OpenSSL have published a security advisory. Here's how it affects BoringSSL:
| CVE | Summary | Severity in OpenSSL | Impact on BoringSSL |
|---|---|---|---|
| CVE-2021-23841 | Null pointer deref in X509_issuer_and_serial_hash() | Moderate | Fixed; the affected function is unused, so we removed it. |
| CVE-2021-23839 | Incorrect SSLv2 rollback protection | Low | Not affected; we removed SSLv2 padding in the initial fork. |
| CVE-2021-23840 | Integer overflow in CipherUpdate | Low | Fixed; patch imported. Note this only affects callers that decrypt around 2³¹ bytes with EVP_CIPHER. We recommend switching to EVP_AEAD, which uses size_t and passes output bounds explicitly. |