OpenSSL Vulnerabilities

Updated 05/29/24

Impact

A remote attacker could execute arbitrary commands, cause a buffer overflow, bypass security, disclose potentially sensitive information, or create a denial of service.

Background

OpenSSL is an open-source implementation of the Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols including an all-purpose cryptography library. It is commonly used by Apache web server modules such as mod_ssl to implement secure web sessions.

The Problems


OpenSSL Security Advisory for 28 May 2024

05/29/24
CVE 2024-4741
The Security Advisory for May 28, 2024 announced a low severity severity. Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations. However, only applications that directly call the SSL_free_buffers function are affected by this issue. Applications that do not call this function are not vulnerable.


OpenSSL Security Advisory for 16 May 2024

05/17/24
CVE 2024-4603
The Security Advisory for May 16, 2024 announced an excessive time spent checking DSA keys and parameters. An application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.


OpenSSL Security Advisory for 8 April 2024

04/08/24
CVE 2024-2511
The Security Advisory for April 8, 2024 announced a potential denial-of-service vulnerability. In a server which supports TLSv1.3 with the SSL_OP_NO_TICKET option, the session cache can get into an incorrect state and fail to flush properly, leading to unbounded memory growth. OpenSSL 1.1.1 prior to 1.1.1y, 3.0 prior to 3.0.14, 3.1 prior to 3.1.6, and 3.2 prior to 3.2.2 are affected by this vulnerability.


OpenSSL Security Advisory for 25 January 2024

01/25/24
CVE 2024-0727
The Security Advisory for January 25, 2024 announced a low severity vulnerability. Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack.


OpenSSL Security Advisory for 9 January 2024

02/05/24
CVE 2023-6129
The Security Advisory for January 9, 2024 announced a low severity vulnerability. The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences.


OpenSSL Security Advisory for 6 November 2023

11/06/23
CVE 2023-5678
The Security Advisory for 6 November 2023 announced that a fixed has been made in a possible denial of service vulnerability. Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.


OpenSSL Security Advisory for 24 October 2023

10/24/23
CVE 2023-5363
OpenSSL Security Advisory for 24 October 2023 announced that a bug has been identified in the processing of key and initialization vector (IV) lengths. This can lead to potential truncation or overruns during the initialization of some symmetric ciphers which could result in loss of confidentiality for some cipher modes.


OpenSSL Security Advisory for 8 September 2023

09/11/23
CVE 2023-4807
The 8 September 2023 Security Update fixed a denial of service vulnerability. The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions. If in an application that uses the OpenSSL library an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences.


Excessive time spent checking DH keys and q parameter values

07/31/23
CVE 2023-3446
CVE 2023-3817
Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters which resulted in two vulnerabilities. First, an application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. Second, a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p.


OpenSSL Security Advisory for 14 July 2023

07/17/23
CVE 2023-2975
The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence. Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be misled by removing, adding or reordering such empty entries as these are ignored by the OpenSSL implementation.


OpenSSL Security Advisory for 30 May 2023

05/30/23
CVE 2023-2650
The 30 May 2023 Security Advisory for OpenSSL fixed a denial of service vulnerability. Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service.


OpenSSL Security Advisory for 20 April 2023

04/20/23
CVE 2023-1255
The 20 April 2023 Security Advisory for OpenSSL fixed an input buffer over-read in AES-XTS implementation on 64 bit ARM which could lead to a crash.


OpenSSL Security Advisory for 28 March 2023

03/28/23
CVE 2023-0465
CVE 2023-0466
OpenSSL Security Advisory for 28 March 2023 announced fixes for two vulnerabilities. Firstly, applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Secondly, implementation of the function X509_VERIFY_PARAM_add0_policy is not enabled when doing certificate verification.


OpenSSL Security Advisory for 22 March 2023

03/22/23
CVE 2023-0464
A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the "-policy" argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies() function.


OpenSSL Security Advisory for 07 February 2023

02/07/23
CVE 2022-4203
CVE 2022-4304
CVE 2022-4450
CVE 2023-0215
CVE 2023-0216
CVE 2023-0217
CVE 2023-0286
CVE 2023-0401
OpenSSL Security Advisory for 07 February 2023 announced fixes for eight vulnerabilities:


X.509 Policy Constraints Double Locking

02/06/23
CVE 2022-3996
If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup.


OpenSSL Security Advisory for 01 November 2022

11/01/22
CVE 2022-3602
CVE 2022-3786
OpenSSL Security Advisory for 01 November 2022 announced fixes for two buffer overflows that can be triggered in X.509 certificate verification, specifically in name constraint checking. These vulnerabilities could result in crash causing a denial of service condition.


OpenSSL Security Advisory for 11 October 2022

10/11/22
CVE 2022-3358
OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom cipher with NID_undef may lead to NULL encryption. Note: Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialization function.


OpenSSL Security Advisory for 05 July 2022

07/05/22
CVE 2022-2097
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed.


OpenSSL Security Advisory for 22 June 2022

07/05/22
CVE 2022-2274
The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation.


OpenSSL Security Advisory for 21 June 2022

06/23/22
CVE 2022-2068
OpenSSL 1.0.2zf, 1.1.1p, and 3.0.4 fixed a command injection in c_rehash due to incomplete fixed in CVE-2022-1292 where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool.


OpenSSL Security Advisory for 03 March 2022

05/05/22
CVE 2022-1292
CVE 2022-1343
CVE 2022-1434
CVE 2022-1473
OpenSSL Security Advisory for 03 March 2022 addressed multiple vulnerabilities:


OpenSSL Security Advisory for 15 March 2022

03/15/22
CVE 2022-0778
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.


OpenSSL Security Advisory for 28 January 2022

03/15/22
CVE 2021-4160
There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701.


OpenSSL Security Advisory for 14 December 2021

03/15/22
CVE 2021-4044
Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour.


OpenSSL Security Advisory for 24 August 2021

08/25/21
CVE 2021-3711
CVE 2021-3712
OpenSSL Security Advisory for 24 August 2021 addressed two vulnerabilities. First, there is an SM2 decryption buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small which could cause the application to crash. Second, a read buffer overruns processing ASN.1 strings could result in a crash or disclosure of private memory contents (such as private keys, or sensitive plaintext).


OpenSSL Security Advisory for 25 March 2021

03/25/21
CVE 2021-3449
CVE 2021-3450
OpenSSL version 1.1.1k addressed two vulnerabilities. First, an OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client due to NULL pointer dereference in signature_algorithms processing. Second, a security problem in the implementation of CA certificate check with X509_V_FLAG_X509_STRICT flag.


OpenSSL Security Advisory for 16 February 2021

02/16/21
CVE 2021-23839
CVE 2021-23840
CVE 2021-23841
OpenSSL Security Advisory for 16 February 2021 addressed multiple denial of service vulnerabilities:


OpenSSL Security Advisory for 08 December 2020

12/08/20
CVE 2020-1971
OpenSSL Security Advisory for 08 December 2020 addressed a denial of service vulnerability. The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack.


OpenSSL Security Advisory for 21 September 2020

09/21/20
CVE 2020-1968
OpenSSL versions before 1.1.1 can reuse a pre-master secret from a static DH ciphersuite. This could permit an attacker to decipher said pre-master secret, and would allow that attacker to eavesdrop on encrypted communications over TLS connections.


OpenSSL Security Advisory for 21 April 2020

04/21/20
CVE 2020-1967
Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognized signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.


OpenSSL Security Advisory for 6 December 2019

01/06/20
CVE 2019-1551
There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME.


OpenSSL Security Advisory for September 2019 fixed multiple vulnerabilities

09/12/19
CVE 2019-1547
CVE 2019-1549
CVE 2019-1563
OpenSSL Security Advisory for September 2019 fixed multiple vulnerabilities:


OpenSSL OPENSSLDIR privilege elevation vulnerability (CVE-2019-1552)

07/31/19
CVE 2019-1552
OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time.


OpenSSL ChaCha20-Poly1305 with long nonces vulnerability

03/11/19
CVE 2019-1543
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce.


OpenSSL 0-byte record padding oracle vulnerability

02/27/19
CVE 2019-1559
OpenSSL 1.0.2 prior to 1.0.2r is vulnerable to a 0-byte record padding oracle attack which could allow a remote attacker to decrypt data passing over the network. Note: In order for this to be exploitable "non-stitched" ciphersuites must be in use. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway).


OpenSSL on SMT/Hyper-Threading architectures side-channel vulnerability

11/14/18
CVE 2018-5407
OpenSSL prior to 1.1.0i is vulnerable to a timing side channel attack. The vulnerability exists due to flaws on SMT/Hyper-Threading architectures.


OpenSSL signature algorithm vulnerabilities

10/29/18
CVE 2018-0734
CVE 2018-0735
OpenSSL 1.0.2 and prior to 1.0.2q, 1.1.0 and prior to 1.1.0j, and 1.1.1 and prior to 1.1.1a are vulnerable to a timing side channel attack. The vulnerabilities exist due to flaws in OpenSSL DSA and ECDSA signature algorithm. An attacker could use variations in the signing algorithm to recover the private key.


OpenSSL Client Denial of Service Vulnerability

06/12/18
CVE 2018-0732
OpenSSL 1.1.0h and prior and OpenSSL 1.0.2o and prior are prone to denial of service attack. The vulnerability exists due to a long wait in generating a key during key agreement in a TLS handshake using a DH(E) based ciphersuite when a very large prime value is sent to the client.


OpenSSL Cache timing vulnerability in RSA Key Generation

04/17/18
CVE 2018-0737
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key.


Two vulnerabilities fixed in OpenSSL 1.1.0h

03/27/18
CVE 2018-0733
CVE 2018-0739
OpenSSL fixed two vulnerabilities:


Two vulnerabilities fixed in OpenSSL 1.0.2n

12/08/17
CVE 2017-3737
CVE 2017-3738
OpenSSL fixed two vulnerabilities. First, OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. However, due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. The vulnerability could let a remote user to obtain potentially sensitive information. Second, there is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. In certain situations, the vulnerability could let a remote user to possibly obtain information about a private key. No EC algorithms are affected. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation).


Two vulnerabilities fixed in OpenSSL 1.0.2m and 1.1.0g

11/02/17
CVE 2017-3735
CVE 2017-3736
OpenSSL prior to 1.0.2m and 1.1.0 and prior to 1.1.0g, are prone to two vulnerabilities. CVE-2017-3735, was previously announced in August but the update did not include in a release due to its low severity. The two vulnerabilities are the following:


Vulnerability in Encrypt-Then-Mac renegotiation fixed in OpenSSL

02/17/17
CVE 2017-3733
OpenSSL 1.0.1 and prior, 1.1.0 and prior to 1.1.0e, are prone to denial of service attack. The vulnerability exists due to a flaw in Encrypt-Then-Mac extension negotiation. Note: This vulnerability does not affect OpenSSL version 1.0.2.


Multiple vulnerabilities fixed in OpenSSL Security Advisory 20170126

01/26/17
CVE 2017-3730
CVE 2017-3731
CVE 2017-3732
Multiple vulnerabilities were fixed in the following:


OpenSSL ECDSA P-256 timing attack key recovery vulnerability

01/10/17
CVE 2016-7056
OpenSSL versions 1.0.1u and prior are prone to privilege elevation vulnerability. The vulnerability exists due to a flaw in the signing function in crypto/ecdsa/ecdsa_ossl.c resulting in a cache-timing attack vulnerability. A malicious user with local access can recover ECDSA P-256 private keys.


OpenSSL Security Advisory 20161110

11/10/16
CVE 2016-7053
CVE 2016-7054
CVE 2016-7055
OpenSSL version 1.1.0c fixed multiple vulnerabilities. The two vulnerabilities could result in denial of service attack, due to CMS Null dereference and ChaCha20/Poly1305 heap-buffer-overflow. The other vulnerability may produce incorrect results due to flaw in Montgomery multiplication.


OpenSSL Security Advisory 20160922

09/26/16
CVE 2016-2180 CVE 2016-6302 CVE 2016-6303 CVE 2016-6304 CVE 2016-6305 CVE 2016-6306 CVE 2016-6307 CVE 2016-6308 CVE 2016-6309
CVE 2016-7052
Multiple vulnerabilities were fixed in the following:


OpenSSL Triple-DES Cipher Block Collision Vulnerability

08/26/16
CVE 2016-2183
OpenSSL is prone to a vulnerability called "SWEET32" attack. Since triple-DES (DES) has only a 64-bit block size, it is possible to send enough traffic to cause a cipher collision, and then use that information to recover some valuable secrets such as HTTP cookies and passwords.


