OpenSSL have published a security advisory. Here's how it affects BoringSSL:

| CVE | Summary | Severity in OpenSSL | Impact to BoringSSL |
|---|---|---|---|
| CVE-2016-6304 | OCSP Status Request extension unbounded memory growth | High | Not affected; buggy code was removed. |
| CVE-2016-6305 | SSL_peek() hang on empty record | Moderate | Not affected; regression introduced after fork. (Added test anyway.) |
| CVE-2016-2183 | SWEET32 Mitigation | Low | Not practical to do anything right now, nor of much interest (the bulk cipher does not affect downgrade, and the HIGH/MEDIUM cipher-string groups aren't useful APIs for server operators). |
| CVE-2016-6303 | OOB write in MDC2_Update | Low | Not affected; buggy code was removed. |
| CVE-2016-6302 | Malformed SHA512 ticket DoS | Low | Not affected; independently fixed in April 2015. |
| CVE-2016-2182 | OOB write in BN_bn2dec | Low | Fix imported August 2016 (and then rewritten). |
| CVE-2016-2180 | OOB read in TS_OBJ_print_bio | Low | Not affected; buggy code was removed. |
| CVE-2016-2177 | Pointer arithmetic undefined behavior | Low | Not affected; buggy code was rewritten. |
| CVE-2016-2178 | Constant time flag not preserved in DSA signing | Low | Fix imported June 2016. |
| CVE-2016-2179 | DTLS buffered message DoS | Low | Not affected; buggy code was removed. |
| CVE-2016-2181 | DTLS replay protection DoS | Low | Not affected; buggy code was removed. |
| CVE-2016-6306 | Certificate message OOB reads | Low | Not affected; buggy code was rewritten. |
| CVE-2016-6307 | Excessive allocation of memory on TLS messages | Low | Not affected; regression introduced after fork. |
| CVE-2016-6308 | Excessive allocation of memory on DTLS messages | Low | Not affected; regression introduced after fork. |