If you think you have found a security bug in OpenSSL, please report it to us.


Note: All OpenSSL versions before 1.1.1 are out of support and no longer receiving updates. Extended support is available for 1.0.2 from OpenSSL Software Services for premium support customers.


CVE-2020-1968 (OpenSSL advisory) [Low severity] 09 September 2020: The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Reported by Robert Merget, Marcus Brinkmann, Nimrod Aviram, and Juraj Somorovsky.
Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v)

CVE-2020-1967 (OpenSSL advisory) [High severity] 21 April 2020: Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL versions 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Reported by Bernd Edlinger.
Fixed in OpenSSL 1.1.1g (git commit) (Affected 1.1.1d-1.1.1f)

CVE-2013-6449 14 December 2013: A flaw in OpenSSL can cause an application using OpenSSL to crash when using TLS version 1.2. This issue only affected OpenSSL 1.0.1 versions. Reported by Ron Barber.
Fixed in OpenSSL 1.0.1f (git commit) (Affected 1.0.1-1.0.1e)

CVE-2013-6450 13 December 2013: A flaw in DTLS handling can cause an application using OpenSSL and DTLS to crash. This is not a vulnerability for OpenSSL prior to 1.0.0. Reported by Dmitry Sobinov.
Fixed in OpenSSL 1.0.1f (git commit) (Affected 1.0.1-1.0.1e)
Fixed in OpenSSL 1.0.0l (Affected 1.0.0-1.0.0k)

CVE-2013-0166 (OpenSSL advisory) 05 February 2013: A flaw in the OpenSSL handling of OCSP response verification can be exploited in a denial of service attack. Reported by Stephen Henson.
Fixed in OpenSSL 1.0.1d (Affected 1.0.1-1.0.1c)
Fixed in OpenSSL 1.0.0k (Affected 1.0.0-1.0.0j)
Fixed in OpenSSL 0.9.8y (Affected 0.9.8-0.9.8x)

CVE-2012-2686 (OpenSSL advisory) 05 February 2013: A flaw in the OpenSSL handling of CBC ciphersuites in TLS 1.1 and TLS 1.2 on AES-NI supporting platforms can be exploited in a DoS attack. Reported by Adam Langley and Wolfgang Ettlinger.
Fixed in OpenSSL 1.0.1d (Affected 1.0.1-1.0.1c)

CVE-2013-0169 (OpenSSL advisory) 04 February 2013: A weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS which could lead to plaintext recovery by exploiting timing differences arising during MAC processing. Reported by Nadhem J. AlFardan and Kenneth G. Paterson of the Information Security Group Royal Holloway, University of London.
Fixed in OpenSSL 1.0.1d (Affected 1.0.1-1.0.1c)
Fixed in OpenSSL 1.0.0k (Affected 1.0.0-1.0.0j)
Fixed in OpenSSL 0.9.8y (Affected 0.9.8-0.9.8x)

CVE-2012-2333 (OpenSSL advisory) 10 May 2012: An integer underflow flaw, leading to a buffer over-read, was found in the way OpenSSL handled TLS 1.1, TLS 1.2, and DTLS (Datagram Transport Layer Security) application data record lengths when using a block cipher in CBC (cipher-block chaining) mode. A malicious TLS 1.1, TLS 1.2, or DTLS client or server could use this flaw to crash its connection peer. Reported by Codenomicon.
Fixed in OpenSSL 1.0.1c (Affected 1.0.1-1.0.1b)
Fixed in OpenSSL 1.0.0j (Affected 1.0.0-1.0.0i)
Fixed in OpenSSL 0.9.8x (Affected 0.9.8-0.9.8w)

CVE-2012-2131 (OpenSSL advisory) 24 April 2012: It was discovered that the fix for CVE-2012-2110 released on 19 Apr 2012 was not sufficient to correct the issue for OpenSSL 0.9.8. This issue only affects OpenSSL 0.9.8v. OpenSSL 1.0.1a and 1.0.0i already contain a patch sufficient to correct CVE-2012-2110. Reported by Red Hat.
Fixed in OpenSSL 0.9.8w (Affected 0.9.8v)