BN_bn2dec() vulnerability in OpenSSL

08/25/16
CVE 2016-2182
OpenSSL is prone to denial of service attack. The vulnerability exists due to an out of bounds write in BN_bn2dec() in "crypto/bn/bn_print.c".


OpenSSL DTLS replay protection bypass causing denial of service

08/25/16
CVE 2016-2181
OpenSSL is prone to denial of service attack. The vulnerability exists because of the flaw in DTLS replay protection when doing handshake/renegotiation. The vulnerability could be exploited by sending a record for the next epoch (which does not have to decrypt or have a valid MAC), with a very large sequence number causing valid packets to be dropped by the target system.


OpenSSL DTLS buffered messages denial of service vulnerability

08/25/16
CVE 2016-2179
OpenSSL is prone to denial of service attack by memory exhaustion. The vulnerability exists due to the way the DTLS handles out of order record delivery. A remote attacker can open simultaneous connections and fill up the queue by sending specially crafted large messages which are never going to be used.


OpenSSL non-constant time codepath vulnerability

06/30/16
CVE 2016-2178
The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.


OpenSSL integer overflow vulnerability

06/29/16
CVE 2016-2177
OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.


OpenSSL Security Advisory 20160503

05/03/16
CVE 2016-2105
CVE 2016-2106
CVE 2016-2107
CVE 2016-2108
CVE 2016-2109
CVE 2016-2176
Multiple vulnerabilities were fixed in the following:


Multiple Vulnerabilities Fixed in OpenSSL 1.0.2g and 1.0.1s

03/15/16
CVE 2016-0702
CVE 2016-0703
CVE 2016-0704
CVE 2016-0705
CVE 2016-0797
CVE 2016-0798
CVE 2016-0799
CVE 2016-0800
CVE 2016-2842
Multiple vulnerabilities were fixed in the following:


Two vulnerabilities fixed in OpenSSL 1.0.2f and 1.0.1r

01/28/16
CVE 2015-3197
CVE 2016-0701


Multiple Vulnerabilities Fixed in OpenSSL 1.0.2e, 1.0.1q, 1.0.0t, and 0.9.8zh

12/03/15
CVE 2015-3193
CVE 2015-3194
CVE 2015-3195
CVE 2015-3196
Multiple vulnerabilities were fixed in the following:


Alternative chains certificate forgery

07/09/15
CVE 2015-1793
OpenSSL prior to 1.0.1p and 1.0.2d is affected by a security-bypass vulnerability. The vulnerability exists due to a flaw in certificate verification. The vulnerability could cause certain checks on untrusted certificates to be bypassed.


Multiple Vulnerabilities Fixed in OpenSSL 1.0.2b, 1.0.1n, 1.0.0s, and 0.9.8zg

06/12/15
CVE 2015-1788
CVE 2015-1789
CVE 2015-1790
CVE 2015-1791
CVE 2015-1792
CVE 2015-4000
OpenSSL versions prior to 0.9.8zg, 1.0.0s, 1.0.1n, and 1.0.2b are affected by multiple vulnerabilities, including a DHE man-in-the-middle attack (Logjam), an infinite loop due to malformed ECParameters, an out-of-bounds read in X509_cmp_time, a PKCS7 crash with missing EnvelopedContent, an infinite loop in the CMS code when verifying a signedData message with an unknown hash function OID, and a race condition handling NewSessionTicket.


Invalid free in DTLS

06/12/15
CVE 2014-8176
OpenSSL prior to 0.9.8za, 1.0.0m, and 1.0.1h is affected by a memory corruption vulnerability due to an invalid free. The vulnerability occurs if a DTLS peer receives application data between the ChangeCipherSpec and Finished messages.


Multiple Vulnerabilities Fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf

03/20/15
CVE 2015-0207 CVE 2015-0208 CVE 2015-0209 CVE 2015-0285 CVE 2015-0286
CVE 2015-0287 CVE 2015-0288 CVE 2015-0289 CVE 2015-0290 CVE 2015-0291
CVE 2015-0292 CVE 2015-0293 CVE 2015-1787
OpenSSL versions before 0.9.8zf, 1.0.0 before 1.0.0r, and 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a are prone to multiple vulnerabilities. The vulnerabilities exist due to the following:


Multiple Vulnerabilities Fixed in OpenSSL 1.0.1k, 1.0.0p, and 0.9.8zd

01/12/15
CVE 2015-0204 CVE 2015-0205 CVE 2015-0206 CVE 2014-3569 CVE 2014-3570
CVE 2014-3571 CVE 2014-3572 CVE 2014-8275
OpenSSL versions before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k are prone to multiple vulnerabilities. The vulnerabilities exist due to the following:


Multiple Vulnerabilities Fixed in OpenSSL 1.0.1j, 1.0.0o, and 0.9.8zc

10/22/14
CVE 2014-3513 CVE 2014-3566 CVE 2014-3567 CVE 2014-3568
OpenSSL versions prior to 1.0.1j, 1.0.0o, and 0.9.8zc are prone to multiple vulnerabilities, including denial of service, man-in-the-middle attacks, and compromise a vulnerable system.


Multiple Vulnerabilities Fixed in OpenSSL 1.0.1i, 1.0.0n, and 0.9.8zb

08/11/14
CVE 2014-3505 CVE 2014-3506 CVE 2014-3507 CVE 2014-3508 CVE 2014-3509
CVE 2014-3510 CVE 2014-3511 CVE 2014-3512 CVE 2014-5139
OpenSSL versions prior to 1.0.1i, 1.0.0n, and 0.9.8zb are prone to multiple vulnerabilities, including denial of service attacks, disclosure of sensitive information, and compromise a vulnerable system.


OpenSSL Multiple Vulnerabilities

06/06/14
CVE 2014-0195
CVE 2014-0221
CVE 2014-3470
OpenSSL versions 1.0.1g and prior are prone to multiple vulnerabilities, which can be exploited by attackers to disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.


