[openssl-commits] [web] master update
Matt Caswell
matt at openssl.org
Thu Mar 19 13:57:31 UTC 2015
The branch master has been updated
via 6c8d1f82eb0d6b290cca7daed4e0095b462b04af (commit)
from 0eae3397eac95c6b243a822668c6e8a2c24d5be8 (commit)
- Log -----------------------------------------------------------------
commit 6c8d1f82eb0d6b290cca7daed4e0095b462b04af
Author: Matt Caswell <matt at openssl.org>
Date: Thu Mar 19 13:49:38 2015 +0000
Updates for new release
-----------------------------------------------------------------------
Summary of changes:
news/newsflash.txt | 4 +
news/secadv_20150319.txt | 332 +++++++++++++++++++++++++
news/vulnerabilities.xml | 633 ++++++++++++++++++++++++++++++++++++++++++++++-
3 files changed, 958 insertions(+), 11 deletions(-)
create mode 100644 news/secadv_20150319.txt
diff --git a/news/newsflash.txt b/news/newsflash.txt
index b429a49..b596da0 100644
--- a/news/newsflash.txt
+++ b/news/newsflash.txt
@@ -1,3 +1,7 @@
+19-Mar-2015: <a href="ROOT/news/secadv_20150319.txt">Security Advisory</a>: twelve security fixes
+19-Mar-2015: OpenSSL 1.0.1m is now <a href="ROOT/source/">available</a>, including bug and security fixes
+19-Mar-2015: OpenSSL 1.0.0r is now <a href="ROOT/source/">available</a>, including bug and security fixes
+19-Mar-2015: OpenSSL 0.9.8zf is now <a href="ROOT/source/">available</a>, including bug and security fixes
22-Jan-2015: OpenSSL 1.0.2 is now <a href="ROOT/source/">available</a>, a major release
15-Jan-2015: New releases to resolve Windows/OpenVMS compilation problems:
15-Jan-2015: OpenSSL 1.0.1l is now <a href="ROOT/source/">available</a>, including bug fixes
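Review bot: the added newsflash entries announce 1.0.1m, 1.0.0r and 0.9.8zf but not 1.0.2a, although the advisory added in this same commit tells 1.0.2 users to upgrade to 1.0.2a. Consider adding a matching "19-Mar-2015: OpenSSL 1.0.2a is now available" line so that readers on the 1.0.2 branch see their fixed release listed alongside the others.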
diff --git a/news/secadv_20150319.txt b/news/secadv_20150319.txt
new file mode 100644
index 0000000..002736d
--- /dev/null
+++ b/news/secadv_20150319.txt
@@ -0,0 +1,332 @@
+OpenSSL Security Advisory [19 Mar 2015]
+=======================================
+
+OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
+=====================================================
+
+Severity: High
+
+If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
+invalid signature algorithms extension a NULL pointer dereference will occur.
+This can be exploited in a DoS attack against the server.
+
+This issue affects OpenSSL version: 1.0.2
+
+OpenSSL 1.0.2 users should upgrade to 1.0.2a.
+
+This issue was was reported to OpenSSL on 26th February 2015 by David Ramos
+of Stanford University. The fix was developed by Stephen Henson and Matt
+Caswell of the OpenSSL development team.
+
+Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
+============================================================================
+
+Severity: High
+
+This security issue was previously announced by the OpenSSL project and
+classified as "low" severity. This severity rating has now been changed to
+"high".
+
+This was classified low because it was originally thought that server RSA
+export ciphersuite support was rare: a client was only vulnerable to a MITM
+attack against a server which supports an RSA export ciphersuite. Recent
+studies have shown that RSA export ciphersuites support is far more common.
+
+This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
+
+OpenSSL 1.0.1 users should upgrade to 1.0.1k.
+OpenSSL 1.0.0 users should upgrade to 1.0.0p.
+OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
+
+This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
+Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
+Henson of the OpenSSL core team. It was previously announced in the OpenSSL
+security advisory on 8th January 2015.
+
+Multiblock corrupted pointer (CVE-2015-0290)
+============================================
+
+Severity: Moderate
+
+OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This feature
+only applies on 64 bit x86 architecture platforms that support AES NI
+instructions. A defect in the implementation of "multiblock" can cause OpenSSL's
+internal write buffer to become incorrectly set to NULL when using non-blocking
+IO. Typically, when the user application is using a socket BIO for writing, this
+will only result in a failed connection. However if some other BIO is used then
+it is likely that a segmentation fault will be triggered, thus enabling a
+potential DoS attack.
+
+This issue affects OpenSSL version: 1.0.2
+
+OpenSSL 1.0.2 users should upgrade to 1.0.2a.
+
+This issue was reported to OpenSSL on 13th February 2015 by Daniel Danner and
+Rainer Mueller. The fix was developed by Matt Caswell of the OpenSSL development
+team.
+
+Segmentation fault in DTLSv1_listen (CVE-2015-0207)
+===================================================
+
+Severity: Moderate
+
+The DTLSv1_listen function is intended to be stateless and processes the initial
+ClientHello from many peers. It is common for user code to loop over the call to
+DTLSv1_listen until a valid ClientHello is received with an associated cookie. A
+defect in the implementation of DTLSv1_listen means that state is preserved in
+the SSL object from one invocation to the next that can lead to a segmentation
+fault. Errors processing the initial ClientHello can trigger this scenario. An
+example of such an error could be that a DTLS1.0 only client is attempting to
+connect to a DTLS1.2 only server.
+
+This issue affects OpenSSL version: 1.0.2
+
+OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2a.
+
+This issue was reported to OpenSSL on 27th January 2015 by Per Allansson. The
+fix was developed by Matt Caswell of the OpenSSL development team.
+
+Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
+===================================================
+
+Severity: Moderate
+
+The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
+made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
+certificate signature algorithm consistency this can be used to crash any
+certificate verification operation and exploited in a DoS attack. Any
+application which performs certificate verification is vulnerable including
+OpenSSL clients and servers which enable client authentication.
+
+This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.
+
+OpenSSL 1.0.2 users should upgrade to 1.0.2a
+OpenSSL 1.0.1 users should upgrade to 1.0.1m.
+OpenSSL 1.0.0 users should upgrade to 1.0.0r.
+OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
+
+This issue was discovered and fixed by Stephen Henson of the OpenSSL
+development team.
+
+Segmentation fault for invalid PSS parameters (CVE-2015-0208)
+=============================================================
+
+Severity: Moderate
+
+The signature verification routines will crash with a NULL pointer
+dereference if presented with an ASN.1 signature using the RSA PSS
+algorithm and invalid parameters. Since these routines are used to verify
+certificate signature algorithms this can be used to crash any
+certificate verification operation and exploited in a DoS attack. Any
+application which performs certificate verification is vulnerable including
+OpenSSL clients and servers which enable client authentication.
+
+This issue affects OpenSSL version: 1.0.2
+
+OpenSSL 1.0.2 users should upgrade to 1.0.2a
+
+This issue was was reported to OpenSSL on 31st January 2015 by Brian Carpenter
+and a fix developed by Stephen Henson of the OpenSSL development team.
+
+ASN.1 structure reuse memory corruption (CVE-2015-0287)
+=======================================================
+
+Severity: Moderate
+
+Reusing a structure in ASN.1 parsing may allow an attacker to cause
+memory corruption via an invalid write. Such reuse is and has been
+strongly discouraged and is believed to be rare.
+
+Applications that parse structures containing CHOICE or ANY DEFINED BY
+components may be affected. Certificate parsing (d2i_X509 and related
+functions) are however not affected. OpenSSL clients and servers are
+not affected.
+
+This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
+and 0.9.8.
+
+OpenSSL 1.0.2 users should upgrade to 1.0.2a
+OpenSSL 1.0.1 users should upgrade to 1.0.1m.
+OpenSSL 1.0.0 users should upgrade to 1.0.0r.
+OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
+
+This issue was discovered by Emilia Käsper and a fix developed by
+Stephen Henson of the OpenSSL development team.
+
+PKCS7 NULL pointer dereferences (CVE-2015-0289)
+===============================================
+
+Severity: Moderate
+
+The PKCS#7 parsing code does not handle missing outer ContentInfo correctly.
+An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
+missing content and trigger a NULL pointer dereference on parsing.
+
+Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
+otherwise parse PKCS#7 structures from untrusted sources are
+affected. OpenSSL clients and servers are not affected.
+
+This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
+and 0.9.8.
+
+OpenSSL 1.0.2 users should upgrade to 1.0.2a
+OpenSSL 1.0.1 users should upgrade to 1.0.1m.
+OpenSSL 1.0.0 users should upgrade to 1.0.0r.
+OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
+
+This issue was reported to OpenSSL on February 16th 2015 by Michal
+Zalewski (Google) and a fix developed by Emilia Käsper of the OpenSSL
+development team.
+
+Base64 decode (CVE-2015-0292)
+=============================
+
+Severity: Moderate
+
+A vulnerability existed in previous versions of OpenSSL related to the
+processing of base64 encoded data. Any code path that reads base64 data from an
+untrusted source could be affected (such as the PEM processing routines).
+Maliciously crafted base 64 data could trigger a segmenation fault or memory
+corruption. This was addressed in previous versions of OpenSSL but has not been
+included in any security advisory until now.
+
+This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
+
+OpenSSL 1.0.1 users should upgrade to 1.0.1h.
+OpenSSL 1.0.0 users should upgrade to 1.0.0m.
+OpenSSL 0.9.8 users should upgrade to 0.9.8za.
+
+The fix for this issue can be identified by commits d0666f289a (1.0.1),
+84fe686173 (1.0.0) and 9febee0272 (0.9.8). This issue was originally reported by
+Robert Dugal and subsequently by David Ramos.
+
+DoS via reachable assert in SSLv2 servers (CVE-2015-0293)
+=========================================================
+
+Severity: Moderate
+
+A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
+servers that both support SSLv2 and enable export cipher suites by sending
+a specially crafted SSLv2 CLIENT-MASTER-KEY message.
+
+This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
+and 0.9.8.
+
+OpenSSL 1.0.2 users should upgrade to 1.0.2a
+OpenSSL 1.0.1 users should upgrade to 1.0.1m.
+OpenSSL 1.0.0 users should upgrade to 1.0.0r.
+OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
+
+This issue was discovered by Sean Burford (Google) and Emilia Käsper
+(OpenSSL development team) in March 2015 and the fix was developed by
+Emilia Käsper.
+
+Empty CKE with client auth and DHE (CVE-2015-1787)
+==================================================
+
+Severity: Moderate
+
+If client auth is used then a server can seg fault in the event of a DHE
+ciphersuite being selected and a zero length ClientKeyExchange message being
+sent by the client. This could be exploited in a DoS attack.
+
+This issue affects OpenSSL version: 1.0.2
+
+OpenSSL 1.0.2 users should upgrade to 1.0.2a.
+
+This issue was discovered and the fix was developed by Matt Caswell of the
+OpenSSL development team.
+
+Handshake with unseeded PRNG (CVE-2015-0285)
+============================================
+
+Severity: Low
+
+Under certain conditions an OpenSSL 1.0.2 client can complete a handshake with
+an unseeded PRNG. The conditions are:
+- The client is on a platform where the PRNG has not been seeded automatically,
+and the user has not seeded manually
+- A protocol specific client method version has been used (i.e. not
+SSL_client_methodv23)
+- A ciphersuite is used that does not require additional random data from the
+PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
+
+If the handshake succeeds then the client random that has been used will have
+been generated from a PRNG with insufficient entropy and therefore the output
+may be predictable.
+
+For example using the following command with an unseeded openssl will succeed on
+an unpatched platform:
+
+openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
+
+This issue affects OpenSSL version: 1.0.2
+
+OpenSSL 1.0.2 users should upgrade to 1.0.2a.
+
+This issue was discovered and the fix was developed by Matt Caswell of the
+OpenSSL development team.
+
+Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)
+===============================================================
+
+Severity: Low
+
+A malformed EC private key file consumed via the d2i_ECPrivateKey function could
+cause a use after free condition. This, in turn, could cause a double
+free in several private key parsing functions (such as d2i_PrivateKey
+or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
+for applications that receive EC private keys from untrusted
+sources. This scenario is considered rare.
+
+This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.
+
+OpenSSL 1.0.2 users should upgrade to 1.0.2a
+OpenSSL 1.0.1 users should upgrade to 1.0.1m.
+OpenSSL 1.0.0 users should upgrade to 1.0.0r.
+OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
+
+This issue was discovered by the BoringSSL project and fixed in their commit
+517073cd4b. The OpenSSL fix was developed by Matt Caswell of the OpenSSL
+development team.
+
+X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)
+===================================================
+
+Severity: Low
+
+The function X509_to_X509_REQ will crash with a NULL pointer dereference if
+the certificate key is invalid. This function is rarely used in practice.
+
+This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
+and 0.9.8.
+
+OpenSSL 1.0.2 users should upgrade to 1.0.2a
+OpenSSL 1.0.1 users should upgrade to 1.0.1m.
+OpenSSL 1.0.0 users should upgrade to 1.0.0r.
+OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
+
+This issue was discovered by Brian Carpenter and a fix developed by Stephen
+Henson of the OpenSSL development team.
+
+Note
+====
+
+As per our previous announcements and our Release Strategy
+(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
+1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
+releases will be provided after that date. Users of these releases are advised
+to upgrade.
+
+References
+==========
+
+URL for this Security Advisory:
+https://www.openssl.org/news/secadv_20150319.txt
+
+Note: the online version of the advisory may be updated with additional
+details over time.
+
+For details of OpenSSL severity classifications please see:
+https://www.openssl.org/about/secpolicy.html
+
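Review bot: in the CVE-2015-0285 section, "SSL_client_methodv23" is not an OpenSSL function name; the version-flexible client method is SSLv23_client_method, and since this condition tells readers whether they are exposed, the identifier should be exact. Smaller points in the same file: the CVE-2015-0209 heading spells the function "d2i_ECPrivatekey" while the body uses "d2i_ECPrivateKey"; "was was reported" appears in the credits for CVE-2015-0291 and CVE-2015-0208; "segmenation fault" in the Base64 decode section should be "segmentation fault"; and several "should upgrade to 1.0.2a" lines lack the trailing period that the neighbouring upgrade lines have.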
diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml
index f13418b..01d3ce5 100644
--- a/news/vulnerabilities.xml
+++ b/news/vulnerabilities.xml
@@ -5,9 +5,138 @@
1.0.0 on 20100329
-->
-<security updated="20150108">
- <issue public="20150108">
- <cve name="2014-3571"/>
+<security updated="20150319">
+ <issue public="20150319">
+ <impact severity="High"/>
+ <cve name="2015-0291"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
+
+ <description>
+ClientHello sigalgs DoS. If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
+invalid signature algorithms extension a NULL pointer dereference will occur.
+This can be exploited in a DoS attack against the server.
+ </description>
+ <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+ <reported source=" David Ramos (Stanford University)"/>
+ </issue>
+
+ <issue public="20150319">
+ <cve name="2015-0290"/>
+ <impact severity="Moderate"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
+
+ <description>
+Multiblock corrupted pointer.
+OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This feature
+only applies on 64 bit x86 architecture platforms that support AES NI
+instructions. A defect in the implementation of "multiblock" can cause OpenSSL's
+internal write buffer to become incorrectly set to NULL when using non-blocking
+IO. Typically, when the user application is using a socket BIO for writing, this
+will only result in a failed connection. However if some other BIO is used then
+it is likely that a segmentation fault will be triggered, thus enabling a
+potential DoS attack.
+ </description>
+ <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+ <reported source="Daniel Danner and Rainer Mueller"/>
+ </issue>
+
+ <issue public="20150319">
+ <cve name="2015-0207"/>
+ <impact severity="Moderate"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
+
+ <description>
+Segmentation fault in DTLSv1_listen.
+A defect in the implementation of DTLSv1_listen means that state is preserved in
+the SSL object from one invocation to the next that can lead to a segmentation
+fault. Errors processing the initial ClientHello can trigger this scenario. An
+example of such an error could be that a DTLS1.0 only client is attempting to
+connect to a DTLS1.2 only server.
+ </description>
+ <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+ <reported source="Per Allansson"/>
+ </issue>
+
+ <issue public="20150319">
+ <cve name="2015-0286"/>
+ <impact severity="Moderate"/>
+ <affects base="0.9.8" version="0.9.8zd"/>
+ <affects base="0.9.8" version="0.9.8ze"/>
+ <affects base="1.0.0" version="1.0.0"/>
+ <affects base="1.0.0" version="1.0.0a"/>
+ <affects base="1.0.0" version="1.0.0b"/>
+ <affects base="1.0.0" version="1.0.0c"/>
+ <affects base="1.0.0" version="1.0.0d"/>
+ <affects base="1.0.0" version="1.0.0e"/>
+ <affects base="1.0.0" version="1.0.0f"/>
+ <affects base="1.0.0" version="1.0.0g"/>
+ <affects base="1.0.0" version="1.0.0i"/>
+ <affects base="1.0.0" version="1.0.0j"/>
+ <affects base="1.0.0" version="1.0.0k"/>
+ <affects base="1.0.0" version="1.0.0l"/>
+ <affects base="1.0.0" version="1.0.0m"/>
+ <affects base="1.0.0" version="1.0.0n"/>
+ <affects base="1.0.0" version="1.0.0o"/>
+ <affects base="1.0.0" version="1.0.0p"/>
+ <affects base="1.0.0" version="1.0.0q"/>
+ <affects base="1.0.1" version="1.0.1"/>
+ <affects base="1.0.1" version="1.0.1a"/>
+ <affects base="1.0.1" version="1.0.1b"/>
+ <affects base="1.0.1" version="1.0.1c"/>
+ <affects base="1.0.1" version="1.0.1d"/>
+ <affects base="1.0.1" version="1.0.1e"/>
+ <affects base="1.0.1" version="1.0.1f"/>
+ <affects base="1.0.1" version="1.0.1g"/>
+ <affects base="1.0.1" version="1.0.1h"/>
+ <affects base="1.0.1" version="1.0.1i"/>
+ <affects base="1.0.1" version="1.0.1j"/>
+ <affects base="1.0.1" version="1.0.1k"/>
+ <affects base="1.0.1" version="1.0.1l"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
+ <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
+ <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
+ <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
+
+ <description>
+Segmentation fault in ASN1_TYPE_cmp.
+The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
+made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
+certificate signature algorithm consistency this can be used to crash any
+certificate verification operation and exploited in a DoS attack. Any
+application which performs certificate verification is vulnerable including
+OpenSSL clients and servers which enable client authentication.
+ </description>
+ <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+ <reported source="Stephen Henson (OpenSSL development team)"/>
+ </issue>
+
+ <issue public="20150319">
+ <cve name="2015-0208"/>
+ <impact severity="Moderate"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
+
+ <description>
+Segmentation fault for invalid PSS parameters.
+The signature verification routines will crash with a NULL pointer
+dereference if presented with an ASN.1 signature using the RSA PSS
+algorithm and invalid parameters. Since these routines are used to verify
+certificate signature algorithms this can be used to crash any
+certificate verification operation and exploited in a DoS attack. Any
+application which performs certificate verification is vulnerable including
+OpenSSL clients and servers which enable client authentication.
+ </description>
+ <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+ <reported source="Brian Carpenter"/>
+ </issue>
+
+ <issue public="20150319">
+ <cve name="2015-0287"/>
+ <impact severity="Moderate"/>
<affects base="0.9.8" version="0.9.8"/>
<affects base="0.9.8" version="0.9.8a"/>
<affects base="0.9.8" version="0.9.8b"/>
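Review bot: the 0.9.8 "affects" list in the 2015-0286 issue contains only 0.9.8zd and 0.9.8ze, while its 1.0.0 and 1.0.1 lists are complete and the advisory text in this commit says the issue affects all current versions including 0.9.8. Either add the earlier 0.9.8 releases or note in the description why only the last two are affected, so that tooling reading this file agrees with the advisory. Also, the reported source for 2015-0291 has a leading space (" David Ramos (Stanford University)"), and that first issue places the impact element before the cve element while the issues after it use the opposite order.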
@@ -37,6 +166,8 @@
<affects base="0.9.8" version="0.9.8za"/>
<affects base="0.9.8" version="0.9.8zb"/>
<affects base="0.9.8" version="0.9.8zc"/>
+ <affects base="0.9.8" version="0.9.8zd"/>
+ <affects base="0.9.8" version="0.9.8ze"/>
<affects base="1.0.0" version="1.0.0"/>
<affects base="1.0.0" version="1.0.0a"/>
<affects base="1.0.0" version="1.0.0b"/>
@@ -52,6 +183,8 @@
<affects base="1.0.0" version="1.0.0m"/>
<affects base="1.0.0" version="1.0.0n"/>
<affects base="1.0.0" version="1.0.0o"/>
+ <affects base="1.0.0" version="1.0.0p"/>
+ <affects base="1.0.0" version="1.0.0q"/>
<affects base="1.0.1" version="1.0.1"/>
<affects base="1.0.1" version="1.0.1a"/>
<affects base="1.0.1" version="1.0.1b"/>
@@ -63,17 +196,443 @@
<affects base="1.0.1" version="1.0.1h"/>
<affects base="1.0.1" version="1.0.1i"/>
<affects base="1.0.1" version="1.0.1j"/>
- <fixed base="1.0.1" version="1.0.1k" date="20150108"/>
- <fixed base="1.0.0" version="1.0.0p" date="20150108"/>
- <fixed base="0.9.8" version="0.9.8zd" date="20150108"/>
+ <affects base="1.0.1" version="1.0.1k"/>
+ <affects base="1.0.1" version="1.0.1l"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
+ <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
+ <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
+ <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
<description>
- A carefully crafted DTLS message can cause a segmentation fault in OpenSSL
- due to a NULL pointer dereference. This could lead to a Denial Of Service
- attack.
+ASN.1 structure reuse memory corruption.
+Reusing a structure in ASN.1 parsing may allow an attacker to cause
+memory corruption via an invalid write. Such reuse is and has been
+strongly discouraged and is believed to be rare.
</description>
- <advisory url="http://www.openssl.org/news/secadv_20150108.txt"/>
- <reported source="Markus Stenberg of Cisco Systems, Inc."/>
+ <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+ <reported source="Emilia Käsper (OpenSSL development team)"/>
+ </issue>
+
+ <issue public="20150319">
+ <cve name="2015-0289"/>
+ <impact severity="Moderate"/>
+ <affects base="0.9.8" version="0.9.8"/>
+ <affects base="0.9.8" version="0.9.8a"/>
+ <affects base="0.9.8" version="0.9.8b"/>
+ <affects base="0.9.8" version="0.9.8c"/>
+ <affects base="0.9.8" version="0.9.8d"/>
+ <affects base="0.9.8" version="0.9.8e"/>
+ <affects base="0.9.8" version="0.9.8f"/>
+ <affects base="0.9.8" version="0.9.8g"/>
+ <affects base="0.9.8" version="0.9.8h"/>
+ <affects base="0.9.8" version="0.9.8i"/>
+ <affects base="0.9.8" version="0.9.8j"/>
+ <affects base="0.9.8" version="0.9.8k"/>
+ <affects base="0.9.8" version="0.9.8l"/>
+ <affects base="0.9.8" version="0.9.8m"/>
+ <affects base="0.9.8" version="0.9.8n"/>
+ <affects base="0.9.8" version="0.9.8o"/>
+ <affects base="0.9.8" version="0.9.8p"/>
+ <affects base="0.9.8" version="0.9.8q"/>
+ <affects base="0.9.8" version="0.9.8r"/>
+ <affects base="0.9.8" version="0.9.8s"/>
+ <affects base="0.9.8" version="0.9.8t"/>
+ <affects base="0.9.8" version="0.9.8u"/>
+ <affects base="0.9.8" version="0.9.8v"/>
+ <affects base="0.9.8" version="0.9.8w"/>
+ <affects base="0.9.8" version="0.9.8x"/>
+ <affects base="0.9.8" version="0.9.8y"/>
+ <affects base="0.9.8" version="0.9.8za"/>
+ <affects base="0.9.8" version="0.9.8zb"/>
+ <affects base="0.9.8" version="0.9.8zc"/>
+ <affects base="0.9.8" version="0.9.8zd"/>
+ <affects base="0.9.8" version="0.9.8ze"/>
+ <affects base="1.0.0" version="1.0.0"/>
+ <affects base="1.0.0" version="1.0.0a"/>
+ <affects base="1.0.0" version="1.0.0b"/>
+ <affects base="1.0.0" version="1.0.0c"/>
+ <affects base="1.0.0" version="1.0.0d"/>
+ <affects base="1.0.0" version="1.0.0e"/>
+ <affects base="1.0.0" version="1.0.0f"/>
+ <affects base="1.0.0" version="1.0.0g"/>
+ <affects base="1.0.0" version="1.0.0i"/>
+ <affects base="1.0.0" version="1.0.0j"/>
+ <affects base="1.0.0" version="1.0.0k"/>
+ <affects base="1.0.0" version="1.0.0l"/>
+ <affects base="1.0.0" version="1.0.0m"/>
+ <affects base="1.0.0" version="1.0.0n"/>
+ <affects base="1.0.0" version="1.0.0o"/>
+ <affects base="1.0.0" version="1.0.0p"/>
+ <affects base="1.0.0" version="1.0.0q"/>
+ <affects base="1.0.1" version="1.0.1"/>
+ <affects base="1.0.1" version="1.0.1a"/>
+ <affects base="1.0.1" version="1.0.1b"/>
+ <affects base="1.0.1" version="1.0.1c"/>
+ <affects base="1.0.1" version="1.0.1d"/>
+ <affects base="1.0.1" version="1.0.1e"/>
+ <affects base="1.0.1" version="1.0.1f"/>
+ <affects base="1.0.1" version="1.0.1g"/>
+ <affects base="1.0.1" version="1.0.1h"/>
+ <affects base="1.0.1" version="1.0.1i"/>
+ <affects base="1.0.1" version="1.0.1j"/>
+ <affects base="1.0.1" version="1.0.1k"/>
+ <affects base="1.0.1" version="1.0.1l"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
+ <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
+ <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
+ <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
+
+ <description>
+PKCS#7 NULL pointer dereference.
+The PKCS#7 parsing code does not handle missing outer ContentInfo correctly.
+An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
+missing content and trigger a NULL pointer dereference on parsing.
+Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
+otherwise parse PKCS#7 structures from untrusted sources are
+affected. OpenSSL clients and servers are not affected.
+ </description>
+ <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+ <reported source="Michal Zalewski (Google)"/>
+ </issue>
+
+ <issue public="20150319">
+ <cve name="2015-0292"/>
+ <impact severity="Moderate"/>
+ <affects base="0.9.8" version="0.9.8"/>
+ <affects base="0.9.8" version="0.9.8a"/>
+ <affects base="0.9.8" version="0.9.8b"/>
+ <affects base="0.9.8" version="0.9.8c"/>
+ <affects base="0.9.8" version="0.9.8d"/>
+ <affects base="0.9.8" version="0.9.8e"/>
+ <affects base="0.9.8" version="0.9.8f"/>
+ <affects base="0.9.8" version="0.9.8g"/>
+ <affects base="0.9.8" version="0.9.8h"/>
+ <affects base="0.9.8" version="0.9.8i"/>
+ <affects base="0.9.8" version="0.9.8j"/>
+ <affects base="0.9.8" version="0.9.8k"/>
+ <affects base="0.9.8" version="0.9.8l"/>
+ <affects base="0.9.8" version="0.9.8m"/>
+ <affects base="0.9.8" version="0.9.8n"/>
+ <affects base="0.9.8" version="0.9.8o"/>
+ <affects base="0.9.8" version="0.9.8p"/>
+ <affects base="0.9.8" version="0.9.8q"/>
+ <affects base="0.9.8" version="0.9.8r"/>
+ <affects base="0.9.8" version="0.9.8s"/>
+ <affects base="0.9.8" version="0.9.8t"/>
+ <affects base="0.9.8" version="0.9.8u"/>
+ <affects base="0.9.8" version="0.9.8v"/>
+ <affects base="0.9.8" version="0.9.8w"/>
+ <affects base="0.9.8" version="0.9.8x"/>
+ <affects base="0.9.8" version="0.9.8y"/>
+ <affects base="1.0.0" version="1.0.0"/>
+ <affects base="1.0.0" version="1.0.0a"/>
+ <affects base="1.0.0" version="1.0.0b"/>
+ <affects base="1.0.0" version="1.0.0c"/>
+ <affects base="1.0.0" version="1.0.0d"/>
+ <affects base="1.0.0" version="1.0.0e"/>
+ <affects base="1.0.0" version="1.0.0f"/>
+ <affects base="1.0.0" version="1.0.0g"/>
+ <affects base="1.0.0" version="1.0.0i"/>
+ <affects base="1.0.0" version="1.0.0j"/>
+ <affects base="1.0.0" version="1.0.0k"/>
+ <affects base="1.0.0" version="1.0.0l"/>
+ <affects base="1.0.1" version="1.0.1"/>
+ <affects base="1.0.1" version="1.0.1a"/>
+ <affects base="1.0.1" version="1.0.1b"/>
+ <affects base="1.0.1" version="1.0.1c"/>
+ <affects base="1.0.1" version="1.0.1d"/>
+ <affects base="1.0.1" version="1.0.1e"/>
+ <affects base="1.0.1" version="1.0.1f"/>
+ <affects base="1.0.1" version="1.0.1g"/>
+ <fixed base="1.0.1" version="1.0.1h" date="20140605"/>
+ <fixed base="1.0.0" version="1.0.0m" date="20140605"/>
+ <fixed base="0.9.8" version="0.9.8za" date="20140605"/>
+
+ <description>
+A vulnerability existed in previous versions of OpenSSL related to the
+processing of base64 encoded data. Any code path that reads base64 data from an
+untrusted source could be affected (such as the PEM processing routines).
+Maliciously crafted base 64 data could trigger a segmenation fault or memory
+corruption.
+ </description>
+ <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+ <reported source="Robert Dugal, also David Ramos"/>
+ </issue>
+
+ <issue public="20150319">
+ <cve name="2015-0293"/>
+ <impact severity="Moderate"/>
+ <affects base="0.9.8" version="0.9.8"/>
+ <affects base="0.9.8" version="0.9.8a"/>
+ <affects base="0.9.8" version="0.9.8b"/>
+ <affects base="0.9.8" version="0.9.8c"/>
+ <affects base="0.9.8" version="0.9.8d"/>
+ <affects base="0.9.8" version="0.9.8e"/>
+ <affects base="0.9.8" version="0.9.8f"/>
+ <affects base="0.9.8" version="0.9.8g"/>
+ <affects base="0.9.8" version="0.9.8h"/>
+ <affects base="0.9.8" version="0.9.8i"/>
+ <affects base="0.9.8" version="0.9.8j"/>
+ <affects base="0.9.8" version="0.9.8k"/>
+ <affects base="0.9.8" version="0.9.8l"/>
+ <affects base="0.9.8" version="0.9.8m"/>
+ <affects base="0.9.8" version="0.9.8n"/>
+ <affects base="0.9.8" version="0.9.8o"/>
+ <affects base="0.9.8" version="0.9.8p"/>
+ <affects base="0.9.8" version="0.9.8q"/>
+ <affects base="0.9.8" version="0.9.8r"/>
+ <affects base="0.9.8" version="0.9.8s"/>
+ <affects base="0.9.8" version="0.9.8t"/>
+ <affects base="0.9.8" version="0.9.8u"/>
+ <affects base="0.9.8" version="0.9.8v"/>
+ <affects base="0.9.8" version="0.9.8w"/>
+ <affects base="0.9.8" version="0.9.8x"/>
+ <affects base="0.9.8" version="0.9.8y"/>
+ <affects base="0.9.8" version="0.9.8za"/>
+ <affects base="0.9.8" version="0.9.8zb"/>
+ <affects base="0.9.8" version="0.9.8zc"/>
+ <affects base="0.9.8" version="0.9.8zd"/>
+ <affects base="0.9.8" version="0.9.8ze"/>
+ <affects base="1.0.0" version="1.0.0"/>
+ <affects base="1.0.0" version="1.0.0a"/>
+ <affects base="1.0.0" version="1.0.0b"/>
+ <affects base="1.0.0" version="1.0.0c"/>
+ <affects base="1.0.0" version="1.0.0d"/>
+ <affects base="1.0.0" version="1.0.0e"/>
+ <affects base="1.0.0" version="1.0.0f"/>
+ <affects base="1.0.0" version="1.0.0g"/>
+ <affects base="1.0.0" version="1.0.0i"/>
+ <affects base="1.0.0" version="1.0.0j"/>
+ <affects base="1.0.0" version="1.0.0k"/>
+ <affects base="1.0.0" version="1.0.0l"/>
+ <affects base="1.0.0" version="1.0.0m"/>
+ <affects base="1.0.0" version="1.0.0n"/>
+ <affects base="1.0.0" version="1.0.0o"/>
+ <affects base="1.0.0" version="1.0.0p"/>
+ <affects base="1.0.0" version="1.0.0q"/>
+ <affects base="1.0.1" version="1.0.1"/>
+ <affects base="1.0.1" version="1.0.1a"/>
+ <affects base="1.0.1" version="1.0.1b"/>
+ <affects base="1.0.1" version="1.0.1c"/>
+ <affects base="1.0.1" version="1.0.1d"/>
+ <affects base="1.0.1" version="1.0.1e"/>
+ <affects base="1.0.1" version="1.0.1f"/>
+ <affects base="1.0.1" version="1.0.1g"/>
+ <affects base="1.0.1" version="1.0.1h"/>
+ <affects base="1.0.1" version="1.0.1i"/>
+ <affects base="1.0.1" version="1.0.1j"/>
+ <affects base="1.0.1" version="1.0.1k"/>
+ <affects base="1.0.1" version="1.0.1l"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
+ <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
+ <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
+ <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
+
+ <description>
+DoS via reachable assert in SSLv2 servers.
+A malicious client can trigger an OPENSSL_assert in
+servers that both support SSLv2 and enable export cipher suites by sending
+a specially crafted SSLv2 CLIENT-MASTER-KEY message.
+ </description>
+ <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+ <reported source="Sean Burford (Google) and Emilia Käsper (OpenSSL development team)"/>
+ </issue>
+
+ <issue public="20150319">
+ <impact severity="Moderate"/>
+ <cve name="2015-1787"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
+
+ <description>
+Empty CKE with client auth and DHE.
+If client auth is used then a server can seg fault in the event of a DHE
+ciphersuite being selected and a zero length ClientKeyExchange message being
+sent by the client. This could be exploited in a DoS attack.
+ </description>
+ <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+ <reported source="Matt Caswell (OpenSSL development team)"/>
+ </issue>
+
+ <issue public="20150310">
+ <impact severity="Low"/>
+ <cve name="2015-0285"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
+
+ <description>
+Under certain conditions an OpenSSL 1.0.2 client can complete a handshake with
+an unseeded PRNG. If the handshake succeeds then the client random that has been used will have
+been generated from a PRNG with insufficient entropy and therefore the output
+may be predictable.
+ </description>
+ <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+ <reported source="Matt Caswell (OpenSSL development team)"/>
+ </issue>
+
+ <issue public="20150319">
+ <impact severity="Low"/>
+ <cve name="2015-0209"/>
+ <affects base="0.9.8" version="0.9.8"/>
+ <affects base="0.9.8" version="0.9.8a"/>
+ <affects base="0.9.8" version="0.9.8b"/>
+ <affects base="0.9.8" version="0.9.8c"/>
+ <affects base="0.9.8" version="0.9.8d"/>
+ <affects base="0.9.8" version="0.9.8e"/>
+ <affects base="0.9.8" version="0.9.8f"/>
+ <affects base="0.9.8" version="0.9.8g"/>
+ <affects base="0.9.8" version="0.9.8h"/>
+ <affects base="0.9.8" version="0.9.8i"/>
+ <affects base="0.9.8" version="0.9.8j"/>
+ <affects base="0.9.8" version="0.9.8k"/>
+ <affects base="0.9.8" version="0.9.8l"/>
+ <affects base="0.9.8" version="0.9.8m"/>
+ <affects base="0.9.8" version="0.9.8n"/>
+ <affects base="0.9.8" version="0.9.8o"/>
+ <affects base="0.9.8" version="0.9.8p"/>
+ <affects base="0.9.8" version="0.9.8q"/>
+ <affects base="0.9.8" version="0.9.8r"/>
+ <affects base="0.9.8" version="0.9.8s"/>
+ <affects base="0.9.8" version="0.9.8t"/>
+ <affects base="0.9.8" version="0.9.8u"/>
+ <affects base="0.9.8" version="0.9.8v"/>
+ <affects base="0.9.8" version="0.9.8w"/>
+ <affects base="0.9.8" version="0.9.8x"/>
+ <affects base="0.9.8" version="0.9.8y"/>
+ <affects base="0.9.8" version="0.9.8za"/>
+ <affects base="0.9.8" version="0.9.8zb"/>
+ <affects base="0.9.8" version="0.9.8zc"/>
+ <affects base="0.9.8" version="0.9.8zd"/>
+ <affects base="0.9.8" version="0.9.8ze"/>
+ <affects base="1.0.0" version="1.0.0"/>
+ <affects base="1.0.0" version="1.0.0a"/>
+ <affects base="1.0.0" version="1.0.0b"/>
+ <affects base="1.0.0" version="1.0.0c"/>
+ <affects base="1.0.0" version="1.0.0d"/>
+ <affects base="1.0.0" version="1.0.0e"/>
+ <affects base="1.0.0" version="1.0.0f"/>
+ <affects base="1.0.0" version="1.0.0g"/>
+ <affects base="1.0.0" version="1.0.0i"/>
+ <affects base="1.0.0" version="1.0.0j"/>
+ <affects base="1.0.0" version="1.0.0k"/>
+ <affects base="1.0.0" version="1.0.0l"/>
+ <affects base="1.0.0" version="1.0.0m"/>
+ <affects base="1.0.0" version="1.0.0n"/>
+ <affects base="1.0.0" version="1.0.0o"/>
+ <affects base="1.0.0" version="1.0.0p"/>
+ <affects base="1.0.0" version="1.0.0q"/>
+ <affects base="1.0.1" version="1.0.1"/>
+ <affects base="1.0.1" version="1.0.1a"/>
+ <affects base="1.0.1" version="1.0.1b"/>
+ <affects base="1.0.1" version="1.0.1c"/>
+ <affects base="1.0.1" version="1.0.1d"/>
+ <affects base="1.0.1" version="1.0.1e"/>
+ <affects base="1.0.1" version="1.0.1f"/>
+ <affects base="1.0.1" version="1.0.1g"/>
+ <affects base="1.0.1" version="1.0.1h"/>
+ <affects base="1.0.1" version="1.0.1i"/>
+ <affects base="1.0.1" version="1.0.1j"/>
+ <affects base="1.0.1" version="1.0.1k"/>
+ <affects base="1.0.1" version="1.0.1l"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
+ <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
+ <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
+ <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
+
+ <description>
+Use After Free following d2i_ECPrivatekey error.
+A malformed EC private key file consumed via the d2i_ECPrivateKey function could
+cause a use after free condition. This, in turn, could cause a double
+free in several private key parsing functions (such as d2i_PrivateKey
+or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
+for applications that receive EC private keys from untrusted
+sources. This scenario is considered rare.
+ </description>
+ <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+ <reported source="The BoringSSL project"/>
+ </issue>
+
+ <issue public="20150302">
+ <cve name="2015-0288"/>
+ <impact severity="Low"/>
+ <affects base="0.9.8" version="0.9.8"/>
+ <affects base="0.9.8" version="0.9.8a"/>
+ <affects base="0.9.8" version="0.9.8b"/>
+ <affects base="0.9.8" version="0.9.8c"/>
+ <affects base="0.9.8" version="0.9.8d"/>
+ <affects base="0.9.8" version="0.9.8e"/>
+ <affects base="0.9.8" version="0.9.8f"/>
+ <affects base="0.9.8" version="0.9.8g"/>
+ <affects base="0.9.8" version="0.9.8h"/>
+ <affects base="0.9.8" version="0.9.8i"/>
+ <affects base="0.9.8" version="0.9.8j"/>
+ <affects base="0.9.8" version="0.9.8k"/>
+ <affects base="0.9.8" version="0.9.8l"/>
+ <affects base="0.9.8" version="0.9.8m"/>
+ <affects base="0.9.8" version="0.9.8n"/>
+ <affects base="0.9.8" version="0.9.8o"/>
+ <affects base="0.9.8" version="0.9.8p"/>
+ <affects base="0.9.8" version="0.9.8q"/>
+ <affects base="0.9.8" version="0.9.8r"/>
+ <affects base="0.9.8" version="0.9.8s"/>
+ <affects base="0.9.8" version="0.9.8t"/>
+ <affects base="0.9.8" version="0.9.8u"/>
+ <affects base="0.9.8" version="0.9.8v"/>
+ <affects base="0.9.8" version="0.9.8w"/>
+ <affects base="0.9.8" version="0.9.8x"/>
+ <affects base="0.9.8" version="0.9.8y"/>
+ <affects base="0.9.8" version="0.9.8za"/>
+ <affects base="0.9.8" version="0.9.8zb"/>
+ <affects base="0.9.8" version="0.9.8zc"/>
+ <affects base="0.9.8" version="0.9.8zd"/>
+ <affects base="0.9.8" version="0.9.8ze"/>
+ <affects base="1.0.0" version="1.0.0"/>
+ <affects base="1.0.0" version="1.0.0a"/>
+ <affects base="1.0.0" version="1.0.0b"/>
+ <affects base="1.0.0" version="1.0.0c"/>
+ <affects base="1.0.0" version="1.0.0d"/>
+ <affects base="1.0.0" version="1.0.0e"/>
+ <affects base="1.0.0" version="1.0.0f"/>
+ <affects base="1.0.0" version="1.0.0g"/>
+ <affects base="1.0.0" version="1.0.0i"/>
+ <affects base="1.0.0" version="1.0.0j"/>
+ <affects base="1.0.0" version="1.0.0k"/>
+ <affects base="1.0.0" version="1.0.0l"/>
+ <affects base="1.0.0" version="1.0.0m"/>
+ <affects base="1.0.0" version="1.0.0n"/>
+ <affects base="1.0.0" version="1.0.0o"/>
+ <affects base="1.0.0" version="1.0.0p"/>
+ <affects base="1.0.0" version="1.0.0q"/>
+ <affects base="1.0.1" version="1.0.1"/>
+ <affects base="1.0.1" version="1.0.1a"/>
+ <affects base="1.0.1" version="1.0.1b"/>
+ <affects base="1.0.1" version="1.0.1c"/>
+ <affects base="1.0.1" version="1.0.1d"/>
+ <affects base="1.0.1" version="1.0.1e"/>
+ <affects base="1.0.1" version="1.0.1f"/>
+ <affects base="1.0.1" version="1.0.1g"/>
+ <affects base="1.0.1" version="1.0.1h"/>
+ <affects base="1.0.1" version="1.0.1i"/>
+ <affects base="1.0.1" version="1.0.1j"/>
+ <affects base="1.0.1" version="1.0.1k"/>
+ <affects base="1.0.1" version="1.0.1l"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <fixed base="1.0.2" version="1.0.2a" date="20150319"/>
+ <fixed base="1.0.1" version="1.0.1m" date="20150319"/>
+ <fixed base="1.0.0" version="1.0.0r" date="20150319"/>
+ <fixed base="0.9.8" version="0.9.8zf" date="20150319"/>
+
+ <description>
+X509_to_X509_REQ NULL pointer deref.
+The function X509_to_X509_REQ will crash with a NULL pointer dereference if
+the certificate key is invalid. This function is rarely used in practice.
+ </description>
+ <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+ <reported source="Brian Carpenter"/>
</issue>
<issue public="20150108">
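Review bot: In the CVE-2015-0209 description the title line spells the function "d2i_ECPrivatekey" while the sentence after it uses "d2i_ECPrivateKey"; make the title match so that a search for the function name finds this entry. Separately, every 1.0.0 affects list in this hunk goes from 1.0.0g straight to 1.0.0i. If 1.0.0h is a released version it needs its own affects line in each list, otherwise anything that reads this file to decide exposure will treat it as unaffected. Two smaller consistency points: the CVE-2015-0288 issue places the cve element before impact, while the other issues added here put impact first, and the CVE-2015-0285 description has no short title sentence like the other descriptions do.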
@@ -120,8 +679,60 @@
<issue public="20141021">
<cve name="2014-3569"/>
+ <affects base="0.9.8" version="0.9.8"/>
+ <affects base="0.9.8" version="0.9.8a"/>
+ <affects base="0.9.8" version="0.9.8b"/>
+ <affects base="0.9.8" version="0.9.8c"/>
+ <affects base="0.9.8" version="0.9.8d"/>
+ <affects base="0.9.8" version="0.9.8e"/>
+ <affects base="0.9.8" version="0.9.8f"/>
+ <affects base="0.9.8" version="0.9.8g"/>
+ <affects base="0.9.8" version="0.9.8h"/>
+ <affects base="0.9.8" version="0.9.8i"/>
+ <affects base="0.9.8" version="0.9.8j"/>
+ <affects base="0.9.8" version="0.9.8k"/>
+ <affects base="0.9.8" version="0.9.8l"/>
+ <affects base="0.9.8" version="0.9.8m"/>
+ <affects base="0.9.8" version="0.9.8n"/>
+ <affects base="0.9.8" version="0.9.8o"/>
+ <affects base="0.9.8" version="0.9.8p"/>
+ <affects base="0.9.8" version="0.9.8q"/>
+ <affects base="0.9.8" version="0.9.8r"/>
+ <affects base="0.9.8" version="0.9.8s"/>
+ <affects base="0.9.8" version="0.9.8t"/>
+ <affects base="0.9.8" version="0.9.8u"/>
+ <affects base="0.9.8" version="0.9.8v"/>
+ <affects base="0.9.8" version="0.9.8w"/>
+ <affects base="0.9.8" version="0.9.8x"/>
+ <affects base="0.9.8" version="0.9.8y"/>
+ <affects base="0.9.8" version="0.9.8za"/>
+ <affects base="0.9.8" version="0.9.8zb"/>
<affects base="0.9.8" version="0.9.8zc"/>
+ <affects base="1.0.0" version="1.0.0"/>
+ <affects base="1.0.0" version="1.0.0a"/>
+ <affects base="1.0.0" version="1.0.0b"/>
+ <affects base="1.0.0" version="1.0.0c"/>
+ <affects base="1.0.0" version="1.0.0d"/>
+ <affects base="1.0.0" version="1.0.0e"/>
+ <affects base="1.0.0" version="1.0.0f"/>
+ <affects base="1.0.0" version="1.0.0g"/>
+ <affects base="1.0.0" version="1.0.0i"/>
+ <affects base="1.0.0" version="1.0.0j"/>
+ <affects base="1.0.0" version="1.0.0k"/>
+ <affects base="1.0.0" version="1.0.0l"/>
+ <affects base="1.0.0" version="1.0.0m"/>
+ <affects base="1.0.0" version="1.0.0n"/>
<affects base="1.0.0" version="1.0.0o"/>
+ <affects base="1.0.1" version="1.0.1"/>
+ <affects base="1.0.1" version="1.0.1a"/>
+ <affects base="1.0.1" version="1.0.1b"/>
+ <affects base="1.0.1" version="1.0.1c"/>
+ <affects base="1.0.1" version="1.0.1d"/>
+ <affects base="1.0.1" version="1.0.1e"/>
+ <affects base="1.0.1" version="1.0.1f"/>
+ <affects base="1.0.1" version="1.0.1g"/>
+ <affects base="1.0.1" version="1.0.1h"/>
+ <affects base="1.0.1" version="1.0.1i"/>
<affects base="1.0.1" version="1.0.1j"/>
<fixed base="1.0.1" version="1.0.1k" date="20150108"/>
<fixed base="1.0.0" version="1.0.0p" date="20150108"/>
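Review bot: The unchanged lines show that the CVE-2014-3569 record previously listed only 0.9.8zc, 1.0.0o and 1.0.1j as affected, and this hunk widens it to every earlier release on all three branches without any explanation in the commit message ("Updates for new release"). Please confirm the issue really applies to those earlier releases and note the reason in the commit message, or drop the added lines, since the widening changes what downstream consumers of this file report as vulnerable. As in the earlier hunk, the added 1.0.0 list also goes from 1.0.0g to 1.0.0i with no 1.0.0h entry.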