| # OpenSSL Advisory: December 8th, 2020 |
| |
| OpenSSL have published a [security advisory](https://openssl-library.org/news/secadv/20201208.txt). Here's how it affects BoringSSL: |
| |
| CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL |
| ----|---------|-----------------------|--------------------- |
| CVE-2020-1971 | EDIPARTYNAME NULL pointer de-reference | High | Affected; fixed in commit aa4ecb49, see discussion below for impact |
| |
| [Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity |
| |
| ## CVE-2020-1971 |
| |
This issue does affect BoringSSL’s X.509 validation: we have not replaced the code in question since diverging from OpenSSL. BoringSSL does not support the Time Stamp Protocol (RFC 3161), so it is unaffected in that context. The issue was discovered by us and reported to OpenSSL. The fix can be cherry-picked from BoringSSL commit [aa4ecb49269666c75919bc068028097c3b9cd42f](https://boringssl.googlesource.com/boringssl/+/aa4ecb49269666c75919bc068028097c3b9cd42f) if needed.
| |
Although OpenSSL rated this bug high-severity, we recommend reading the OpenSSL advisory to decide whether it counts as such in your environment. The bug is a NULL-pointer dereference (a crash, so at worst a denial of service) in GENERAL_NAME_cmp when two EDIPARTYNAME values are compared, and X.509 path validation only reaches that comparison when CRL checking is enabled, which is rare.
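As an added example, not part of the original advisory or of BoringSSL’s own tooling, the following POSIX shell script does the two checks the text above suggests: whether a local BoringSSL checkout already contains the fix commit, and whether an application source tree enables CRL checking during verification, which is the condition for reaching the affected comparison. It assumes `git` is installed, that the checkout’s `origin` remote points at upstream BoringSSL, and that CRL checking is turned on through the `X509_V_FLAG_CRL_CHECK` or `X509_V_FLAG_CRL_CHECK_ALL` verify flags; the grep for those names is a heuristic first pass (flags composed from other constants or set from another language binding are not detected), not proof of absence.

```shell
#!/bin/sh
# Added example, not BoringSSL's own code: a quick "am I exposed to
# CVE-2020-1971?" check for a local BoringSSL checkout plus an application tree.
#
# Assumptions (not stated in the advisory):
#   - `git` is available and the checkout has fetched upstream history, so the
#     fix commit object exists locally; otherwise has_commit reports "missing".
#   - The application enables CRL checking only via the X509_V_FLAG_CRL_CHECK /
#     X509_V_FLAG_CRL_CHECK_ALL verify flags, so grepping for those names is a
#     reasonable first pass.

# Commit named in the advisory as carrying the fix.
FIX_COMMIT=aa4ecb49269666c75919bc068028097c3b9cd42f

# has_commit <checkout> [<commit>]: exit 0 if HEAD of <checkout> already
# contains <commit> (default: the fix commit). Unknown or unreachable commits
# both yield a non-zero status; git's own error output is suppressed.
has_commit() {
    git -C "$1" merge-base --is-ancestor "${2:-$FIX_COMMIT}" HEAD 2>/dev/null
}

# uses_crl_checking <srcdir>: exit 0 if any file under <srcdir> names a
# CRL-checking verify flag (X509_V_FLAG_CRL_CHECK also matches the _ALL variant).
uses_crl_checking() {
    grep -rl 'X509_V_FLAG_CRL_CHECK' "$1" >/dev/null 2>&1
}

# assess <checkout> <srcdir>: print a one-line verdict.
#   exit 0 = fix present, 1 = fix absent but no CRL checking found,
#   exit 2 = fix absent and CRL checking enabled (the affected configuration).
assess() {
    checkout=$1
    srcdir=$2
    if has_commit "$checkout"; then
        echo "fixed: $checkout already contains $FIX_COMMIT"
        return 0
    fi
    if uses_crl_checking "$srcdir"; then
        echo "exposed: $checkout lacks the fix and $srcdir enables CRL checking"
        return 2
    fi
    echo "unfixed: $checkout lacks the fix; no CRL checking found in $srcdir (heuristic)"
    return 1
}

# apply_fix <checkout> [<remote>]: fetch upstream history from <remote>
# (default: origin, assumed to point at upstream BoringSSL) and cherry-pick
# the fix commit onto the current branch.
apply_fix() {
    git -C "$1" fetch "${2:-origin}" &&
    git -C "$1" cherry-pick "$FIX_COMMIT"
}

# Usage: sh check-1971.sh /path/to/boringssl /path/to/application/src
if [ "$#" -eq 2 ]; then
    assess "$1" "$2"
fi
```

Run it from a clean working tree: `assess` only reads state, while `apply_fix` rewrites the branch, so review the cherry-pick result (and resolve any conflicts from local divergence) before building.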