CVE-2012-2110 (OpenSSL advisory) 19 April 2012: Multiple numeric conversion errors, leading to a buffer overflow, were found in the way OpenSSL parsed ASN.1 (Abstract Syntax Notation One) data from BIO (OpenSSL's I/O abstraction) inputs. Specially-crafted DER (Distinguished Encoding Rules) encoded data read from a file or other BIO input could cause an application using the OpenSSL library to crash or, potentially, execute arbitrary code. Reported by Tavis Ormandy.
Fixed in OpenSSL 1.0.1a (Affected 1.0.1)
Fixed in OpenSSL 1.0.0i (Affected 1.0.0-1.0.0g)
Fixed in OpenSSL 0.9.8v (Affected 0.9.8-0.9.8u)

CVE-2012-0884 (OpenSSL advisory) 12 March 2012: A weakness in the OpenSSL CMS and PKCS #7 code can be exploited using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding, also known as the million message attack (MMA). Only users of CMS, PKCS #7, or S/MIME decryption operations are affected; SSL/TLS applications are not affected by this issue. Reported by Ivan Nestlerode.
Fixed in OpenSSL 1.0.0h (Affected 1.0.0-1.0.0g)
Fixed in OpenSSL 0.9.8u (Affected 0.9.8-0.9.8t)

CVE-2012-0050 (OpenSSL advisory) 04 January 2012: A flaw in the fix to CVE-2011-4108 can be exploited in a denial of service attack. Only DTLS applications are affected. Reported by Antonio Martin.
Fixed in OpenSSL 1.0.0g (Affected 1.0.0f)
Fixed in OpenSSL 0.9.8t (Affected 0.9.8s)

CVE-2012-0027 (OpenSSL advisory) 04 January 2012: A malicious TLS client can send an invalid set of GOST parameters which will cause the server to crash due to lack of error checking. This could be used in a denial-of-service attack. Only users of the OpenSSL GOST ENGINE are affected by this bug. Reported by Andrey Kulikov.
Fixed in OpenSSL 1.0.0f (Affected 1.0.0-1.0.0e)

CVE-2011-4619 (OpenSSL advisory) 04 January 2012: Support for handshake restarts for server gated cryptography (SGC) can be used in a denial-of-service attack. Reported by George Kadianakis.
Fixed in OpenSSL 1.0.0f (Affected 1.0.0-1.0.0e)
Fixed in OpenSSL 0.9.8s (Affected 0.9.8-0.9.8r)

CVE-2011-4577 (OpenSSL advisory) 04 January 2012: RFC 3779 data can be included in certificates, and if it is malformed, may trigger an assertion failure. This could be used in a denial-of-service attack. Builds of OpenSSL are only vulnerable if configured with "enable-rfc3779", which is not a default. Reported by Andrew Chi.
Fixed in OpenSSL 1.0.0f (Affected 1.0.0-1.0.0e)
Fixed in OpenSSL 0.9.8s (Affected 0.9.8-0.9.8r)

CVE-2011-4576 (OpenSSL advisory) 04 January 2012: OpenSSL failed to clear the bytes used as block cipher padding in SSL 3.0 records, which could leak the contents of memory in some circumstances. Reported by Adam Langley.
Fixed in OpenSSL 1.0.0f (Affected 1.0.0-1.0.0e)
Fixed in OpenSSL 0.9.8s (Affected 0.9.8-0.9.8r)

CVE-2011-4109 (OpenSSL advisory) 04 January 2012: If X509_V_FLAG_POLICY_CHECK is set in OpenSSL 0.9.8, then a policy check failure can lead to a double-free. The bug does not occur unless this flag is set. Users of OpenSSL 1.0.0 are not affected. Reported by Ben Laurie.
Fixed in OpenSSL 0.9.8s (Affected 0.9.8-0.9.8r)

CVE-2011-4108 (OpenSSL advisory) 04 January 2012: OpenSSL was susceptible to an extension of the Vaudenay padding oracle attack on CBC mode encryption, which enables an efficient plaintext recovery attack against the OpenSSL implementation of DTLS by exploiting timing differences arising during decryption processing. Reported by Nadhem Alfardan and Kenny Paterson.
Fixed in OpenSSL 1.0.0f (Affected 1.0.0-1.0.0e)
Fixed in OpenSSL 0.9.8s (Affected 0.9.8-0.9.8r)

CVE-2011-3210 (OpenSSL advisory) 06 September 2011: OpenSSL server code for ephemeral ECDH ciphersuites is not thread-safe, and furthermore can crash if a client violates the protocol by sending handshake messages in incorrect order. Only server-side applications that specifically support ephemeral ECDH ciphersuites are affected, and only if ephemeral ECDH ciphersuites are enabled in the configuration. Reported by Adam Langley.
Fixed in OpenSSL 1.0.0e (Affected 1.0.0-1.0.0d)

CVE-2011-3207 (OpenSSL advisory) 06 September 2011: Under certain circumstances OpenSSL's internal certificate verification routines can incorrectly accept a CRL whose nextUpdate field is in the past. Applications are only affected by the CRL checking vulnerability if they enable OpenSSL's internal CRL checking which is off by default. Applications which use their own custom CRL checking (such as Apache) are not affected. Reported by Kaspar Brand.
Fixed in OpenSSL 1.0.0e (Affected 1.0.0-1.0.0d)

CVE-2011-0014 (OpenSSL advisory) 08 February 2011: A buffer over-read flaw was discovered in the way OpenSSL parsed the Certificate Status Request TLS extensions in ClientHello TLS handshake messages. A remote attacker could possibly use this flaw to crash an SSL server using the affected OpenSSL functionality. Reported by Neel Mehta.
Fixed in OpenSSL 1.0.0d (Affected 1.0.0-1.0.0c)
Fixed in OpenSSL 0.9.8r (Affected 0.9.8h-0.9.8q)

CVE-2010-4252 (OpenSSL advisory) 02 December 2010: An error in OpenSSL's experimental J-PAKE implementation which could lead to successful validation by someone with no knowledge of the shared secret. The OpenSSL Team still consider the implementation of J-PAKE to be experimental, and it is not compiled by default. Reported by Sebastian Martini.
Fixed in OpenSSL 1.0.0c (Affected 1.0.0-1.0.0b)

CVE-2010-4180 (OpenSSL advisory) 02 December 2010: A flaw in the OpenSSL SSL/TLS server code where an old bug workaround allows malicious clients to modify the stored session cache ciphersuite. In some cases the ciphersuite can be downgraded to a weaker one on subsequent connections. This issue only affects OpenSSL based SSL/TLS servers if they use OpenSSL's internal caching mechanisms and the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG flag (many applications enable this by using the SSL_OP_ALL option). Reported by Martin Rex.
Fixed in OpenSSL 1.0.0c (Affected 1.0.0-1.0.0b)
Fixed in OpenSSL 0.9.8q (Affected 0.9.8-0.9.8p)

CVE-2010-3864 (OpenSSL advisory) 16 November 2010: A flaw in the OpenSSL TLS server extension code parsing which on affected servers can be exploited in a buffer overrun attack. Any OpenSSL based TLS server is vulnerable if it is multi-threaded and uses OpenSSL's internal caching mechanism. Servers that are multi-process and/or disable internal session caching are NOT affected. Reported by Rob Hulswit.
Fixed in OpenSSL 1.0.0b (Affected 1.0.0-1.0.0a)
Fixed in OpenSSL 0.9.8p (Affected 0.9.8-0.9.8o)

CVE-2010-1633 (OpenSSL advisory) 01 June 2010: An invalid return value check in pkey_rsa_verifyrecover was discovered. When verification recovery fails for RSA keys an uninitialised buffer with an undefined length is returned instead of an error code. This could lead to an information leak. Reported by Peter-Michael Hager.
Fixed in OpenSSL 1.0.0a (Affected 1.0.0)

CVE-2010-0742 (OpenSSL advisory) 01 June 2010: A flaw in the handling of CMS structures containing OriginatorInfo was found which could lead to a write to an invalid memory address or a double free. CMS support is disabled by default in OpenSSL 0.9.8 versions. Reported by Ronald Moesbergen.
Fixed in OpenSSL 1.0.0a (Affected 1.0.0)
Fixed in OpenSSL 0.9.8o (Affected 0.9.8h-0.9.8n)

CVE-2010-0740 (OpenSSL advisory) 24 March 2010: In TLS connections, certain incorrectly formatted records can cause an OpenSSL client or server to crash due to a read attempt at NULL. Reported by Bodo Moeller and Adam Langley (Google).
Fixed in OpenSSL 0.9.8n (Affected 0.9.8f-0.9.8m)

CVE-2009-3245 23 February 2010: It was discovered that OpenSSL did not always check the return value of the bn_wexpand() function. An attacker able to trigger a memory allocation failure in that function could cause an application using the OpenSSL library to crash or, possibly, execute arbitrary code. Reported by Martin Olsson, Neel Mehta.
Fixed in OpenSSL 0.9.8m (git commit) (Affected 0.9.8-0.9.8l)

CVE-2010-0433 19 January 2010: A missing return value check flaw was discovered in OpenSSL that could possibly cause OpenSSL to call a Kerberos library function with invalid arguments, resulting in a NULL pointer dereference crash in the MIT Kerberos library. In certain configurations, a remote attacker could use this flaw to crash a TLS/SSL server using OpenSSL by requesting Kerberos cipher suites during the TLS handshake. Reported by Todd Rinaldo, Tomas Hoger (Red Hat).
Fixed in OpenSSL 0.9.8n (git commit) (Affected 0.9.8-0.9.8m)

CVE-2009-4355 13 January 2010: A memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c allows remote attackers to cause a denial of service via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function. Reported by Michael K Johnson and Andy Grimm (rPath).
Fixed in OpenSSL 0.9.8m (git commit) (Affected 0.9.8-0.9.8l)

CVE-2008-1672 (OpenSSL advisory) 28 May 2008: Testing using the Codenomicon TLS test suite discovered a flaw if the 'Server Key exchange message' is omitted from a TLS handshake in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If a client connects to a malicious server with particular cipher suites, the server could cause the client to crash. Reported by Codenomicon.
Fixed in OpenSSL 0.9.8h (Affected 0.9.8f-0.9.8g)

CVE-2008-0891 (OpenSSL advisory) 28 May 2008: Testing using the Codenomicon TLS test suite discovered a flaw in the handling of server name extension data in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If OpenSSL has been compiled using the non-default TLS server name extensions, a remote attacker could send a carefully crafted packet to a server application using OpenSSL and cause it to crash. Reported by Codenomicon.
Fixed in OpenSSL 0.9.8h (Affected 0.9.8f-0.9.8g)

CVE-2007-5502 (OpenSSL advisory) 29 November 2007: The PRNG implementation for the OpenSSL FIPS Object Module 1.1.1 does not perform auto-seeding during the FIPS self-test, which generates random data that is more predictable than expected and makes it easier for attackers to bypass protection mechanisms that rely on the randomness. Reported by Geoff Lowe.
Fixed in OpenSSL fips-1.1.2 (Affected fips-1.1.1)

CVE-2007-5135 (OpenSSL advisory) 12 October 2007: A flaw was found in the SSL_get_shared_ciphers() utility function. An attacker could send a list of ciphers to an application that used this function and overrun a buffer with a single byte. Few applications make use of this vulnerable function and generally it is used only when applications are compiled for debugging. Reported by Moritz Jodeit.
Fixed in OpenSSL 0.9.8f (Affected 0.9.8-0.9.8e)

CVE-2007-4995 (OpenSSL advisory) 12 October 2007: A flaw in DTLS support. An attacker could create a malicious client or server that could trigger a heap overflow. This is possibly exploitable to run arbitrary code, but it has not been verified. Reported by Andy Polyakov.
Fixed in OpenSSL 0.9.8f (Affected 0.9.8-0.9.8e)

CVE-2006-4343 (OpenSSL advisory) 28 September 2006: A flaw in the SSLv2 client code was discovered. When a client application used OpenSSL to create an SSLv2 connection to a malicious server, that server could cause the client to crash. Reported by openssl.
Fixed in OpenSSL 0.9.8d (Affected 0.9.8-0.9.8c)
Fixed in OpenSSL 0.9.7l (Affected 0.9.7-0.9.7k)

CVE-2006-3738 (OpenSSL advisory) 28 September 2006: A buffer overflow was discovered in the SSL_get_shared_ciphers() utility function. An attacker could send a list of ciphers to an application that uses this function and overrun a buffer. Reported by openssl.
Fixed in OpenSSL 0.9.8d (Affected 0.9.8-0.9.8c)
Fixed in OpenSSL 0.9.7l (Affected 0.9.7-0.9.7k)

CVE-2006-2940 (OpenSSL advisory) 28 September 2006: Certain types of public key can take disproportionate amounts of time to process. This could be used by an attacker in a denial of service attack. Reported by openssl.
Fixed in OpenSSL 0.9.8d (Affected 0.9.8-0.9.8c)
Fixed in OpenSSL 0.9.7l (Affected 0.9.7-0.9.7k)

