OpenSSL 1.0.2 users should upgrade to 1.0.2a

Issue #11147 invalid
Former user created an issue

The function X509_to_X509_REQ will crash with a NULL pointer dereference if the certificate key is invalid. This function is rarely used in practice.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2a OpenSSL 1.0.1 users should upgrade to 1.0.1m. OpenSSL 1.0.0 users should upgrade to 1.0.0r. OpenSSL 0.9.8 users should upgrade to 0.9.8zf.

This issue was discovered by Brian Carpenter and a fix developed by Stephen Henson of the OpenSSL development team.


As per our previous announcements and our Release Strategy (, support for OpenSSL versions 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these releases will be provided after that date. Users of these releases are advised to upgrade.


URL for this Security Advisory:

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications-*

Comments (2)

  1. Anonymous

    This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0

    Bitbucket is not affected by the vulnerabilities announced by the OpenSSL project today. Two high severity security vulnerabilities CVE-2015-0291 and CVE-2015-0204 have been announced:

    The CVE-2015-0291 vulnerability results in a potential denial of service attack against a server that requests a client’s certificate, which is not something that would happen in most circumstances as it is usually the client that requests the server’s certificate.

    The CVE-2015-0204 vulnerability is a reclassification of the existing and well known FREAK vulnerability (CVE-2015-0204 & CVE-2015-1637), which allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data.-,,

  2. Log in to comment