| # OpenSSL Advisory: February 16th, 2021 |
| |
| OpenSSL have published a [security advisory](https://openssl-library.org/news/secadv/20210216.txt). Here's how it affects BoringSSL: |
| |
| CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL |
| ----|---------|-----------------------|--------------------- |
| CVE-2021-23841 | Null pointer deref in X509_issuer_and_serial_hash() | Moderate | Fixed; the affected function is unused, so we [removed](https://boringssl.googlesource.com/boringssl/+/ca2162d71902385dc740a385d20977d551d14e8f) it. |
CVE-2021-23839 | Incorrect SSLv2 rollback protection | Low | Not affected; the SSLv2 rollback padding check this bug lives in was removed in the initial fork. |
CVE-2021-23840 | Integer overflow in CipherUpdate | Low | Fixed; patch [imported](https://boringssl.googlesource.com/boringssl/+/e7c0c9734f5491e62665ea156603209a80fbb235). Note this only affects callers that decrypt around 2³¹ bytes in a single `EVP_CIPHER` update call, because the reported output length is an `int`. We recommend switching to `EVP_AEAD`, which uses `size_t` lengths and takes the size of the output buffer as an explicit parameter, so the function fails rather than misreports. |
| |
| [Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity |
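To make the CVE-2021-23840 condition concrete, here is an added illustration that is not BoringSSL or OpenSSL code. It models only the output-length bookkeeping of a block-cipher `EVP_*Update()` call (a partial block buffered from the previous call plus the new input), not the cipher itself. `modeled_legacy_outl` computes, in 64-bit arithmetic, the value the unfixed code would try to report through `int *outl`; `checked_update_outl` adds the guard the fix introduces; `aead_style_seal_len` shows the `EVP_AEAD`-style contract with `size_t` lengths and an explicit `max_out_len`. The function names, the 16-byte block size and the inputs in `main` are assumptions made for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Modeled, not BoringSSL code. Between calls the context keeps `buf_len`
 * bytes of a partial block. A call with `inl` new bytes emits the block that
 * completes (if any) plus every further whole block; the rest is buffered.
 * This returns the length the unfixed arithmetic intends to report, in
 * 64-bit so the caller can see when it no longer fits an int. */
static long long modeled_legacy_outl(int buf_len, int inl, int bl) {
    long long emitted = 0;
    long long rest = inl;
    if (buf_len != 0) {
        if (bl - buf_len > inl) {
            return 0;             /* still a partial block: nothing emitted */
        }
        emitted = bl;             /* the block completed from the buffer */
        rest -= bl - buf_len;     /* input bytes consumed to complete it */
    }
    emitted += rest & ~((long long)bl - 1);   /* whole blocks of the rest */
    return emitted;               /* > INT_MAX is the CVE-2021-23840 case */
}

/* Same bookkeeping with the guard the upstream fix adds (modeled here).
 * Returns 1 and sets *outl on success, 0 when the result would not fit an
 * int, which is the EVP convention for failure. */
static int checked_update_outl(int buf_len, int inl, int bl, int *outl) {
    if (inl <= 0) {
        *outl = 0;
        return inl == 0;
    }
    if (buf_len == 0) {
        *outl = inl & ~(bl - 1);  /* cannot exceed inl, so cannot overflow */
        return 1;
    }
    if (bl - buf_len > inl) {
        *outl = 0;                /* not enough to complete the block */
        return 1;
    }
    int j = bl - buf_len;         /* bytes that complete the buffered block */
    /* Whole blocks of what remains after those j bytes, plus the one block
     * emitted from the buffer, must fit in an int. */
    if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) {
        return 0;
    }
    *outl = bl + ((inl - j) & ~(bl - 1));
    return 1;
}

/* The EVP_AEAD shape (modeled): lengths are size_t and the caller passes the
 * output buffer size, so an oversized result is refused, not misreported.
 * `tag_len` stands for the authentication overhead appended by seal. */
static int aead_style_seal_len(size_t in_len, size_t tag_len,
                               size_t max_out_len, size_t *out_len) {
    if (in_len > SIZE_MAX - tag_len) {
        return 0;                 /* in_len + tag_len would wrap */
    }
    if (in_len + tag_len > max_out_len) {
        return 0;                 /* caller's buffer is too small */
    }
    *out_len = in_len + tag_len;
    return 1;
}

int main(void) {
    /* Constructed trigger: one buffered byte, then an INT_MAX-byte update
     * with 16-byte blocks. The 15 bytes completing the block leave
     * INT_MAX - 15, a multiple of 16, so the total is 2^31. */
    int outl = 0;
    printf("legacy would report %lld (INT_MAX is %d)\n",
           modeled_legacy_outl(1, INT_MAX, 16), INT_MAX);
    printf("checked update returns %d\n",
           checked_update_outl(1, INT_MAX, 16, &outl));
    size_t out_len = 0;
    printf("aead-style seal into 115 bytes returns %d\n",
           aead_style_seal_len(100, 16, 115, &out_len));
    return 0;
}
```

The trigger needs a non-empty buffer: with nothing buffered the reported length is at most `inl`, so the overflow only appears when a previous call left a partial block behind and the next call is within a block of `INT_MAX` bytes. The `size_t` interface has no such corner because the bound is checked against the caller's buffer before anything is written.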