanks to Ivan Fratric (Google) for discovering this issue.
- [CVE-2014-3508][]
+ ([CVE-2014-3508])
*Emilia Käsper, and Steve Henson*
SSL/TLS clients and servers.
Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
- researching this issue. [CVE-2014-0224][]
+ researching this issue. ([CVE-2014-0224])
*KIKUCHI Masashi, Steve Henson*
in a DoS attack.
Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
- [CVE-2014-0221][]
+ ([CVE-2014-0221])
*Imre Rad, Steve Henson*
client or server. This is potentially exploitable to run arbitrary
code on a vulnerable client or server.
- Thanks to Jüri Aedla for reporting this issue. [CVE-2014-0195][]
+ Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
*Jüri Aedla, Steve Henson*
are subject to a denial of service attack.
Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
- this issue. [CVE-2014-3470][]
+ this issue. ([CVE-2014-3470])
*Felix Gröbert, Ivan Fratric, Steve Henson*
Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
- preparing the fix [CVE-2014-0160][]
+ preparing the fix ([CVE-2014-0160])
*Adam Langley, Bodo Moeller*
<http://eprint.iacr.org/2014/140>
Thanks to Yuval Yarom and Naomi Benger for discovering this
- flaw and to Yuval Yarom for supplying a fix [CVE-2014-0076][]
+ flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
*Yuval Yarom and Naomi Benger*
* Fix for TLS record tampering bug. A carefully crafted invalid
handshake could crash OpenSSL with a NULL pointer exception.
Thanks to Anton Johansson for reporting this issues.
- [CVE-2013-4353][]
+ ([CVE-2013-4353])
* Keep original DTLS digest and encryption contexts in retransmission
structures so we can use the previous session parameters if they need
- to be resent. [CVE-2013-6450][]
+ to be resent. ([CVE-2013-6450])
*Steve Henson*
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
Emilia Käsper for the initial patch.
- [CVE-2013-0169][]
+ ([CVE-2013-0169])
*Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson*
Thanks go to and to Adam Langley <agl@chromium.org> for discovering
and detecting this bug and to Wolfgang Ettlinger
<wolfgang.ettlinger@gmail.com> for independently discovering this issue.
- [CVE-2012-2686][]
+ ([CVE-2012-2686])
*Adam Langley*
* Return an error when checking OCSP signatures when key is NULL.
- This fixes a DoS attack. [CVE-2013-0166][]
+ This fixes a DoS attack. ([CVE-2013-0166])
*Steve Henson*
Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.
- [CVE-2012-2333][]
+ ([CVE-2012-2333])
*Steve Henson*
Thanks to Tavis Ormandy, Google Security Team, for discovering this
issue and to Adam Langley <agl@chromium.org> for fixing it.
- [CVE-2012-2110][]
+ ([CVE-2012-2110])
*Adam Langley (Google), Tavis Ormandy, Google Security Team*
This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
libFuzzer.
- [CVE-2015-3195][]
+ ([CVE-2015-3195])
*Stephen Henson*
the values are wrongly updated in the parent SSL_CTX structure. This can
result in a race condition potentially leading to a double free of the
identify hint data.
- [CVE-2015-3196][]
+ ([CVE-2015-3196])
*Stephen Henson*
client authentication enabled.
This issue was reported to OpenSSL by Joseph Barr-Pixton.
- [CVE-2015-1788][]
+ ([CVE-2015-1788])
*Andy Polyakov*
This issue was reported to OpenSSL by Robert Swiecki (Google), and
independently by Hanno Böck.
- [CVE-2015-1789][]
+ ([CVE-2015-1789])
*Emilia Käsper*
servers are not affected.
This issue was reported to OpenSSL by Michal Zalewski (Google).
- [CVE-2015-1790][]
+ ([CVE-2015-1790])
*Emilia Käsper*
denial of service against any system which verifies signedData messages using
the CMS code.
This issue was reported to OpenSSL by Johannes Bauer.
- [CVE-2015-1792][]
+ ([CVE-2015-1792])
*Stephen Henson*
If a NewSessionTicket is received by a multi-threaded client when attempting to
reuse a previous ticket then a race condition can occur potentially leading to
a double free of the ticket data.
- [CVE-2015-1791][]
+ ([CVE-2015-1791])
*Matt Caswell*
certificate verification operation and exploited in a DoS attack. Any
application which performs certificate verification is vulnerable including
OpenSSL clients and servers which enable client authentication.
- [CVE-2015-0286][]
+ ([CVE-2015-0286])
*Stephen Henson*
components may be affected. Certificate parsing (d2i_X509 and related
functions) are however not affected. OpenSSL clients and servers are
not affected.
- [CVE-2015-0287][]
+ ([CVE-2015-0287])
*Stephen Henson*
affected. OpenSSL clients and servers are not affected.
This issue was reported to OpenSSL by Michal Zalewski (Google).
- [CVE-2015-0289][]
+ ([CVE-2015-0289])
*Emilia Käsper*
This issue was discovered by Sean Burford (Google) and Emilia Käsper
(OpenSSL development team).
- [CVE-2015-0293][]
+ ([CVE-2015-0293])
*Emilia Käsper*
This issue was discovered by the BoringSSL project and fixed in their
commit 517073cd4b.
- [CVE-2015-0209][]
+ ([CVE-2015-0209])
*Matt Caswell*
the certificate key is invalid. This function is rarely used in practice.
This issue was discovered by Brian Carpenter.
- [CVE-2015-0288][]
+ ([CVE-2015-0288])
*Stephen Henson*
message can cause a segmentation fault in OpenSSL due to a NULL pointer
dereference. This could lead to a Denial Of Service attack. Thanks to
Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
- [CVE-2014-3571][]
+ ([CVE-2014-3571])
*Steve Henson*
sequence number but for the next epoch. The memory leak could be exploited
by an attacker in a Denial of Service attack through memory exhaustion.
Thanks to Chris Mueller for reporting this issue.
- [CVE-2015-0206][]
+ ([CVE-2015-0206])
*Matt Caswell*
built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
method would be set to NULL which could later result in a NULL pointer
dereference. Thanks to Frank Schmirler for reporting this issue.
- [CVE-2014-3569][]
+ ([CVE-2014-3569])
*Kurt Roeckx*
Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
reporting this issue.
- [CVE-2014-3572][]
+ ([CVE-2014-3572])
*Steve Henson*
downgrade the RSA key length used to a value smaller than the server
certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
INRIA or reporting this issue.
- [CVE-2015-0204][]
+ ([CVE-2015-0204])
*Steve Henson*
containing DH keys: these are extremely rare and hardly ever encountered.
Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
this issue.
- [CVE-2015-0205][]
+ ([CVE-2015-0205])
*Steve Henson*
fix. Further analysis was conducted by the OpenSSL development team and
Adam Langley of Google. The final fix was developed by Andy Polyakov of
the OpenSSL core team.
- [CVE-2014-3570][]
+ ([CVE-2014-3570])
*Andy Polyakov*
Further analysis was conducted and fixes were developed by Stephen Henson
of the OpenSSL core team.
- [CVE-2014-8275][]
+ ([CVE-2014-8275])
*Steve Henson*
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack.
- [CVE-2014-3567][]
+ ([CVE-2014-3567])
*Steve Henson*
When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.
- [CVE-2014-3568][]
+ ([CVE-2014-3568])
*Akamai and the OpenSSL team*
* Add support for TLS_FALLBACK_SCSV.
Client applications doing fallback retries should call
SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
- [CVE-2014-3566][]
+ ([CVE-2014-3566])
*Adam Langley, Bodo Moeller*
Thanks to Felix Gröbert (Google) for discovering and researching this
issue.
- [CVE-2014-3510][]
+ ([CVE-2014-3510])
*Emilia Käsper*
* By sending carefully crafted DTLS packets an attacker could cause openssl
to leak memory. This can be exploited through a Denial of Service attack.
Thanks to Adam Langley for discovering and researching this issue.
- [CVE-2014-3507][]
+ ([CVE-2014-3507])
*Adam Langley*
processing DTLS handshake messages. This can be exploited through a
Denial of Service attack.
Thanks to Adam Langley for discovering and researching this issue.
- [CVE-2014-3506][]
+ ([CVE-2014-3506])
*Adam Langley*
can be exploited through a Denial of Service attack.
Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
this issue.
- [CVE-2014-3505][]
+ ([CVE-2014-3505])
*Adam Langley*
Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
issue.
- [CVE-2014-3509][]
+ ([CVE-2014-3509])
*Gabor Tyukasz*
output to the attacker.
Thanks to Ivan Fratric (Google) for discovering this issue.
- [CVE-2014-3508][]
+ ([CVE-2014-3508])
*Emilia Käsper, and Steve Henson*
SSL/TLS clients and servers.
Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
- researching this issue. [CVE-2014-0224][]
+ researching this issue. ([CVE-2014-0224])
*KIKUCHI Masashi, Steve Henson*
in a DoS attack.
Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
- [CVE-2014-0221][]
+ ([CVE-2014-0221])
*Imre Rad, Steve Henson*
client or server. This is potentially exploitable to run arbitrary
code on a vulnerable client or server.
- Thanks to Jüri Aedla for reporting this issue. [CVE-2014-0195][]
+ Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
*Jüri Aedla, Steve Henson*
are subject to a denial of service attack.
Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
- this issue. [CVE-2014-3470][]
+ this issue. ([CVE-2014-3470])
*Felix Gröbert, Ivan Fratric, Steve Henson*
<http://eprint.iacr.org/2014/140>
Thanks to Yuval Yarom and Naomi Benger for discovering this
- flaw and to Yuval Yarom for supplying a fix [CVE-2014-0076][]
+ flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
*Yuval Yarom and Naomi Benger*
* Keep original DTLS digest and encryption contexts in retransmission
structures so we can use the previous session parameters if they need
- to be resent. [CVE-2013-6450][]
+ to be resent. ([CVE-2013-6450])
*Steve Henson*
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
Emilia Käsper for the initial patch.
- [CVE-2013-0169][]
+ ([CVE-2013-0169])
*Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson*
* Return an error when checking OCSP signatures when key is NULL.
- This fixes a DoS attack. [CVE-2013-0166][]
+ This fixes a DoS attack. ([CVE-2013-0166])
*Steve Henson*
Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.
- [CVE-2012-2333][]
+ ([CVE-2012-2333])
*Steve Henson*
Thanks to Tavis Ormandy, Google Security Team, for discovering this
issue and to Adam Langley <agl@chromium.org> for fixing it.
- [CVE-2012-2110][]
+ ([CVE-2012-2110])
*Adam Langley (Google), Tavis Ormandy, Google Security Team*
CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
an MMA defence is not necessary.
Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
- this issue. [CVE-2012-0884][]
+ this issue. ([CVE-2012-0884])
*Steve Henson*
* Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
Thanks to Antonio Martin, Enterprise Secure Access Research and
Development, Cisco Systems, Inc. for discovering this bug and
- preparing a fix. [CVE-2012-0050][]
+ preparing a fix. ([CVE-2012-0050])
*Antonio Martin*
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
<seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
- for preparing the fix. [CVE-2011-4108][]
+ for preparing the fix. ([CVE-2011-4108])
*Robin Seggelmann, Michael Tuexen*
* Clear bytes used for block padding of SSL 3.0 records.
- [CVE-2011-4576][]
+ ([CVE-2011-4576])
*Adam Langley (Google)*
* Only allow one SGC handshake restart for SSL/TLS. Thanks to George
Kadianakis <desnacked@gmail.com> for discovering this issue and
- Adam Langley for preparing the fix. [CVE-2011-4619][]
+ Adam Langley for preparing the fix. ([CVE-2011-4619])
*Adam Langley (Google)*
- * Check parameters are not NULL in GOST ENGINE. [CVE-2012-0027][]
+ * Check parameters are not NULL in GOST ENGINE. ([CVE-2012-0027])
*Andrey Kulikov <amdeich@gmail.com>*
* Prevent malformed RFC3779 data triggering an assertion failure.
Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
- and Rob Austein <sra@hactrn.net> for fixing it. [CVE-2011-4577][]
+ and Rob Austein <sra@hactrn.net> for fixing it. ([CVE-2011-4577])
*Rob Austein <sra@hactrn.net>*
### Changes between 1.0.0d and 1.0.0e [6 Sep 2011]
* Fix bug where CRLs with nextUpdate in the past are sometimes accepted
- by initialising X509_STORE_CTX properly. [CVE-2011-3207][]
+ by initialising X509_STORE_CTX properly. ([CVE-2011-3207])
*Kaspar Brand <ossl@velox.ch>*
* Fix SSL memory handling for (EC)DH ciphersuites, in particular
- for multi-threaded use of ECDH. [CVE-2011-3210][]
+ for multi-threaded use of ECDH. ([CVE-2011-3210])
*Adam Langley (Google)*
### Changes between 1.0.0 and 1.0.0a [01 Jun 2010]
* Check return value of int_rsa_verify in pkey_rsa_verifyrecover
- [CVE-2010-1633][]
+ ([CVE-2010-1633])
*Steve Henson, Peter-Michael Hager <hager@dortmund.net>*
- OpenSSL 0.9.8f if 'short' is longer than 16 bits,
the previous behavior could result in a read attempt at NULL when
receiving specific incorrect SSL/TLS records once record payload
- protection is active. [CVE-2010-0740][]
+ protection is active. ([CVE-2010-0740])
*Bodo Moeller, Adam Langley <agl@chromium.org>*
### Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
- * Always check bn_wexpand() return values for failure. [CVE-2009-3245][]
+ * Always check bn_wexpand() return values for failure. ([CVE-2009-3245])
*Martin Olsson, Neel Mehta*
left. Additionally every future message was buffered, even if the
sequence number made no sense and would be part of another handshake.
So only messages with sequence numbers less than 10 in advance will be
- buffered. [CVE-2009-1378][]
+ buffered. ([CVE-2009-1378])
*Robin Seggelmann, discovered by Daniel Mentz*
a DOS attack with sending records with future epochs until there is no
memory left. This patch adds the pqueue_size() function to determine
the size of a buffer and limits the record buffer to 100 entries.
- [CVE-2009-1377][]
+ ([CVE-2009-1377])
*Robin Seggelmann, discovered by Daniel Mentz*
* Keep a copy of frag->msg_header.frag_len so it can be used after the
- parent structure is freed. [CVE-2009-1379][]
+ parent structure is freed. ([CVE-2009-1379])
*Daniel Mentz*
### Changes between 0.9.8k and 0.9.8l [5 Nov 2009]
* Disable renegotiation completely - this fixes a severe security
- problem [CVE-2009-3555][] at the cost of breaking all
+ problem ([CVE-2009-3555]) at the cost of breaking all
renegotiation. Renegotiation can be re-enabled by setting
SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
run-time. This is really not recommended unless you know what
* Don't set val to NULL when freeing up structures, it is freed up by
underlying code. If `sizeof(void *) > sizeof(long)` this can result in
- zeroing past the valid field. [CVE-2009-0789][]
+ zeroing past the valid field. ([CVE-2009-0789])
*Paolo Ganci <Paolo.Ganci@AdNovum.CH>*
* Fix bug where return value of CMS_SignerInfo_verify_content() was not
checked correctly. This would allow some invalid signed attributes to
- appear to verify correctly. [CVE-2009-0591][]
+ appear to verify correctly. ([CVE-2009-0591])
*Ivan Nestlerode <inestlerode@us.ibm.com>*
* Reject UniversalString and BMPString types with invalid lengths. This
prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
- a legal length. [CVE-2009-0590][]
+ a legal length. ([CVE-2009-0590])
*Steve Henson*
### Changes between 0.9.8i and 0.9.8j [07 Jan 2009]
* Properly check EVP_VerifyFinal() and similar return values
- [CVE-2008-5077][].
