Johannes Bauer

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 0.9.8 through 0.9.8zg OpenSSL versions 1.0.0 through 1.0.0s OpenSSL versions 1.0.1 through 1.0.1n OpenSSL versions 1.0.2 through 1.0.2b **Description** The issue is related to errors in resource management in the do free upto function, which can cause a denial of service (infinite loop) when presented with an unknown hash function OID. This can be triggered by an unrecognized X.660 OID for a hash function, allowing a remote attacker to cause a denial of service. The estimated number of potentially affected devices is not specified. **Recommendations** For OpenSSL versions 0.9.8 through 0.9.8zg, update to version 0.9.8zg or later. For OpenSSL versions 1.0.0 through 1.0.0s, update to version 1.0.0s or later. For OpenSSL versions 1.0.1 through 1.0.1n, update to version 1.0.1n or later. For OpenSSL versions 1.0.2 through 1.0.2b, update to version 1.0.2b or later. As a temporary workaround, consider restricting the use of the do free upto function until a patch is available. Avoid using unrecognized X.660 OIDs for hash functions in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel version 2.6.21-rc4 **Description** The issue is related to an integer overflow in the `hrtimer forward` function, located in `hrtimer.c`, which can cause a denial of service. This occurs when the system is running on 64-bit systems and a timer with a large expiry value is set, resulting in the timer always being expired, leading to an infinite loop. **Recommendations** For Linux kernel version 2.6.21-rc4, consider applying a patch to fix the integer overflow in the `hrtimer forward` function to prevent a denial of service. At the moment, there is no information about a newer version that contains a fix for this vulnerability.