Joseph Birr-Pixton

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions prior to the next release (exact version not specified) CPython version 3.9 and earlier **Description** The issue is related to the OpenSSL API function `SSL select next proto` which can cause a crash or memory contents to be sent to the peer when called with an empty supported client protocols buffer. This can result in a loss of confidentiality, with up to 255 bytes of arbitrary private data from memory being sent to the peer. The issue is typically not under attacker control and may occur by accident due to a configuration or programming error in the calling application. The `SSL select next proto` function is used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation), with NPN being older and deprecated in favor of ALPN. **Recommendations** For OpenSSL versions prior to the next release, there is no information about a newer version that contains a fix for this vulnerability. For CPython version 3.9 and earlier, ensure that `SSLContext.set npn protocols()` is not configured with an empty list to prevent the buffer over-read issue. As a temporary workaround, consider disabling the use of NPN in favor of ALPN to minimize the risk of exploitation. Restrict access to the `SSL select next proto` function to prevent accidental calls with empty client protocol buffers. Avoid using the `client len` parameter with a value of 0 when calling the `SSL select next proto` function. Note: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions prior to 0.9.8s OpenSSL versions 1.0.0 prior to 1.0.0e OpenSSL versions 1.0.1 prior to 1.0.1n OpenSSL versions 1.0.2 prior to 1.0.2b **Description** The issue is related to the BN GF2m mod inv function in OpenSSL, which does not properly handle ECParameters structures in which the curve is over a malformed binary polynomial field. This allows remote attackers to cause a denial of service (infinite loop) via a session that uses an Elliptic Curve algorithm. The vulnerability is associated with resource management errors and can be exploited by a remote attacker to cause a denial of service due to errors that occur during the establishment of a session that uses an Elliptic Curve-based algorithm. **Recommendations** For OpenSSL versions prior to 0.9.8s, update to version 0.9.8s or later. For OpenSSL versions 1.0.0 prior to 1.0.0e, update to version 1.0.0e or later. For OpenSSL versions 1.0.1 prior to 1.0.1n, update to version 1.0.1n or later. For OpenSSL versions 1.0.2 prior to 1.0.2b, update to version 1.0.2b or later. As a temporary workaround, consider disabling the use of Elliptic Curve algorithms until a patch is available.