CVE-2016-7054 (OpenSSL advisory) [High severity] 10th November 2016:
TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by
corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be
exploitable beyond a DoS. Reported by Robert Święcki (Google Security Team) on 25th September 2016.
Fixed in OpenSSL 1.1.0c (Affected 1.1.0b, 1.1.0a, 1.1.0)
In OpenSSL 1.1.0, there is a bug that causes memory corruption allows a DoS attack. I have reviewed the CloudFlare's patch for OpenSSL 1.0.1, but I didn't see any similar code. But I still want an statement whether CF's patch has the same issue.
In OpenSSL 1.1.0, there is a bug that causes memory corruption allows a DoS attack. I have reviewed the CloudFlare's patch for OpenSSL 1.0.1, but I didn't see any similar code. But I still want an statement whether CF's patch has the same issue.