OpenSSL CCS Injection

06/06/14
CVE 2014-0224
OpenSSL is affected by a vulnerability in the handling of ChangeCipherSpec (CCS) messages. CCS messages received too early from the client may be processed before a master secret has been established, causing a zero-length master secret to be used. This could allow man-in-the-middle attackers to decrypt or hijack the session.

Exploitation of this vulnerability is most likely in OpenSSL 1.0.1 before 1.0.1h. However, version 1.0.0 before 1.0.0m, and all versions prior to 0.9.8za are also affected.


OpenSSL do_ssl3_write Function NULL Pointer Dereference Vulnerability

05/06/14
CVE 2014-0198
OpenSSL versions 1.0.1g and prior are prone to a vulnerability, which can be exploited by remote attackers to cause a DoS (Denial of Service). The vulnerability exists due to a NULL pointer dereference error in the do_ssl3_write function. The vulnerability can be exploited when SSL_MODE_RELEASE_BUFFERS flag is enabled.


OpenSSL ssl3_read_bytes Function Use-after-free Remote Content Injection

04/24/14
CVE 2010-5298
OpenSSL versions 1.0.1g and prior, when SSL_MODE_RELEASE_BUFFERS is enabled, are vulnerable to remote content injection. The vulnerability is due to a us-after-free error in the ssl3_read_bytes() function in ssl/s3_pkt.c.


OpenSSL "Heartbleed" vulnerability

04/08/14
CVE 2014-0160
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.


OpenSSL ECDSA Nonces Recovery Vulnerability

03/24/14
CVE 2014-0076
OpenSSL versions 1.0.1f and prior are prone to a vulnerability, which can be exploited by malicious, local users to disclose certain sensitive information. The vulnerability exists due to an implementation error in the Elliptic Curve Digital Signature Algorithm (ECDSA). The vulnerability can be exploited to disclose a nonce value and subsequently derive the secret key via the FLUSH+RELOAD Cache side-channel attack.


Multiple Vulnerabilities Fixed in OpenSSL 1.0.1f

01/07/14
CVE 2013-4353
CVE 2013-6449
CVE 2013-6450
OpenSSL are prone to multiple vulnerabilities which can be exploited to cause a denial of service. These vulnerabilities are due to the following:

Note: OpenSSL versions 1.0.1 through 1.0.1e are affected by vulnerability number 1 and vulnerability number 2. OpenSSL versions 1.0.0 through 1.0.0k and versions 1.0.1 through 1.0.1e are affected by vulnerability number 3.


Multiple Vulnerabilities Fixed in OpenSSL 0.9.8y, 1.0.0k, and 1.0.1d

02/08/13
CVE 2012-2686
CVE 2013-0166
CVE 2013-0169
OpenSSL versions prior to 0.9.8y, 1.0.0k, and 1.0.1d are prone to multiple vulnerabilities. These vulnerabilities can be exploited by malicious people to disclose sensitive information or cause DoS (Denial of Service).


TLS Packet Parsing Integer Underflow Denial of Service Vulnerability

05/14/12
CVE 2012-2333
OpenSSL versions prior to 1.0.1c, 1.0.0j, and 0.9.8x are prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) of the application using the library. The vulnerability is caused due to an integer underflow error within the parsing of TLS record length of Datagram Transport Layer Security (DTLS) packets using CBC encryption mode, which can be exploited to cause a crash.


"asn1_d2i_read_bio()" DER Format Data Processing Vulnerability

04/24/12
CVE 2012-2110
CVE 2012-2131
OpenSSL before 0.9.8w, 1.0.1a, and 1.0.0i is prone to a vulnerability, which can be exploited by malicious people to potentially compromise an application using the library. The vulnerability is caused due to a type casting error in the "asn1_d2i_read_bio()" function when processing DER format data and can be exploited to cause a heap-based buffer overflow.


CMS / PKCS #7 Decryption and NULL Pointer Dereference Vulnerabilities

03/19/12
CVE 2012-0884
CVE 2012-1165
OpenSSL before 0.9.8u or 1.0.0h is prone to two vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service) in an application using the library.


ASN.1 MIME Header Parsing NULL Pointer Dereference Vulnerability

03/01/12
CVE 2006-7250
OpenSSL 0.9.8t, 1.0.0g, and prior are prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) of the application using the library. The vulnerability is caused due to a NULL-pointer dereference error in the "mime_hdr_cmp()" function when parsing certain MIME headers and can be exploited to cause a crash.


Race Condition vulnerability

02/16/12
CVE 2010-3864
OpenSSL versions 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a have a race condition in the TLS extension parsing code. The vulnerability might allow remote attackers to execute arbitrary code via client data which triggers a heap-based buffer overflow when multi-threading and internal caching are enabled on a TLS server.


DTLS Denial of Service Vulnerability

01/30/12
CVE 2012-0050
OpenSSL versions 1.0.0f and 0.9.8s are prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).


Multiple vulnerabilities fixed in OpenSSL 0.9.8s

01/12/12
CVE 2011-4108 CVE 2011-4109 CVE 2011-4576 CVE 2011-4577 CVE 2011-4619
CVE 2012-0027
OpenSSL before 0.9.8s is prone to multiple vulnerabilities, which can be exploited by malicious people to disclose potentially sensitive information, cause a DoS (Denial of Service), and potentially compromise an application using the library.


CRL Bypass and ECDH Denial of Service Vulnerabilities

09/13/11
CVE 2011-3207
CVE 2011-3210
OpenSSL before 1.0.0e is prone to two vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service).


ECDSA Timing Attack Vulnerability

05/25/11
CVE 2011-1945
OpenSSL 0.x and 1.x are prone to a vulnerability, which can be exploited by malicious people to disclose potentially sensitive information. The weakness is caused due to the implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) not properly preventing timing attacks, which can be exploited to e.g. disclose the private key of a TLS server.


OCSP Stapling 'ClientHello' Handshake Message Parsing Security Vulnerability

02/28/11
CVE 2011-0014
OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c are prone to a security vulnerability that affects Online Certificate Status Protocol (OCSP) stapling. Attackers can exploit this issue to cause a denial-of-service condition in OpenSSL. If OpenSSL is used in an application, parsed OCSP nonce extensions could be used to obtain sensitive information.


Ciphersuite Downgrade vulnerability

12/17/10
CVE 2010-4180
OpenSSL prior to 0.9.8q, and 1.0.0 prior to 1.0.0c, are affected by a vulnerability which could allow the ciphersuite to be downgraded to a weaker one in some cases. The vulnerability is caused by an old bug workaround.


JPAKE Validation Error

12/17/10
CVE 2010-4252
OpenSSL prior to 0.9.8q, and 1.0.0 prior to 1.0.0c, are affected by a vulnerability in the JPAKE implementation. The vulnerability could allow successful validation by someone with no knowledge of the shared secret. Note that JPAKE is not compiled into OpenSSL by default.


EVP_PKEY_verify_recover() Invalid Return Value Security Bypass Vulnerability

06/29/10
CVE 2010-1633
OpenSSL 1.0.0 is prone to a security-bypass vulnerability. Successful exploit may allow attackers to potentially bypass key checks in applications using the affected library.


Cryptographic Message Syntax Memory Corruption Vulnerability

06/29/10
CVE 2010-0742
OpenSSL 0.9.8h through 0.9.8n and OpenSSL 1.0.x prior to 1.0.0a are prone to a remote memory-corruption vulnerability. An attacker can exploit this issue by supplying specially crafted structures to a vulnerable application that uses the affected library. Successfully exploiting this issue can allow the attacker to execute arbitrary code. Failed exploit attempts will result in a denial-of-service condition.


ssl3_get_record() Remote Denial of Service Vulnerability

04/26/10
CVE 2010-0740
OpenSSL versions 0.9.8f through 0.9.8m are prone to a denial-of-service vulnerability caused by a NULL-pointer dereference. An attacker can exploit this issue to crash the affected application, denying service to legitimate users.


dtls1_retrieve_buffered_fragment() Remote Denial of Service Vulnerability

04/14/10
CVE 2010-0433
OpenSSL before 0.9.8n is prone to a denial-of-service vulnerability caused by a NULL-pointer dereference. An attacker can exploit this issue to crash the affected application, denying service to legitimate users.


bn_wexpend() Error Handling Unspecified Vulnerability

04/14/10
CVE 2009-3245
OpenSSL before 0.9.8m is prone to an unspecified vulnerability, due to a NULL return value from bn_wexpand function calls.


Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability

04/07/10
CVE 2009-3555
Multiple vendors TLS protocol implementations are prone to a security vulnerability related to the session-renegotiation process which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context.


ChangeCipherSpec DTLS Packet Denial of Service Vulnerability

06/24/09
CVE 2009-1386
OpenSSL before 0.9.8i is prone to a denial-of-service vulnerability caused by a NULL-pointer dereference condition. An attacker can exploit this issue to crash the affected application, denying service to legitimate users.


dtls1_retrieve_buffered_fragment() DTLS Packet Denial of Service Vulnerability

06/22/09
CVE 2009-1379
OpenSSL before 1.0.0 Beta 2 is prone to a vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c, that may allow attackers to cause denial-of-service conditions.


DTLS Packets Multiple Denial of Service Vulnerabilities

06/10/09
CVE 2009-1377
CVE 2009-1378
OpenSSL 0.9.8k and prior are prone to multiple vulnerabilities that may allow attackers to cause denial-of-service conditions.


Multiple vulnerabilities fixed in OpenSSL 0.9.8k

04/13/09
CVE 2009-0590
CVE 2009-0591
CVE 2009-0789
OpenSSL before 0.9.8k is prone to multiple vulnerabilities that may allow attackers to trigger denial-of-service conditions or bypass certain security checks.


Security Bypass in version 0.9.8i and earlier

01/12/09
CVE 2008-5077
OpenSSL version 0.9.8i and earlier does not properly check the return value of the EVP_VerifyFinal function which allows attackers to use a malformed SSL/TLS signature to bypass security.


OpenSSL 0.9.8f through 0.9.8h Denial of Service Vulnerabilities

02/09/11
CVE 2008-1678
A flaw was found in the handling of compression structures between mod_ssl and OpenSSL. A remote attacker enabling compression in an SSL handshake could cause a memory leak in the server, leading to a denial of service.


OpenSSL 0.9.8f and 0.9.8g Multiple Denial of Service Vulnerabilities

06/06/08
CVE 2008-0891
CVE 2008-1672
OpenSSL 0.9.8f and 0.9.8g have multiple Denial of Service vulnerabilities. A remote attacker could send a crafted packet to a server application using OpenSSL and cause it to crash (CVE-2008-0891). If a client connects to a malicious server with particular cipher suites, the server could cause the client to crash via a TLS handshake(CVE-2008-1672).


Debian and Ubuntu Random Number Generator Weakness

05/19/08
CVE 2008-0166
Debian and Ubuntu versions of OpenSSL 0.9.8c through 0.9.8f have a vulnerability in the random number generator due to lack of entropy. This makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.


Off-by one error in DTLS vulnerability

10/26/07
CVE 2007-4995
OpenSSL 0.9.8 prior to 0.9.8f has an off-by-one error in the DTLS implementation that allows remote attackers to execute arbitrary code.


One byte buffer overflow in the SSL_get_shared_ciphers function

10/04/07
CVE 2007-5135
OpenSSL versions 0.9.7l, 0.9.8d, and 0.9.8e have a one-byte buffer overflow caused by the fix for CVE 2006-3738 to the SSL_get_shared_ciphers vulnerability.


BN_from_montgomery side-channel attack

08/10/07
CVE 2007-3108
OpenSSL versions of 0.9.8 up to and including 0.9.8e have an error in the BN_from_montgomery function in crypto/bn/bn_mont.c where Montgomery multiplication is not properly performed. This might allow local users to conduct a side-channel attack and retrieve RSA private keys.


Multiple vulnerabilities fixed by OpenSSL 0.9.7l/0.9.8d

10/03/06
CVE 2006-2937
CVE 2006-2940
CVE 2006-3738
CVE 2006-4343
OpenSSL versions 0.9.7l and 0.9.8d fixed multiple vulnerabilities, including two denial-of-service vulnerabilities in parsing ASN.1 data, a buffer overflow in the SSL_get_shared_ciphers function, and a client denial of service when OpenSSL is used to created an SSLv2 connection.


RSA signature forgery for exponent 3

09/11/06
CVE 2006-4339
OpenSSL when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash. This allows remote attackers to forge a PKCS #1 v1.5 signature. Versions before 0.9.7, 0.9.7 before 0.9.7k and 0.9.8 before 0.9.8c are vulnerable.


