OpenSSL Security Advisory 20160301 - A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP) shares the RSA keys of the non-vulnerable server. This vulnerability is known as DROWN (CVE-2016-0800). Other issues were also addressed.
OpenSSL Security Advisory 20240125 - Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash, leading to a potential Denial of Service attack.
OpenSSL Security Advisory 20240115 - Checking excessively long invalid RSA public keys may take a long time.
OpenSSL Security Advisory 20240109 - The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions.
OpenSSL Security Advisory 20231106 - Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow.
OpenSSL Security Advisory 20231024 - A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers.
OpenSSL Security Advisory 20230908 - The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions.
OpenSSL Security Advisory 20230731 - Checking excessively long DH keys or parameters may be very slow.
OpenSSL Security Advisory 20230719 - Checking excessively long DH keys or parameters may be very slow.
OpenSSL Security Advisory 20230714 - The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence.
OpenSSL Security Advisory 20230530 - Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a denial of service.
OpenSSL Security Advisory 20230420 - The AES-XTS cipher decryption implementation for the 64-bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash.
OpenSSL Security Advisory 20230328 - Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Other issues were also addressed.
OpenSSL Security Advisory 20230322 - A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems.
OpenSSL Security Advisory 20230207 - Security issues addressed in OpenSSL include X.400 address type confusion in X.509 GeneralName, a timing oracle in RSA decryption, an X.509 Name Constraints read buffer overflow, a use-after-free following BIO_new_NDEF, a double-free after calling PEM_read_bio_ex, an invalid pointer dereference in d2i_PKCS7 functions, a NULL dereference validating DSA public key, and a NULL dereference during PKCS7 data verification.
OpenSSL Security Advisory 20221101 - A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Other issues were also addressed.
OpenSSL Security Advisory 20221011 - OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers.
OpenSSL Security Advisory 20220705 - The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. Other issues were also addressed.
OpenSSL Security Advisory 20220621 - In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review.
OpenSSL Security Advisory 20220503 - The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Other issues were also addressed.
OpenSSL Security Advisory 20220315 - The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli.
OpenSSL Security Advisory 20220128 - There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the prerequisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701.
OpenSSL Security Advisory 20211214 - Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses.
OpenSSL Security Advisory 20210824 - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. Other issues were also addressed.
OpenSSL Security Advisory 20210325 - The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Other issues were also addressed.
OpenSSL Security Advisory 20210216 - The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However, it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer dereference and a crash, leading to a potential denial of service attack. Other issues were also addressed.