OpenSSL have published a security advisory. Here's how it affects BoringSSL:

| CVE | Summary | Severity in OpenSSL | Impact to BoringSSL |
|---|---|---|---|
| CVE-2020-1971 | EDIPARTYNAME NULL pointer de-reference | High | Affected; fixed in commit aa4ecb49, see discussion below for impact |

This issue does affect BoringSSL’s X.509 validation, as we have not replaced the code in question since diverging from OpenSSL. BoringSSL does not support Time Stamp Protocol and so is unaffected in that context. This issue was discovered and reported by us to OpenSSL. The fix can be cherry-picked from BoringSSL’s commit aa4ecb49269666c75919bc068028097c3b9cd42f if needed.

Although OpenSSL marked this bug as high-severity, we recommend reading the OpenSSL security update in order to decide whether it counts as such in your environment: it is a NULL-pointer crash that only occurs when performing X.509 validation with CRL checking enabled, which is rare.
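As an added example (not part of the OpenSSL or BoringSSL advisory), a shell check for vendored BoringSSL trees: it reports whether the fix commit named above is an ancestor of HEAD, distinguishing "commit not present", "fetched but not merged" and "not a git checkout". It assumes git is on the PATH and that the checkout keeps its history; a tarball drop has to be compared by hand.

```shell
# Reports whether a BoringSSL checkout contains the CVE-2020-1971 fix.
# Usage: boringssl_has_1971_fix /path/to/boringssl
# Exit status: 0 = fix present, 1 = fix absent, 2 = not a usable git checkout.
# The commit id is the one named in the advisory above.
BORINGSSL_1971_FIX=aa4ecb49269666c75919bc068028097c3b9cd42f

boringssl_has_1971_fix() {
    repo=$1
    # A tree without git history (e.g. an unpacked tarball) cannot be checked this way.
    if ! git -C "$repo" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        echo "$repo: not a git checkout, compare against $BORINGSSL_1971_FIX by hand"
        return 2
    fi
    # If the commit object is not in the repository at all, the fix is certainly absent.
    if ! git -C "$repo" cat-file -e "${BORINGSSL_1971_FIX}^{commit}" 2>/dev/null; then
        echo "$repo: fix commit $BORINGSSL_1971_FIX not present, CVE-2020-1971 unpatched"
        return 1
    fi
    # The object exists; confirm HEAD actually descends from it, not merely that it was fetched.
    if git -C "$repo" merge-base --is-ancestor "$BORINGSSL_1971_FIX" HEAD; then
        echo "$repo: fix commit is an ancestor of HEAD, CVE-2020-1971 patched"
        return 0
    fi
    echo "$repo: fix commit fetched but not merged into HEAD, CVE-2020-1971 unpatched"
    return 1
}
```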