+ ([CVE-2008-5077]).
*Ben Laurie, Bodo Moeller, Google Security Team*
### Changes between 0.9.8h and 0.9.8i [15 Sep 2008]
* Fix NULL pointer dereference if a DTLS server received
- ChangeCipherSpec as first record [CVE-2009-1386][].
+ ChangeCipherSpec as first record ([CVE-2009-1386]).
*PR #1679*
* Fix flaw if 'Server Key exchange message' is omitted from a TLS
handshake which could lead to a client crash as found using the
- Codenomicon TLS test suite [CVE-2008-1672][]
+ Codenomicon TLS test suite ([CVE-2008-1672])
*Steve Henson, Mark Cox*
* Fix double free in TLS server name extensions which could lead to
- a remote crash found by Codenomicon TLS test suite [CVE-2008-0891][]
+ a remote crash found by Codenomicon TLS test suite ([CVE-2008-0891])
*Joe Orton*
* Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
not complete and could lead to a possible single byte overflow
- [CVE-2007-5135][] [Ben Laurie]
+ ([CVE-2007-5135]) [Ben Laurie]
### Changes between 0.9.8d and 0.9.8e [23 Feb 2007]
### Changes between 0.9.8c and 0.9.8d [28 Sep 2006]
* Introduce limits to prevent malicious keys being able to
- cause a denial of service. [CVE-2006-2940][]
+ cause a denial of service. ([CVE-2006-2940])
*Steve Henson, Bodo Moeller*
* Fix ASN.1 parsing of certain invalid structures that can result
- in a denial of service. [CVE-2006-2937][] [Steve Henson]
+ in a denial of service. ([CVE-2006-2937]) [Steve Henson]
* Fix buffer overflow in SSL_get_shared_ciphers() function.
- [CVE-2006-3738][] [Tavis Ormandy and Will Drewry, Google Security Team]
+ ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
* Fix SSL client code which could crash if connecting to a
- malicious SSLv2 server. [CVE-2006-4343][]
+ malicious SSLv2 server. ([CVE-2006-4343])
*Tavis Ormandy and Will Drewry, Google Security Team*
### Changes between 0.9.8b and 0.9.8c [05 Sep 2006]
* Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
- [CVE-2006-4339][] [Ben Laurie and Google Security Team]
+ ([CVE-2006-4339]) [Ben Laurie and Google Security Team]
* Add AES IGE and biIGE modes.
(part of SSL_OP_ALL). This option used to disable the
countermeasure against man-in-the-middle protocol-version
rollback in the SSL 2.0 server implementation, which is a bad
- idea. [CVE-2005-2969][]
+ idea. ([CVE-2005-2969])
*Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
for Information Security, National Institute of Advanced Industrial
### Changes between 0.9.7k and 0.9.7l [28 Sep 2006]
* Introduce limits to prevent malicious keys being able to
- cause a denial of service. [CVE-2006-2940][]
+ cause a denial of service. ([CVE-2006-2940])
*Steve Henson, Bodo Moeller*
* Fix ASN.1 parsing of certain invalid structures that can result
- in a denial of service. [CVE-2006-2937][] [Steve Henson]
+ in a denial of service. ([CVE-2006-2937]) [Steve Henson]
* Fix buffer overflow in SSL_get_shared_ciphers() function.
