Search for packages
| purl | pkg:deb/debian/openssl@0?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1ggt-ugh5-jqeu | NULL Pointer Dereference: An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. The result of the dereference is an application crash which could lead to a denial of service attack. The TLS implementation in OpenSSL does not call this function however third party applications might call these functions on untrusted data. | CVE-2023-0216, GHSA-29xx-hcv2-c4cp |
| VCID-1r3e-8nb4-nyaa | Multiple vulnerabilities have been found in OpenSSL that can result in either Denial of Service or information disclosure. | CVE-2015-0290 |
| VCID-2by2-tzdd-kkc7 | Out-of-bounds Write: Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. Impact summary: If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs restores the contents of vector registers in a different order than they are saved. Thus the contents of some of these vector registers are corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3. If this cipher is enabled on the server a malicious client can influence whether this AEAD cipher is used. This implies that TLS server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue. | CVE-2023-6129 |
| VCID-38zm-z6ta-9bcm | Multiple vulnerabilities have been found in OpenSSL, the worst of which allows attackers to conduct a time based side-channel attack. | CVE-2016-2176 |
| VCID-3dej-wqvv-muhe | Multiple vulnerabilities have been found in OpenSSL, the worst of which could result in denial of service. | CVE-2022-3358, GHSA-4f63-89w9-3jjv |
| VCID-3u2b-yumu-rkcd | openssl: OpenSSL: Denial of Service via NULL pointer dereference in QUIC protocol handling | CVE-2025-15468 |
| VCID-45qa-rf1u-kbd8 | openssl: incorrect error checking during CMS verification | CVE-2009-0591 |
| VCID-491w-a5n6-7ufp | openssl: Insecure path defaults vulnerability in mingw builds | CVE-2019-1552 |
| VCID-5791-w983-4bhn | openssl: Out-of-bounds read in HTTP client no_proxy handling | CVE-2025-9232 |
| VCID-638m-dfwf-7bdv | openssl: Possible denial of service in X.509 name checks | CVE-2024-6119 |
| VCID-6pd1-d9gx-kfc1 | Loop with Unreachable Exit Condition ('Infinite Loop'): Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. | CVE-2021-4044, GHSA-mmjf-f5jw-w72q |
| VCID-6zka-x9q6-4fcy | openssl: excessive allocation of memory in dtls1_preprocess_fragment() | CVE-2016-6308 |
| VCID-71yj-bmak-pkdu | Multiple vulnerabilities have been discovered in OpenSSL, the worst of which could result in remote code execution. | CVE-2022-3602, GHSA-8rwr-x37p-mx23 |
| VCID-74wu-sup9-cybb | | CVE-2026-28386 |
| VCID-7f9q-mhsr-8bfq | openssl: OpenSSL TLS 1.3 server may choose unexpected key agreement group | CVE-2026-2673 |
| VCID-8s28-acfa-kkhj | NULL Pointer Dereference: An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVP_PKEY_public_check() function. This will most likely lead to an application crash. This function can be called on public keys supplied from untrusted sources which could allow an attacker to cause a denial of service attack. The TLS implementation in OpenSSL does not call this function but applications might call the function if there are additional security requirements imposed by standards such as FIPS 140-3. | CVE-2023-0217, GHSA-vxrh-cpg7-8vjr |
| VCID-93qs-cwuv-13dc | OpenSSL in Apple Mac OS X 10.6.x before 10.6.5 does not properly perform arithmetic, which allows remote attackers to bypass X.509 certificate authentication via an arbitrary certificate issued by a legitimate Certification Authority. | CVE-2010-1378 |
| VCID-99xj-17z4-1qhe | openssl-src heap memory corruption with RSA private key operation: The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue. | CVE-2022-2274, GHSA-735f-pg76-fxc4 |
| VCID-9b9g-yngp-7kd7 | openssl: OpenSSL: Data integrity bypass in `openssl dgst` command due to silent truncation | CVE-2025-15469 |
| VCID-9nmg-h851-gfcq | openssl: Timing side-channel in SM2 algorithm on 64 bit ARM | CVE-2025-9231 |
| VCID-9umk-zzdr-1bbb | A certain Apple patch for OpenSSL in Apple OS X 10.9.2 and earlier uses a Trust Evaluation Agent (TEA) feature without terminating certain TLS/SSL handshakes as specified in the SSL_CTX_set_verify callback function's documentation, which allows remote attackers to bypass extra verification within a custom application via a crafted certificate chain that is acceptable to TEA but not acceptable to that application. | CVE-2014-2234 |
| VCID-b3u8-1a2y-judf | Improper Authentication: Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence. Impact summary: Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be misled by removing, adding or reordering such empty entries as these are ignored by the OpenSSL implementation. We are currently unaware of any such applications. The AES-SIV algorithm allows for authentication of multiple associated data entries along with the encryption. To authenticate empty data the application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with NULL pointer as the output buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL just returns success for such a call instead of performing the associated data authentication operation. The empty data thus will not be authenticated. As this issue does not affect non-empty associated data authentication and we expect it to be rare for an application to use empty associated data entries this is qualified as Low severity issue. | CVE-2023-2975 |
| VCID-c2uj-69s7-jkbn | openssl: incomplete fix of CVE-2012-2110 for 0.9.x | CVE-2012-2131 |
| VCID-cef8-2p5t-bff7 | | CVE-2026-31790 |
| VCID-cjvp-qu4p-gyb3 | Multiple vulnerabilities were found in OpenSSL, allowing for the execution of arbitrary code and other attacks. | CVE-2010-4252 |
| VCID-d4rs-rag3-cfcy | openssl: OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing | CVE-2025-15467 |
| VCID-g8at-dasq-h3fb | openssl: OpenSSL: Denial of Service due to excessive memory allocation in TLS 1.3 certificate compression | CVE-2025-66199 |
| VCID-gqj1-zam7-c3bv | Vulnerable OpenSSL included in cryptography wheels: pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 42.0.0-44.0.0 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20250211.txt. If you are building cryptography from source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions. | CVE-2024-12797, GHSA-79v4-65xg-pq4g |
| VCID-gxy4-4rja-ufd2 | certificate verification bypass | CVE-2025-4575 |
| VCID-h6n1-tsqt-17bw | Generation of Weak Initialization Vector (IV): Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the "keylen" parameter, or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB. For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse. Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently assessed as security critical. Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore it is likely that application developers will have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. For these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary. OpenSSL 3.1 and 3.0 are vulnerable to this issue. | CVE-2023-5363 |
| VCID-j51b-cm37-6fdj | openssl: OpenSSL: Arbitrary code execution or denial of service through crafted PKCS#12 file | CVE-2025-11187 |
| VCID-jv1d-sb5f-xfga | Multiple vulnerabilities have been found in OpenSSL that can result in either Denial of Service or information disclosure. | CVE-2015-0208 |
| VCID-jw9j-13y5-fkdw | Multiple vulnerabilities have been found in OpenSSL, the worst of which allows attackers to conduct a time based side-channel attack. | CVE-2016-6305 |
| VCID-ncw4-3azc-1fb5 | Denial of service by double-checked locking in openssl-src: If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the `-policy` argument to the command line utilities or by calling either the `X509_VERIFY_PARAM_add0_policy()` or `X509_VERIFY_PARAM_set1_policies()` functions. | CVE-2022-3996, GHSA-vr8j-hgmm-jh9r |
| VCID-pe34-qqqg-3qe1 | Multiple vulnerabilities were found in OpenSSL, allowing for the execution of arbitrary code and other attacks. | CVE-2010-0433 |
| VCID-q7te-hzsm-fkck | openssl: Use After Free for large message sizes | CVE-2016-6309 |
| VCID-r2qs-dmuf-zkev | openssl: Excessive time spent checking DSA keys and parameters | CVE-2024-4603 |
| VCID-r69y-4x9c-euhv | Multiple vulnerabilities have been found in OpenSSL that can result in either Denial of Service or information disclosure. | CVE-2015-0207 |
| VCID-r791-tdk3-4bet | OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key. | CVE-2009-0789 |
| VCID-rmcw-df8y-wqgn | Multiple vulnerabilities have been found in OpenSSL that can result in either Denial of Service or information disclosure. | CVE-2015-0291 |
| VCID-rxkb-79tg-zuaz | Multiple vulnerabilities were found in OpenSSL, allowing for the execution of arbitrary code and other attacks. | CVE-2010-1633 |
| VCID-t4t8-753w-zqc5 | POLY1305 MAC implementation corrupts XMM registers on Windows: Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions. Impact summary: If in an application that uses the OpenSSL library an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL does not save the contents of non-volatile XMM registers on Windows 64 platform when calculating the MAC of data larger than 64 bytes. Before returning to the caller all the XMM registers are set to zero rather than restoring their previous content. The vulnerable code is used only on newer x86_64 processors supporting the AVX512-IFMA instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However given the contents of the registers are just zeroized so the attacker cannot put arbitrary values inside, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3 and a malicious client can influence whether this AEAD cipher is used by the server. This implies that server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue. As a workaround the AVX512-IFMA instructions support can be disabled at runtime by setting the environment variable OPENSSL_ia32cap: `OPENSSL_ia32cap=:~0x200000`. The FIPS provider is not affected by this issue. | CVE-2023-4807 |
| VCID-t9w1-a3z2-qqar | Out-of-bounds Read: Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash. Impact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM platform can crash in rare circumstances. The AES-XTS algorithm is usually used for disk encryption. The AES-XTS cipher decryption implementation for 64 bit ARM platform will read past the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16 byte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext buffer is unmapped, this will trigger a crash which results in a denial of service. If an attacker can control the size and location of the ciphertext buffer being decrypted by an application using AES-XTS on 64 bit ARM, the application is affected. This is fairly unlikely making this issue a Low severity one. | CVE-2023-1255 |
| VCID-tk2r-atbr-73ge | Out-of-bounds Read: A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. The read buffer overrun might result in a crash which could lead to a denial of service attack. In theory it could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext) although we are not aware of any working exploit leading to memory contents disclosure as of the time of release of this advisory. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. | CVE-2022-4203, GHSA-w67w-mw4j-8qrv |
| VCID-ttju-tw1d-f3ay | Improper Certificate Validation: The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of `OCSP_basic_verify` will not use the OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0. This issue also impacts the command line OpenSSL "ocsp" application. When verifying an ocsp response with the "-no_cert_checks" option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result. Fixed in OpenSSL 3.0.3 (Affected 3.0.0, 3.0.1, 3.0.2). | CVE-2022-1343, GHSA-mfm6-r9g2-q4r7 |
| VCID-tw8y-th2e-x7ex | openssl: Excessive time spent checking invalid RSA public keys | CVE-2023-6237 |
| VCID-v45q-mw2w-67g5 | Multiple vulnerabilities have been found in OpenSSL that can result in either Denial of Service or information disclosure. | CVE-2015-0285 |
| VCID-wp1w-7td9-87gs | openssl: excessive allocation of memory in tls_get_message_header() | CVE-2016-6307 |
| VCID-wxvb-73gj-p3eu | Use of a Broken or Risky Cryptographic Algorithm: The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check. Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 endpoint will always be rejected by the recipient and the connection will fail at that point. Many application protocols require data to be sent from the client to the server first. Therefore, in such a case, only an OpenSSL 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client. If both endpoints are OpenSSL 3.0 then the attacker could modify data being sent in both directions. In this case both clients and servers could be affected, regardless of the application protocol. Note that in the absence of an attacker this bug means that an OpenSSL 3.0 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete the handshake when using this ciphersuite. The confidentiality of data is not impacted by this issue, i.e. an attacker cannot decrypt data that has been encrypted using this ciphersuite - they can only modify it. In order for this attack to work both endpoints must legitimately negotiate the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in OpenSSL 3.0, and is not available within the default provider or the default ciphersuite list. This ciphersuite will never be used if TLSv1.3 has been negotiated. In order for an OpenSSL 3.0 endpoint to use this ciphersuite the following must have occurred: (1) OpenSSL must have been compiled with the (non-default) compile time option enable-weak-ssl-ciphers; (2) OpenSSL must have had the legacy provider explicitly loaded (either through application code or via configuration); (3) the ciphersuite must have been explicitly added to the ciphersuite list; (4) the libssl security level must have been set to 0 (default is 1); (5) a version of SSL/TLS below TLSv1.3 must have been negotiated; (6) both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any others that both endpoints have in common. Fixed in OpenSSL 3.0.3 (Affected 3.0.0, 3.0.1, 3.0.2). | CVE-2022-1434, GHSA-638m-m8mh-7gw2 |
| VCID-xq7s-zrwb-yffw | Multiple vulnerabilities have been discovered in OpenSSL, the worst of which could result in remote code execution. | CVE-2022-3786, GHSA-h8jm-2x53-xhp5 |
| VCID-xqt3-3um9-8faq | NULL Pointer Dereference: A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available the digest initialization will fail. There is a missing check for the return value from the initialization function which later leads to invalid usage of the digest API most likely leading to a crash. The unavailability of an algorithm can be caused by using FIPS enabled configuration of providers or more commonly by not loading the legacy provider. PKCS7 data is processed by the SMIME library calls and also by the time stamp (TS) library calls. The TLS implementation in OpenSSL does not call these functions however third party applications would be affected if they call these functions to verify signatures on untrusted data. | CVE-2023-0401, GHSA-vrh7-x64v-7vxq |
| VCID-y71f-vhew-p3d2 | openssl: Crash in ssleay_rand_bytes due to locking regression | CVE-2015-3216 |
| VCID-yb9y-4y13-efg6 | | CVE-2015-5738 |
| VCID-zf5b-ajub-zue3 | Multiple vulnerabilities have been found in OpenSSL that can result in either Denial of Service or information disclosure. | CVE-2015-1787 |
| VCID-zhwv-pq2x-8bey | Improper Resource Shutdown or Release: The `OPENSSL_LH_flush()` function, which empties a hash table, contains a bug that breaks reuse of the memory occupied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. | CVE-2022-1473, GHSA-g323-fr93-4j3c |
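The CVE-2023-5363 entry above (VCID-h6n1-tsqt-17bw) points at NIST SP 800-38D section 8.2.1 deterministic IV construction and warns that truncating the counter portion leads to IV reuse. The following Python is an added example, not code from this page or from the OpenSSL project, and it does not call OpenSSL at all: it builds 96-bit GCM IVs as a 4-byte fixed field followed by an 8-byte big-endian invocation counter (that split is a choice made here, not something the advisory prescribes), models an init path that keeps only the first 8 bytes of the IV as the advisory describes, and reports the first invocation at which the effective IV repeats an earlier one.

```python
"""Deterministic AES-GCM IV construction (NIST SP 800-38D section 8.2.1) and
the effect of silently truncating the IV, the failure mode named in the
CVE-2023-5363 entry. Added example: not OpenSSL code, and no cipher is run."""
from typing import Optional

GCM_IV_LEN = 12  # 96-bit IV, the length SP 800-38D recommends for GCM
FIXED_LEN = 4    # choice made here: 32-bit fixed field, 64-bit invocation field


def build_iv(fixed_field: bytes, invocation: int) -> bytes:
    """Return fixed_field || invocation counter (big-endian), 96 bits in total.

    The fixed field identifies the device or context; the invocation field is a
    counter that must never repeat under the same key, so it is bounds-checked
    rather than allowed to wrap."""
    if len(fixed_field) != FIXED_LEN:
        raise ValueError(f"fixed field must be {FIXED_LEN} bytes")
    counter_len = GCM_IV_LEN - FIXED_LEN
    if not 0 <= invocation < (1 << (8 * counter_len)):
        raise ValueError("invocation counter exhausted: rekey before continuing")
    return fixed_field + invocation.to_bytes(counter_len, "big")


def effective_iv(iv: bytes, accepted_len: int) -> bytes:
    """Model a cipher init that ignores the requested IV length and uses only
    the first accepted_len bytes of what the caller supplied: the truncation
    the advisory describes."""
    return iv[:accepted_len]


def first_iv_reuse(fixed_field: bytes, invocations: int, accepted_len: int) -> Optional[int]:
    """Return the invocation number at which the effective IV first repeats an
    earlier one, or None if all `invocations` effective IVs are distinct."""
    seen = set()
    for i in range(invocations):
        iv = effective_iv(build_iv(fixed_field, i), accepted_len)
        if iv in seen:
            return i
        seen.add(iv)
    return None


if __name__ == "__main__":
    dev = b"\x00\x00\x00\x07"  # constructed fixed field for one device
    print("full 12-byte IV, first reuse:", first_iv_reuse(dev, 100_000, GCM_IV_LEN))
    print("IV truncated to 8 bytes, first reuse:", first_iv_reuse(dev, 100_000, 8))
```

With the full 12 bytes the sequence stays unique for as long as the counter lasts. Truncated to 8 bytes, the effective IV is the fixed field plus the top four bytes of the big-endian counter, which remain zero until the counter passes 2^32, so every message from the second one onward reuses the first message's IV under the same key, which is exactly the GCM nonce-reuse condition the advisory calls a loss of confidentiality. In application code against the OpenSSL 3 API the ordering problem can be avoided by passing the OSSL_PARAM array in an initial EVP_CipherInit_ex2() call that supplies no key or IV, and only then supplying the key and IV in a second call, so the length is established before the IV is copied.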
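The CVE-2023-2975 entry above (VCID-b3u8-1a2y-judf) says the AES-SIV code returned success for an empty associated data entry without folding it into the authentication, so removing, adding or reordering empty entries went undetected. The following Python is an added example, not code from this page or from OpenSSL, and it is not RFC 5297 S2V: it is a toy stand-in that chains an HMAC-SHA256 PRF over the associated data entries the way S2V folds each string into a running value, with a switch that reproduces the bug by skipping empty entries, so that the difference between the two behaviours is visible on constructed input.

```python
"""Toy S2V-style associated-data authentication illustrating CVE-2023-2975.
Added example: not OpenSSL code and not RFC 5297 S2V. HMAC-SHA256 stands in
for the AES-CMAC PRF and the chaining step is simplified. What it preserves is
the property that matters here: every associated data entry, including an
empty one, must change the running value, otherwise its presence and position
are not authenticated."""
import hashlib
import hmac
from typing import Dict, Sequence

_ZERO = bytes(32)


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def aad_tag(key: bytes, entries: Sequence[bytes], skip_empty: bool = False) -> bytes:
    """Fold a list of associated data entries into a 32-byte tag.

    skip_empty=False: every entry, empty or not, is absorbed (correct).
    skip_empty=True:  an empty entry is treated as a no-op that reports
                      success, modelling the bug in the advisory."""
    d = _prf(key, _ZERO)
    for entry in entries:
        if skip_empty and len(entry) == 0:
            continue  # buggy path: nothing is absorbed for an empty entry
        d = _prf(key, d + entry)  # toy chaining in place of dbl/xor/CMAC
    return d


def verify_aad(key: bytes, entries: Sequence[bytes], tag: bytes, skip_empty: bool = False) -> bool:
    return hmac.compare_digest(aad_tag(key, entries, skip_empty), tag)


def demo() -> Dict[str, Dict[str, bool]]:
    """Constructed input: an application that uses an empty entry as a
    positional marker (here 'no query string' between method and path).
    Returns, for the correct and the buggy variant, whether a tag computed
    over the original entries is accepted for two manipulated lists."""
    key = b"\x11" * 32  # constructed key, not a real secret
    original = [b"GET", b"", b"/admin"]
    tampered = [b"GET", b"/admin"]         # empty entry removed
    reordered = [b"", b"GET", b"/admin"]   # empty entry moved to the front
    results: Dict[str, Dict[str, bool]] = {}
    for name, buggy in (("correct", False), ("buggy", True)):
        tag = aad_tag(key, original, skip_empty=buggy)
        results[name] = {
            "tampered_accepted": verify_aad(key, tampered, tag, buggy),
            "reordered_accepted": verify_aad(key, reordered, tag, buggy),
        }
    return results


if __name__ == "__main__":
    for impl, outcome in demo().items():
        print(impl, outcome)
```

The correct variant rejects both manipulated lists because the empty entry consumed one PRF step at a specific position; the buggy variant accepts both, since for it the three lists are indistinguishable. This is why the advisory qualifies the impact by whether an application relies on empty entries at all: non-empty associated data is still absorbed correctly in both variants.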