# OpenSSL Advisory: May 3rd 2016

OpenSSL have published a [security advisory](https://www.openssl.org/news/secadv/20160503.txt). Here's how it affects BoringSSL:

CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL
----|---------|-----------------------|---------------------
CVE-2016-2108 | Memory corruption in the ASN.1 encoder | High | Fix imported in [c4eec0c1](https://boringssl.googlesource.com/boringssl/+/c4eec0c16b02c97a62a95b6a08656c3a9ddb6baa) in February 2016.
CVE-2016-2107 | Padding oracle in AES-NI CBC MAC check | High | Not affected; buggy code was removed.
CVE-2016-2109 | ASN.1 BIO excessive memory allocation | Low | Fix imported in [14b07a02](https://boringssl.googlesource.com/boringssl/+/14b07a02a6b16f24e6bd6cbb11f9904e9ee50442) in April 2016.
CVE-2016-2106 | EVP_EncryptUpdate overflow | Low | Fix imported in [204dea8d](https://boringssl.googlesource.com/boringssl/+/204dea8daeee9935b2b08da2c2dfe7b890ed36a7) in May 2016.
CVE-2016-2176 | EBCDIC overread | Low | Not affected; buggy code was removed.
CVE-2016-2105 | Avoid overflow in EVP_EncodeUpdate | Low | Not affected; a BoringSSL change made it irrelevant and it’s barely a security bug upstream.

[Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity