OpenBSD LibreSSL Crypto Library
By the Year
In 2023 there have been 0 vulnerabilities in OpenBSD LibreSSL . LibreSSL did not have any published security vulnerabilities last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2023 | 0 | 0.00 |
2022 | 0 | 0.00 |
2021 | 1 | 5.50 |
2020 | 0 | 0.00 |
2019 | 0 | 0.00 |
2018 | 2 | 6.05 |
It may take a day or so for new LibreSSL vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent OpenBSD LibreSSL Security Vulnerabilities
x509_constraints_parse_mailbox in lib/libcrypto/x509/x509_constraints.c in LibreSSL through 3.4.0 has a stack-based buffer over-read
CVE-2021-41581
5.5 - Medium
- September 24, 2021
x509_constraints_parse_mailbox in lib/libcrypto/x509/x509_constraints.c in LibreSSL through 3.4.0 has a stack-based buffer over-read. When the input exceeds DOMAIN_PART_MAX_LEN, the buffer lacks '\0' termination.
Out-of-bounds Read
LibreSSL before 2.6.5 and 2.7.x before 2.7.4
CVE-2018-12434
4.7 - Medium
- June 15, 2018
LibreSSL before 2.6.5 and 2.7.x before 2.7.4 allows a memory-cache side-channel attack on DSA and ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover a key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.
Information Disclosure
The int_x509_param_set_hosts function in lib/libcrypto/x509/x509_vpm.c in LibreSSL 2.7.0 before 2.7.1 does not support a certain special case of a zero name length, which causes silent omission of hostname verification, and consequently
CVE-2018-8970
7.4 - High
- March 24, 2018
The int_x509_param_set_hosts function in lib/libcrypto/x509/x509_vpm.c in LibreSSL 2.7.0 before 2.7.1 does not support a certain special case of a zero name length, which causes silent omission of hostname verification, and consequently allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. NOTE: the LibreSSL documentation indicates that this special case is supported, but the BoringSSL documentation does not.
Improper Certificate Validation
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for OpenBSD LibreSSL or by OpenBSD? Click the Watch button to subscribe.
