On Sun, Jun 12, 2016 at 10:49:23PM +0200, Ludovic Courtès wrote:
> Leo Famulari skribis:
> > CVE-2016-2177
> > http://seclists.org/oss-sec/2016/q2/500
> >
> > CVE-2016-2178
> > http://seclists.org/oss-sec/2016/q2/493
> >
> > Should we try cherry-picking the upstream commits from the OpenSSL
> > development repo?
>
> Sounds like it. Could you look into it?

I've attached my patch.

According to OpenSSL's security policy [0], they seem to consider these
bugs to be "LOW severity", since they did not keep them private or issue
a new release, or even an advisory [1].

There is also some discussion of the severity in this thread:
http://seclists.org/oss-sec/2016/q2/493

So, perhaps it's not worth the risk of cherry-picking these commits out
of context, at least not without asking the upstream maintainers.

Thoughts?

[0] https://www.openssl.org/policies/secpolicy.html
[1] https://www.openssl.org/news/vulnerabilities.html#y2016