OpenSSL have published a security advisory. Here's how it affects BoringSSL:

| CVE | Summary | Severity in OpenSSL | Impact to BoringSSL |
|---|---|---|---|
| CVE-2016-2108 | Memory corruption in the ASN.1 encoder | High | Fix imported in c4eec0c1 in February 2016. |
| CVE-2016-2107 | Padding oracle in AES-NI CBC MAC check | High | Not affected; buggy code was removed. |
| CVE-2016-2109 | ASN.1 BIO excessive memory allocation | Low | Fix imported in 14b07a02 in April 2016. |
| CVE-2016-2106 | EVP_EncryptUpdate overflow | Low | Fix imported in 204dea8d in May 2016. |
| CVE-2016-2176 | EBCDIC overread | Low | Not affected; buggy code was removed. |
| CVE-2016-2105 | Avoid overflow in EVP_EncodeUpdate | Low | Not affected; a BoringSSL change made it irrelevant and it’s barely a security bug upstream. |