Potential SSL 2.0 Rollback

10/18/05
CVE 2005-2969
OpenSSL versions prior to 0.9.7h and 0.9.8a have a vulnerability if the SSL_OP_MSIE_SSLV2_RSA_PADDING option is set. This option is set by the SSL_OP_ALL option , which is intended to work around various bugs in third-party software that might prevent interoperability. In the event that this option is set, the verification steps necessary to prevent the use of SSL 2.0 can be disabled. The SSL 2.0 protocol is known to have severe cryptographic weaknesses and is supported only as a fallback.


Null-pointer Assignment During SSL Handshake

03/17/04
CVE 2004-0079
The assignment of a value to a null pointer in the do_change_cipher_spec function could allow a remote attacker to crash OpenSSL by sending a specially crafted SSL/TLS handshake to an application using OpenSSL. Depending upon the application, this attack could lead to a denial of service. OpenSSL 0.9.6c through 0.9.6l and 0.9.7a through 0.9.7c are affected by this vulnerability.


Out-of-bounds Read Affecting Kerberos Ciphersuites

03/17/04
CVE 2004-0112
A flaw in the SSL/TLS handshaking code when using Kerberos ciphersuites could allow a remote attacker to crash OpenSSL by sending a specially crafted SSL/TLS handshake to an application configured to use Kerberos ciphersuites. OpenSSL 0.9.7a through 0.9.7c are affected by this vulnerability if used in applications which use Kerberos ciphersuites.


Unknown Message Type denial of service

03/23/04
CVE 2004-0081
Due to a flaw in the handling of unknown message types, a remote attacker could cause OpenSSL to enter an endless loop, which could result in a denial of service to the application using OpenSSL. OpenSSL prior to version 0.9.6d is affected by this vulnerability.


Windows-based Recursion Denial of Service

11/07/03
CVE 2003-0851
A bug in OpenSSL 0.9.6k (and probably earlier) allows certain ASN.1 sequences to trigger a large recursion. On platforms such as Windows, this large recursion causes OpenSSL to crash. A remote attacker could exploit this flaw if he or she can send arbitrary ASN.1 sequences that would cause OpenSSL to crash, e.g., by sending a client certificate to a SSL/TLS enabled server that is configured to accept them.


Encoding Errors in ASN.1 Library

OpenSSL uses a library which performs Abstract Syntax Notation 1 (ASN.1) encoding, which is an international standard for transmitting data between applications. This library contains multiple errors which can be exploited to produce a denial of service. In one case, there is a possibility of an attacker executing arbitrary code.

Due to an error in the SSL/TLS protocol handling, a server will parse a client certificate when one is not specifically requested. This means that all SSL/TLS servers that use OpenSSL can be attacked using any of the first three vulnerabilities below, even if client authentication is disabled.

Related CVE entry:
CVE 2005-1730 Novell iManager


OpenSSL 0.9.6e denial of service

10/09/03
CVE 2002-1568
A die command in the OpenSSL library prior to OpenSSL 0.9.6f could allow a remote attacker to terminate Apache or any other OpenSSL-enabled service by sending a specially crafted SSLv2 CLIENT_MASTER_KEY message.


Multiple vulnerabilities in OpenSSL prior to 0.9.6e

07/31/02
OpenSSL versions prior to 0.9.6e (and pre-release versions prior to 0.9.7 beta 2) are affected by multiple vulnerabilities which could allow remote execution of commands or denial of service:


CBC Timing Vulnerability

03/04/03
CVE 2003-0078
A weakness in OpenSSL's implementation of CBC-mode ciphers could allow a remote attacker to decrypt data passing over the network. By sending specially crafted ciphertext blocks in place of legitimate ciphertext blocks and measuring the time it takes to receive a response, an attacker could gain enough information to decrypt any information that is sent repeatedly over the network.

OpenSSL prior to 0.9.6i, and OpenSSL 0.9.7 prior to 0.9.7a are affected by this vulnerability if CBC mode is used. Exploitation would be very difficult and would require the ability to intercept legitimate traffic containing hundreds of blocks with low network latency.


RSA Timing Vulnerability

03/20/03
CVE 2003-0147
This is another timing attack. A remote attacker could recover the RSA secret key from OpenSSL if RSA blinding is turned off, which is the usual configuration. OpenSSL 0.9.7a and 0.9.6i are affected by this vulnerability.


Cryptographic Flaw in PRNG

CVE 2001-1141
A flaw in OpenSSL prior to 0.9.6b could allow an attacker to determine the internal state of the pseudo-random number generator (PRNG) by sending a number of one-byte requests to the PRNG, thus allowing the attacker to predict future random numbers. This vulnerability is not exploitable in Apache or any other known applications which use the OpenSSL library because they do not make one-byte requests to the PRNG. However, this is still a weakness in the cryptography and should be addressed.

Resolution

OpenSSL should be upgraded to version 3.3.1 for 3.3.x 3.2.2 for 3.2.x, 3.1.6 for 3.1.x, 3.0.14 for 3.0.x,when available.

Note: Premium support customers of OpenSSL for 1.1.1 should upgrade to version 1.1.1y or higher and 1.0.2 should upgrade to 1.0.2zj.

VERSIONS 1.1.0, 1.0.3, 1.0.1, 1.0.0, AND 0.9.8 VERSIONS HAVE REACHED EOL AND NO MORE SECURITY FIXES WILL BE PROVIDED. USERS ARE ADVISED TO UPGRADE TO LATER VERSIONS.

Since the overflow bug in the AVX2 Montgomery multiplication procedure is considered low severity, a new release of OpenSSL 1.1.0 at this time is not issued. The fix will be included in OpenSSL 1.1.0h when it becomes available. The fix is also available in commit e502cc86d in the OpenSSL git repository.

For the OpenSSL Triple-DES Cipher Block Collision Vulnerability, OpenSSL has mitigated the issue:

Recompile any OpenSSL applications statically linked to OpenSSL libraries. Another option is to install a fix from your vendor.

Apply a patch or, as a workaround, recompile OpenSSL with -DOPENSLL_NO_BUF_FREELIST.

The random number generator weakness for the Debian and Ubuntu platform should be patched.

