OpenSSL have published a security advisory. Here's how it affects BoringSSL:

| CVE | Summary | Severity in OpenSSL | Impact to BoringSSL |
|---|---|---|---|
| CVE-2017-3736 | bn_sqrx8x_internal carry bug on x86_64 | Moderate | Not affected; the affected code is not enabled in BoringSSL. See discussion below. |
| CVE-2017-3735 | Malformed X.509 IPAddressFamily could cause OOB read | Low | Not affected; the affected code was removed in the fork. |

The code affected by CVE-2017-3736 was enabled briefly at BoringSSL head on 2017-08-14, but it was reverted 24 hours later when we learned of the bug.