Loïc Jonas Etienne

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 1.0.1 through 1.0.1q OpenSSL versions 1.0.2 through 1.0.2e MySQL Server versions 5.6.28 and earlier MySQL Server versions 5.7.10 and earlier **Description** The issue allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter. This is related to errors in pointer handling in the crypto/rsa/rsa ameth.c function of the OpenSSL library. The vulnerability can also lead to a denial of service (race condition and double free) via a crafted ServerKeyExchange message when OpenSSL is used for a multi-threaded client. **Recommendations** For OpenSSL versions 1.0.1 through 1.0.1q, update to version 1.0.1q or later. For OpenSSL versions 1.0.2 through 1.0.2e, update to version 1.0.2e or later. For MySQL Server versions 5.6.28 and earlier, update to a version later than 5.6.28. For MySQL Server versions 5.7.10 and earlier, update to a version later than 5.7.10. As a temporary workaround, consider restricting access to the `crypto/rsa/rsa ameth.c` function until a patch is available. Avoid using the `PSK identity hint` in the affected API endpoint until the issue is resolved.