Where can I read more about this?

The OpenSSL Security Advisory for 28 May 2024 was reported in 20240528.

The OpenSSL Security Advisory for 16 May 2014 was reported in 20240516.

The OpenSSL Security Advisory for 8 April 2024 was reported in 20240408.

The OpenSSL Security Advisory for 25 January 2024 was reported in 20240125.

The OpenSSL Security Advisory for 9 January 2024 was reported in 20240109.

The OpenSSL Security Advisory for 6 November 2023 was reported in 20231106.

The OpenSSL Security Advisory for 24 October 2023 was reported in 20231024.

The OpenSSL Security Advisory for 8 September 2023 was reported in 20230908.

The Excessive time spent checking DH keys and q parameter values were reported in 20230719 and 20230731.

The OpenSSL Security Advisory for 14 July 2023 was reported in 20230714.

The OpenSSL Security Advisory for 30 May 2023 was reported in 20230530.

For more information on the OpenSSL Security Advisory for 20 April 2023, see 20230420.

For more information on the OpenSSL Security Advisory for 28 March 2023, see 20230328.

For more information on the OpenSSL Security Advisory for 22 March 2023, see 20230322.

For more information on the OpenSSL Security Advisory for 07 February 2023, see 20230207.

For more information on the X.509 Policy Constraints Double Locking, see 20221213.

For more information on the OpenSSL Security Advisory for 11 October 2022, see 20221101.

For more information on the OpenSSL Security Advisory for 11 October 2022, see 20221011.

For more information on the OpenSSL Security Advisory for 05 July 2022, see 20220705.

For more information on the OpenSSL Security Advisory for 22 June 2022, see commit 4d8a88c134df634ba610ff8db1eb8478ac5fd345.

For more information on the OpenSSL Security Advisory for 21 June 2022, see 20220621.

The Security Advisory for 03 March 2022 as reported in 20220503.

The Security Advisory for 15 March 2022 was reported in CVE-2022-0778.

The Security Advisory for 28 January 2022 was reported in CVE-2021-4160.

The Security Advisory for 14 December 2022 was reported in CVE-2021-4160.

For more information on the OpenSSL Security Advisory for 24 August 2021, see 20210824.

For more information on the OpenSSL Security Advisory for 25 March 2021, see 20210325.

For more information on the OpenSSL Security Advisory for 16 February 2021, see 20210216.

The Security Advisory for 08 December 2020 was reported in OpenSSL Security Advisory 08 December 2020.

The Security Advisory for 21 September 2020 was reported in OpenSSL Security Advisory 21 September 2020.

The Security Advisory for 21 April 2020 was reported in OpenSSL Security Advisory 21 April 2020.

For the OpenSSL Security Advisory for 6 December 2019, see OpenSSL Security Advisory 6 December 2019.

For the OpenSSL Security Advisory for September 2019 fixed multiple vulnerabilities, see OpenSSL Security Advisory 10 September 2019.

For the OpenSSL OPENSSLDIR privilege elevation vulnerability (CVE-2019-1552), see OpenSSL Security Advisory 30 July 2019.

For the OpenSSL ChaCha20-Poly1305 with long nonces vulnerability, see OpenSSL Security Advisory 6 March 2019.

For the OpenSSL 0-byte record padding oracle vulnerability, see OpenSSL Security Advisory 26 February 2019.

For the OpenSSL on SMT/Hyper-Threading architectures side-channel vulnerability, see CVE-2018-5407.

For the OpenSSL signature algorithm vulnerabilities, see OpenSSL Security Advisory 30 October 2018 and OpenSSL Security Advisory 29 October 2018.

For the OpenSSL Client Denial of Service Vulnerability, see OpenSSL Security Advisory 12 June 2018.

The OpenSSL Cache timing vulnerability in RSA Key Generation was reported in OpenSSL Security Advisory 16 Apr 2018.

The two vulnerabilities fixed in OpenSSL 1.1.0h were reported in OpenSSL Security Advisory 27 Mar 2018.

The two vulnerabilities fixed in OpenSSL 1.0.2n were reported in OpenSSL Security Advisory 07 Dec 2017.

The two vulnerabilities fixed in OpenSSL 1.0.2m and 1.1.0g were reported in OpenSSL Security Advisory 02 Nov 2017.

The vulnerability in Encrypt-Then-Mac renegotiation fixed in OpenSSL was posted in OpenSSL Security Advisory 16 Feb 2017.

The multiple vulnerabilities fixed in OpenSSL Security Advisory 20170126 were reported in OpenSSL Security Advisory 26 Jan 2017.

The OpenSSL ECDSA P-256 timing attack key recovery vulnerability was reported in CVE-2016-7056.

The OpenSSL Security Advisory 20161110 were reported in OpenSSL Security Advisory 10 Nov 2016.

The OpenSSL Security Advisory 20160922 were reported in OpenSSL Security Advisory 22 Sep 2016, CVE-2016-6309, and CVE-2016-7052.

The OpenSSL Triple-DES Cipher Block Collision Vulnerability was reported in Changes between 1.0.2h and 1.1.0, Changes between 1.0.2h and 1.0.2i, and Changes between 1.0.1t and 1.0.1u.

The BN_bn2dec() vulnerability in OpenSSL was reported in CVE-2016-2182.

The OpenSSL DTLS replay protection bypass causing denial of service was reported in CVE-2016-2181.

The OpenSSL DTLS buffered messages denial of service vulnerability was reported in CVE-2016-2179.

The OpenSSL non-constant time codepath vulnerability was reported in CVE-2016-2178.

The OpenSSL integer overflow vulnerability was reported in CVE-2016-2177.

The OpenSSL Security Advisory 20160503 was reported in OpenSSL Security Advisory 20160503.

The multiple vulnerabilities fixed in OpenSSL 1.0.2g and 1.0.1s were reported in OpenSSL Security Advisory 1 Mar 2016.

The two vulnerabilities fixed in OpenSSL 1.0.2f and 1.0.1r were reported in OpenSSL Security Advisory 28 Jan 2016.

The multiple vulnerabilities fixed in OpenSSL 1.0.2e, 1.0.1q, 1.0.0t, and 0.9.8zh were reported in OpenSSL Security Advisory 3 Dec 2015.

The alternative chains certificate forgery was reported in OpenSSL Security Advisory 9 July 2015.

