Publish historical advisories from 2024 and 2025

Bug: 479225940
Change-Id: Iab26eb9336feee83451addb288817ddf94058b4d
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/88048
Reviewed-by: Adam Langley <agl@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/docs/advisories/2024-01-15.md b/docs/advisories/2024-01-15.md new file mode 100644 index 0000000..e1b4288 --- /dev/null +++ b/docs/advisories/2024-01-15.md
@@ -0,0 +1,10 @@ +# OpenSSL Advisory: January 15th, 2024 (BoringSSL Not Affected) + +OpenSSL have published a pair of security advisories ([1](https://www.openssl.org/news/secadv/20240109.txt), [2](https://www.openssl.org/news/secadv/20240115.txt)). Here's how they affect BoringSSL: + +CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL +----|---------|-----------------------|--------------------- +CVE-2023-6129 | POLY1305 MAC implementation corrupts vector registers on PowerPC | Low | Not affected; issue was introduced after fork. BoringSSL also does not support PowerPC. +CVE-2023-6237 | Excessive time spent checking invalid RSA public keys | Low | Not affected; issue was introduced after fork. BoringSSL also applies RSA size limits at an earlier point to reduce DoS risks. + +[Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity
diff --git a/docs/advisories/2024-01-25.md b/docs/advisories/2024-01-25.md new file mode 100644 index 0000000..c29a3dc --- /dev/null +++ b/docs/advisories/2024-01-25.md
@@ -0,0 +1,9 @@ +# OpenSSL Advisory: January 25th, 2024 (BoringSSL Not Affected) + +OpenSSL have published a [security advisory](https://www.openssl.org/news/secadv/20240125.txt). Here's how it affects BoringSSL: + +CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL +----|---------|-----------------------|--------------------- +CVE-2024-0727 | PKCS12 Decoding crashes | Low | Not affected; BoringSSL has an independent PKCS#12 parser that was not affected + +[Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity
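Review bot: the impact cell for CVE-2024-0727 says "Not affected" twice ("Not affected; BoringSSL has an independent PKCS#12 parser that was not affected"); the trailing "that was not affected" adds nothing and can be dropped, leaving "Not affected; BoringSSL has an independent PKCS#12 parser".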
diff --git a/docs/advisories/2024-04-08.md b/docs/advisories/2024-04-08.md new file mode 100644 index 0000000..fe1a170 --- /dev/null +++ b/docs/advisories/2024-04-08.md
@@ -0,0 +1,9 @@ +# OpenSSL Advisory: April 8th, 2024 (BoringSSL Not Affected) + +OpenSSL have published a [security advisory](https://www.openssl.org/news/secadv/20240408.txt). Here's how it affects BoringSSL: + +CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL +----|---------|-----------------------|--------------------- +CVE-2024-0727 | Unbounded memory growth with session handling in TLSv1.3 | Low | Not affected; the session cache code in BoringSSL was rewritten. + +[Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity
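Review bot: the CVE identifier in this table looks like a copy-paste carry-over from the previous file. CVE-2024-0727 is already used in 2024-01-25.md for the PKCS12 decoding crash, yet here it labels "Unbounded memory growth with session handling in TLSv1.3", a different issue from a different advisory. Please replace it with the identifier the linked 20240408 advisory actually assigns (I believe that is CVE-2024-2511; verify against the advisory before landing), since a wrong CVE number in an advisory index sends readers tracking the wrong issue.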
diff --git a/docs/advisories/2024-05-21.md b/docs/advisories/2024-05-21.md new file mode 100644 index 0000000..d1f2f32 --- /dev/null +++ b/docs/advisories/2024-05-21.md
@@ -0,0 +1,9 @@ +# OpenSSL Advisory: May 21st, 2024 (BoringSSL Not Affected) + +OpenSSL have published a [security advisory](https://openssl.org/news/secadv/20240516.txt). Here's how it affects BoringSSL: + +CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL +----|---------|-----------------------|--------------------- +CVE-2024-4603 | Excessive time spent checking DSA keys and parameters | Low | Not affected; issue was introduced after fork + +[Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity
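Review bot: the filename and heading date this file May 21st, 2024, but the advisory it links to is dated 20240516, and every other file in this change except 2025-01-21.md takes its date from the linked advisory. If May 21st is the date BoringSSL published its assessment rather than the advisory date, say so in the text so the two dates are not mistaken for each other; otherwise rename the file to 2024-05-16.md and fix the heading.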
diff --git a/docs/advisories/2024-05-28.md b/docs/advisories/2024-05-28.md new file mode 100644 index 0000000..68c438f --- /dev/null +++ b/docs/advisories/2024-05-28.md
@@ -0,0 +1,9 @@ +# OpenSSL Advisory: May 28th, 2024 (BoringSSL Not Affected) + +OpenSSL have published a [security advisory](https://www.openssl.org/news/secadv/20240528.txt). Here's how it affects BoringSSL: + +CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL +----|---------|-----------------------|--------------------- +CVE-2024-4741 | Use After Free with SSL_free_buffers | Low | Not affected; issue was introduced after fork + +[Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity
diff --git a/docs/advisories/2024-06-27.md b/docs/advisories/2024-06-27.md new file mode 100644 index 0000000..01c449f --- /dev/null +++ b/docs/advisories/2024-06-27.md
@@ -0,0 +1,37 @@ +# OpenSSL Advisory: June 27th, 2024 + +OpenSSL have published a [security advisory](https://openssl-library.org/news/secadv/20240627.txt). Here's how it affects BoringSSL: + +CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL +----|---------|-----------------------|--------------------- +CVE-2024-5535 | SSL_select_next_proto buffer overread | Low | See discussion below. Fixed in [c1d9ac02](https://boringssl.googlesource.com/boringssl/+/c1d9ac02514a138129872a036e3f8a1074dcb8bd). + +[Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity + +## CVE-2024-5535 + +This issue concerns fragile and, in OpenSSL, underdocumented, preconditions in the NPN and ALPN helper function, `SSL_select_next_proto`. If called with invalid inputs, notably an empty final argument, the function may crash or return an out-of-bounds buffer to the caller. This was fixed in BoringSSL on June 5, 2024 in commit [c1d9ac02514a138129872a036e3f8a1074dcb8bd](https://boringssl.googlesource.com/boringssl/+/c1d9ac02514a138129872a036e3f8a1074dcb8bd). + +Typical uses of `SSL_select_next_proto` are not affected. Applications are affected if they pass in an invalid `peer` or `supported` parameter. That is, either: + +* `peer` and `supported` was not a valid encoded NPN/ALPN protocol list. +* `supported` was empty + +We are not aware of any instance of the first condition, but older versions of some applications met the second condition. In this case, the application may crash or, if it outputs the “opportunistic” protocol (see below) when the function returns `OPENSSL_NPN_NO_OVERLAP`, may leak private data. Outputting this protocol is common for NPN but rare for its successor, ALPN. + +### Background and details + +`SSL_select_next_proto` is a helper function for implementing protocol selection. It was originally added for NPN, and then reused for its successor, ALPN. 
It is expected to be used in the application’s protocol selection callbacks, set by `SSL_CTX_set_next_proto_select_cb` and SSL_CTX_set_alpn_select_cb, respectively. The function takes two protocol preference lists, peer and supported, each encoded as a byte string, and selects a protocol out of the intersection. If there is no intersection, it returns a special `OPENSSL_NPN_NO_OVERLAP` value and then returns the first protocol in supported as an NPN [“opportunistic”](https://datatracker.ietf.org/doc/html/draft-agl-tls-nextprotoneg-03#section-6) protocol. It is not expected to be returned in ALPN, where a protocol mismatch should terminate the connection. But, as these are arbitrary callbacks, callers may implement arbitrary selection policies. + +(In OpenSSL, the parameters are named `server` and `client`, after the original NPN semantics. We use different names in BoringSSL to reflect NPN and ALPN’s reversed roles. In NPN, the client picks a protocol based on the server list. In ALPN, the server picks a protocol based on the client list. This ensures the “opportunistic” protocol is picked out of the calling application’s supported list.) + +This function has two preconditions which the caller must satisfy: + +1. `peer` and `supported` must both be valid encoding of NPN/ALPN protocol lists. +2. `supported` must not be empty; the function otherwise cannot return an opportunistic protocol. (Callers that support no protocols are not enabling NPN/ALPN at all, and thus do not need this function.) + +In the original implementation, these preconditions were unchecked, with memory errors when violated. In particular, if `supported` is empty (the second precondition), the opportunistic protocol may point to an out-of-bounds buffer. Outputting that opportunistic protocol, common in NPN, may then leak sensitive information. + +BoringSSL documented both preconditions, but OpenSSL did not document that `supported` must not be empty. 
We are aware of some older versions of calling applications which could both violate this second precondition and also output the opportunistic protocol. Those applications may then leak private data in some cases. + +The fix removes this fragility. While callers are still expected to heed the preconditions for `SSL_select_next_proto` to function properly, a violation will only cause it to cleanly return `OPENSSL_NPN_NO_OVERLAP` and an empty opportunistic protocol.
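Review bot: a few wording and formatting slips in the CVE-2024-5535 discussion. In the bullet list after "That is, either:", the first item reads "`peer` and `supported` was not a valid encoded NPN/ALPN protocol list"; since precondition 1 below requires both to be valid, either one being malformed is a violation, so "`peer` or `supported` was not a valid encoded NPN/ALPN protocol list" is the accurate statement (and avoids the singular verb on a plural subject). Precondition 1 itself should say "valid encodings" rather than "valid encoding". In the Background paragraph, `SSL_CTX_set_alpn_select_cb` is missing the backticks that `SSL_CTX_set_next_proto_select_cb` has, and "peer and supported" are unformatted there while they are `peer` and `supported` everywhere else in the file. Finally, "fragile and, in OpenSSL, underdocumented, preconditions" has a stray comma after "underdocumented".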
diff --git a/docs/advisories/2024-09-03.md b/docs/advisories/2024-09-03.md new file mode 100644 index 0000000..4021296 --- /dev/null +++ b/docs/advisories/2024-09-03.md
@@ -0,0 +1,9 @@ +# OpenSSL Advisory: September 3rd, 2024 (BoringSSL Not Affected) + +OpenSSL have published a [security advisory](https://openssl-library.org/news/secadv/20240903.txt). Here's how it affects BoringSSL: + +CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL +----|---------|-----------------------|--------------------- +CVE-2024-6119 | Possible denial of service in X.509 name checks | Medium | Not affected; issue was introduced after fork + +[Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity
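Review bot: the severity column says "Medium", but the OpenSSL severity policy that the [Severity] header links to names that level "Moderate", and 2025-09-30.md in this same change uses "Moderate"; suggest "Moderate" here so the column matches the policy it cites.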
diff --git a/docs/advisories/2024-10-16.md b/docs/advisories/2024-10-16.md new file mode 100644 index 0000000..647d2e2 --- /dev/null +++ b/docs/advisories/2024-10-16.md
@@ -0,0 +1,9 @@ +# OpenSSL Advisory: October 16th, 2024 (BoringSSL Not Affected) + +OpenSSL have published a [security advisory](https://openssl-library.org/news/secadv/20241016.txt). Here's how it affects BoringSSL: + +CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL +----|---------|-----------------------|--------------------- +CVE-2024-9143 | Low-level invalid GF(2^m) parameters lead to OOB memory access | Low | Not affected; code was removed when BoringSSL forked + +[Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity
diff --git a/docs/advisories/2025-01-21.md b/docs/advisories/2025-01-21.md new file mode 100644 index 0000000..5090e53 --- /dev/null +++ b/docs/advisories/2025-01-21.md
@@ -0,0 +1,15 @@ +# OpenSSL Advisory: January 21st, 2025 (BoringSSL Not Affected) + +OpenSSL have published a [security advisory](https://openssl-library.org/news/secadv/20250120.txt). Here's how it affects BoringSSL: + +CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL +----|---------|-----------------------|--------------------- +CVE-2024-13176 | Timing side-channel in ECDSA signature computation | Low | Not affected; already fixed in [November 2017](https://boringssl-review.googlesource.com/c/boringssl/+/23075) + +[Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity + +## CVE-2024-13176 + +CVE-2024-13176 is a [timing leak](https://www.bearssl.org/constanttime.html) of the ECDSA nonce during signing. The ECDSA nonce is very sensitive and even a small leak [can lead to leaking the private key](https://eprint.iacr.org/2020/615.pdf). The leak comes from OpenSSL's use of a big integer that canonicalizes away leading zeros in its in-memory representation. This leaks the number of leading zeros of a number of intermediate calculations. + +In [November 2017](https://boringssl-review.googlesource.com/c/boringssl/+/23075), we changed our ECDSA implementation to no longer use the general `BIGNUM` library here, which both reduced allocation overhead and avoided this leak. In 2018, we reworked our copy of the `BIGNUM` library to avoid this canonicalization and fix analogous leaks elsewhere, e.g. in RSA. In 2018, we also [filed an issue](https://github.com/openssl/openssl/issues/6640) for OpenSSL, describing our work.
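Review bot: two small things in the CVE-2024-13176 write-up. The last paragraph opens two consecutive sentences with "In 2018, we ..."; merging them ("In 2018, we reworked our copy of the `BIGNUM` library to avoid this canonicalization and fix analogous leaks elsewhere, e.g. in RSA, and [filed an issue](https://github.com/openssl/openssl/issues/6640) for OpenSSL describing our work.") reads better. And as with 2024-05-21.md, the filename and heading (January 21st, 2025) do not match the date in the advisory link (20250120); confirm which date is intended, or state in the text that the heading date is BoringSSL's publication date.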
diff --git a/docs/advisories/2025-02-11.md b/docs/advisories/2025-02-11.md new file mode 100644 index 0000000..af94295 --- /dev/null +++ b/docs/advisories/2025-02-11.md
@@ -0,0 +1,9 @@ +# OpenSSL Advisory: February 11th, 2025 (BoringSSL Not Affected) + +OpenSSL have published a [security advisory](https://openssl-library.org/news/secadv/20250211.txt). Here's how it affects BoringSSL: + +CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL +----|---------|-----------------------|--------------------- +CVE-2024-12797 | RFC7250 handshakes with unauthenticated servers don't abort as expected | High | Not affected; issue was introduced after fork + +[Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity
diff --git a/docs/advisories/2025-05-22.md b/docs/advisories/2025-05-22.md new file mode 100644 index 0000000..1ae704c --- /dev/null +++ b/docs/advisories/2025-05-22.md
@@ -0,0 +1,9 @@ +# OpenSSL Advisory: May 22nd, 2025 (BoringSSL Not Affected) + +OpenSSL have published a [security advisory](https://openssl-library.org/news/secadv/20250522.txt). Here's how it affects BoringSSL: + +CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL +----|---------|-----------------------|--------------------- +CVE-2025-4575 | The x509 application adds trusted use instead of rejected use | Low | Not affected; issue was introduced after fork + +[Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity
diff --git a/docs/advisories/2025-09-30.md b/docs/advisories/2025-09-30.md new file mode 100644 index 0000000..660f839 --- /dev/null +++ b/docs/advisories/2025-09-30.md
@@ -0,0 +1,11 @@ +# OpenSSL Advisory: September 30th, 2025 (BoringSSL Not Affected) + +OpenSSL have published a [security advisory](https://openssl-library.org/news/secadv/20250930.txt). Here's how it affects BoringSSL: + +CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL +----|---------|-----------------------|--------------------- +CVE-2025-9230 | Out-of-bounds read & write in RFC 3211 KEK Unwrap | Moderate | Not affected, impacted code was removed from BoringSSL in the initial fork +CVE-2025-9231 | Timing side-channel in SM2 algorithm on 64 bit ARM | Moderate | Not affected, issue was introduced after fork +CVE-2025-9232 | Out-of-bounds read in HTTP client no_proxy handling | Low | Not affected, issue was introduced after fork + +[Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity
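Review bot: the impact cells here separate "Not affected" from the explanation with a comma ("Not affected, issue was introduced after fork"), whereas every other file in this change uses a semicolon ("Not affected; issue was introduced after fork"); suggest the semicolon for consistency. The CVE-2025-9230 cell's "impacted code was removed from BoringSSL in the initial fork" would also be more useful if it named the removed code, as 2024-10-16.md does implicitly by naming the GF(2^m) parameter handling in the summary column.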