- [CVE-2006-3738][] [Tavis Ormandy and Will Drewry, Google Security Team]
+ ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
* Fix SSL client code which could crash if connecting to a
- malicious SSLv2 server. [CVE-2006-4343][]
+ malicious SSLv2 server. ([CVE-2006-4343])
*Tavis Ormandy and Will Drewry, Google Security Team*
### Changes between 0.9.7j and 0.9.7k [05 Sep 2006]
* Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
- [CVE-2006-4339][] [Ben Laurie and Google Security Team]
+ ([CVE-2006-4339]) [Ben Laurie and Google Security Team]
* Change the Unix randomness entropy gathering to use poll() when
possible instead of select(), since the latter has some
(part of SSL_OP_ALL). This option used to disable the
countermeasure against man-in-the-middle protocol-version
rollback in the SSL 2.0 server implementation, which is a bad
- idea. [CVE-2005-2969][]
+ idea. ([CVE-2005-2969])
*Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
for Information Security, National Institute of Advanced Industrial
### Changes between 0.9.7c and 0.9.7d [17 Mar 2004]
* Fix null-pointer assignment in do_change_cipher_spec() revealed
- by using the Codenomicon TLS Test Tool [CVE-2004-0079][]
+ by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
*Joe Orton, Steve Henson*
* Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites
- [CVE-2004-0112][]
+ ([CVE-2004-0112])
*Joe Orton, Steve Henson*
Stop out of bounds reads in the ASN1 code when presented with
invalid tags (CVE-2003-0543 and CVE-2003-0544).
- Free up ASN1_TYPE correctly if ANY type is invalid [CVE-2003-0545][].
+ Free up ASN1_TYPE correctly if ANY type is invalid ([CVE-2003-0545]).
If verify callback ignores invalid public key errors don't try to check
certificate signature with the NULL public key.
via timing by performing a MAC computation even if incorrect
block cipher padding has been found. This is a countermeasure
against active attacks where the attacker has to distinguish
- between bad padding and a MAC verification error. [CVE-2003-0078][]
+ between bad padding and a MAC verification error. ([CVE-2003-0078])
*Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
Remote buffer overflow in SSL3 protocol - an attacker could
supply an oversized master key in Kerberos-enabled versions.
- [CVE-2002-0657][]
+ ([CVE-2002-0657])
*Ben Laurie (CHATS)*
### Changes between 0.9.6l and 0.9.6m [17 Mar 2004]
* Fix null-pointer assignment in do_change_cipher_spec() revealed
- by using the Codenomicon TLS Test Tool [CVE-2004-0079][]
+ by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
*Joe Orton, Steve Henson*
* Fix additional bug revealed by the NISCC test suite:
Stop bug triggering large recursion when presented with
- certain ASN.1 tags [CVE-2003-0851][]
+ certain ASN.1 tags ([CVE-2003-0851])
*Steve Henson*
via timing by performing a MAC computation even if incorrect
block cipher padding has been found. This is a countermeasure
against active attacks where the attacker has to distinguish
- between bad padding and a MAC verification error. [CVE-2003-0078][]
+ between bad padding and a MAC verification error. ([CVE-2003-0078])
*Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
* Add various sanity checks to asn1_get_length() to reject
the ASN1 length bytes if they exceed sizeof(long), will appear
negative or the content length exceeds the length of the
- supplied buffer. [CVE-2002-0659][]
+ supplied buffer. ([CVE-2002-0659])
*Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>*
*Ben Laurie (CHATS)*
* Various temporary buffers to hold ASCII versions of integers were
- too small for 64 bit platforms. [CVE-2002-0655][]
+ too small for 64 bit platforms. ([CVE-2002-0655])
*Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>*
* Remote buffer overflow in SSL3 protocol - an attacker could
- supply an oversized session ID to a client. [CVE-2002-0656][]
+ supply an oversized session ID to a client. ([CVE-2002-0656])
*Ben Laurie (CHATS)*
* Remote buffer overflow in SSL2 protocol - an attacker could
- supply an oversized client master key. [CVE-2002-0656][]
+ supply an oversized client master key. ([CVE-2002-0656])
*Ben Laurie (CHATS)*
<!-- Links -->
+[CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967
[CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563
[CVE-2019-1559]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1559
[CVE-2019-1552]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1552
projects / openssl.git / blobdiff