The vulnerabilities fixed in OpenSSL 1.0.2b, 1.0.1n, 1.0.0s, and 0.9.8zg and the invalid free in DTLS were reported in an OpenSSL Security Advisory.

The multiple vulnerabilities fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf were reported in OpenSSL Security Advisory 20150319.

The multiple vulnerabilities fixed in OpenSSL 1.0.1k, , 1.0.0p, and 0.9.8zd were reported in OpenSSL Security Advisory 20150108.

The vulnerabilities fixed in OpenSSL 1.0.1j, 1.0.0o, and 0.9.8zc were reported in OpenSSL Security Advisory 20141015.

The vulnerabilities fixed in OpenSSL 1.0.1i, 1.0.0n, and 0.9.8zb were reported in OpenSSL Security Advisory 20140806.

The OpenSSL multiple vulnerabilities were reported in OpenSSL Security Advisory 20140605.

For a discussion of the CCS injection vulnerability, see ImperialViolet.

The OpenSSL do_ssl3_write function NULL pointer dereference vulnerability was reported in s3_pkt.c.

The OpenSSL ssl3_read_bytes() function use-after-free vulnerability was reported in OSVDB 105763. The OpenSSL "Heartbleed" vulnerability was reported in openssl-heartbleed-bug-live-blog.

The OpenSSL ECDSA Nonces Recovery Vulnerability was reported in Bugtraq.

The multiple vulnerabilities fixed in OpenSSL 1.0.1f were reported in SecurityTracker ID 1029548, SecurityTracker ID 1031594, and OpenSSL vulnerabilities.

The multiple vulnerabilities fixed in OpenSSL 0.9.8y, 1.0.0k, and 1.0.1d were reported in Bugtraq, Bugtraq, and SecurityTracker ID 1029190.

The TLS Packet Parsing Integer Underflow Denial of Service vulnerability was reported in SecurityTracker ID 1027057.

The OpenSSL "asn1_d2i_read_bio()" DER Format Data Processing vulnerability was reported in SecurityTracker ID 1026957.

The CMS / PKCS #7 Decryption and NULL Pointer Dereference vulnerabilities were reported in Bugtraq and SecurityTracker ID 1026787.

The ASN.1 MIME Header Parsing NULL Pointer Dereference vulnerability was reported in Bugtraq.

The Race Condition vulnerability was reported in SecurityTracker ID 1024743.

The DTLS Denial of Service vulnerability was reported in SecurityTracker ID 1026548.

The multiple vulnerabilities fixed in OpenSSL 0.9.8s were reported in Bugtraq, Bugtraq, and Bugtraq.

The CRL Bypass and ECDH Denial of Service vulnerabilities were reported in SecurityTracker ID 1026012.

The ECDSA Timing Attack vulnerability was reported in Secunia Advisory SA44572.

The OCSP Stapling 'ClientHello' Handshake Message Parsing Security vulnerability was reported in Bugtraq ID 46264.

The ciphersuite downgrade vulnerability and the JPAKE validation error were reported in OpenSSL Security Advisory - 2 December 2010.

The EVP_PKEY_verify_recover() Invalid Return Value Security Bypass vulnerability was reported in Bugtraq ID 40503.

The Cryptographic Message Syntax Memory Corruption vulnerability was reported in Bugtraq ID 40502.

The ssl3_get_record() Remote Denial of Service vulnerability was reported in Bugtraq ID 39013.

The dtls1_retrieve_buffered_fragment() Remote Denial of Service vulnerability was reported in Bugtraq ID 38533.

The bn_wexpend() Error Handling unspecified vulnerability was reported in Bugtraq ID 38562.

The Multiple Vendor TLS Protocol Session Renegotiation Security vulnerability was reported in Bugtraq ID 36935.

The ChangeCipherSpec DTLS Packet Denial of Service vulnerability was reported in Bugtraq ID 35174.

The dtls1_retrieve_buffered_fragment() DTLS Packet Denial of Service vulnerability was reported in Bugtraq ID 35138.

The DTLS Packets multiple Denial of Service vulnerabilities were reported in Bugtraq ID 35001.

The multiple vulnerabilities fixed in OpenSSL 0.9.8k were reported in Bugtraq ID 34256.

The Security Bypass in version 0.9.8i and earlier was reported in Ocert Advisory 2008-016.

The OpenSSL Compression Memory Leak Remote Denial of Service Vulnerability was reported in Bugtraq ID 31692.

The OpenSSL 0.9.8f and 0.9.8g multiple Denial of Service vulnerabilities were reported in Bugtraq ID 29405.

The Debian and Ubuntu random number generator weakness was reported in SecurityTracker ID 1020017.

The off-by-one DTLS implementation vulnerability was reported in SecurityTracker ID 1018810.

The one byte buffer overflow in the SSL_get_shared_ciphers function was reported in SecurityTracker ID 1018755 and SecurityTracker ID 1017522.

The BN_from_montgomery side-channel attack vulnerability was reported in Bugtraq ID 25163.

The vulnerabilities corrected by OpenSSL 0.9.7l and 0.9.8d were reported in an OpenSSL security advisory.

The RSA signature forgery for exponent 3 vulnerability was reported in OpenSSL security advisory. Additional information on the vulnerability can be found at ietf-openpgp msg14307.

The Potential SSL 2.0 Rollback vulnerability was reported in an OpenSSL security advisory.

The null-pointer assignment and out-of-bounds read vulnerabilities were reported in US-CERT advisory TA04-078A and an OpenSSL security advisory.

The Windows-based recursion denial-of-service vulnerability was reported in a Bugtraq posting and confirmed in an OpenSSL Advisory.

The recent batch of ASN.1 encoding errors were reported in CERT Advisory 2003-26 and an OpenSSL Advisory.

The buffer overflows and older ASN.1 encoding errors were reported in CERT Advisory 2002-23 and an OpenSSL Advisory.

The denial-of-service vulnerability in OpenSSL 0.9.6e was posted to Bugtraq.

The PRNG vulnerability was reported in an OpenSSL Advisory.

The CBC vulnerability was reported in another OpenSSL Advisory.

The RSA timing vulnerability was reported in another OpenSSL Advisory and in the paper Remote Timing Attacks are Practical by Dan Boneh and David Brumley.