ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054)
======================================================
Severity: High
TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS
attack by corrupting larger payloads. This can result in an OpenSSL crash. This
issue is not considered to be exploitable beyond a DoS.
OpenSSL 1.1.0 users should upgrade to 1.1.0c
This issue does not affect OpenSSL versions prior to 1.1.0
This issue was reported to OpenSSL on 25th September 2016 by Robert
Święcki (Google Security Team), and was found using honggfuzz. The fix
was developed by Richard Levitte of the OpenSSL development team.
Would be nice to know if your patch is also affected.
vkrasnov
commented
7 years ago
See https://www.openssl.org/news/secadv/20161110.txt:
Would be nice to know if your patch is also affected.