CVE-2006-2937 (OpenSSL advisory) 28 September 2006: During the parsing of certain invalid ASN.1 structures an error condition is mishandled. This can result in an infinite loop which consumes system memory. Reported by openssl.
Fixed in OpenSSL 0.9.8d (Affected 0.9.8-0.9.8c)
Fixed in OpenSSL 0.9.7l (Affected 0.9.7-0.9.7k)

CVE-2006-4339 (OpenSSL advisory) 05 September 2006: Daniel Bleichenbacher discovered an attack on PKCS #1 v1.5 signatures where under certain circumstances it may be possible for an attacker to forge a PKCS #1 v1.5 signature that would be incorrectly verified by OpenSSL. Reported by openssl.
Fixed in OpenSSL 0.9.8c (Affected 0.9.8-0.9.8b)
Fixed in OpenSSL 0.9.7k (Affected 0.9.7-0.9.7j)

CVE-2005-2969 (OpenSSL advisory) 11 October 2005: A deprecated option, SSL_OP_MSIE_SSLV2_RSA_PADDING, could allow an attacker acting as a "man in the middle" to force a connection to downgrade to SSL 2.0 even if both parties support better protocols. Reported by researcher.
Fixed in OpenSSL 0.9.8a (Affected 0.9.8)
Fixed in OpenSSL 0.9.7h (Affected 0.9.7-0.9.7g)

CVE-2004-0975 30 September 2004: The der_chop script created temporary files insecurely which could allow local users to overwrite files via a symlink attack on temporary files. Note that it is quite unlikely that a user would be using the redundant der_chop script, and this script was removed from the OpenSSL distribution.
Fixed in OpenSSL 0.9.7f (git commit) (Affected 0.9.7-0.9.7e)
Fixed in OpenSSL 0.9.6-cvs (Affected 0.9.6-0.9.6m)

CVE-2004-0112 (OpenSSL advisory) 17 March 2004: A flaw in SSL/TLS handshaking code when using Kerberos ciphersuites. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server configured to use Kerberos ciphersuites in such a way as to cause OpenSSL to crash. Most applications have no ability to use Kerberos ciphersuites and will therefore be unaffected. Reported by OpenSSL group (Stephen Henson).
Fixed in OpenSSL 0.9.7d (Affected 0.9.7a-0.9.7c)

CVE-2004-0081 (OpenSSL advisory) 17 March 2004: The Codenomicon TLS Test Tool found that some unknown message types were handled incorrectly, allowing a remote attacker to cause a denial of service (infinite loop). Reported by OpenSSL group.
Fixed in OpenSSL 0.9.6d (Affected 0.9.6-0.9.6c)

CVE-2004-0079 (OpenSSL advisory) 17 March 2004: The Codenomicon TLS Test Tool uncovered a null-pointer assignment in the do_change_cipher_spec() function. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that used the OpenSSL library in such a way as to cause a crash. Reported by OpenSSL group.
Fixed in OpenSSL 0.9.7d (Affected 0.9.7-0.9.7c)
Fixed in OpenSSL 0.9.6m (Affected 0.9.6c-0.9.6l)

CVE-2003-0851 (OpenSSL advisory) 04 November 2003: A flaw in OpenSSL 0.9.6k (only) would cause certain ASN.1 sequences to trigger a large recursion. On platforms such as Windows this large recursion cannot be handled correctly and so the bug causes OpenSSL to crash. A remote attacker could exploit this flaw if they can send arbitrary ASN.1 sequences which would cause OpenSSL to crash. This could be performed for example by sending a client certificate to a SSL/TLS enabled server which is configured to accept them. Reported by Novell.
Fixed in OpenSSL 0.9.6l (Affected 0.9.6k)

CVE-2003-0545 (OpenSSL advisory) 30 September 2003: Certain ASN.1 encodings that were rejected as invalid by the parser could trigger a bug in the deallocation of the corresponding data structure, corrupting the stack, leading to a crash. Reported by NISCC.
Fixed in OpenSSL 0.9.7c (Affected 0.9.7-0.9.7b)

CVE-2003-0544 (OpenSSL advisory) 30 September 2003: Incorrect tracking of the number of characters in certain ASN.1 inputs could allow remote attackers to cause a denial of service (crash) by sending an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used. Reported by NISCC.
Fixed in OpenSSL 0.9.7c (Affected 0.9.7-0.9.7b)
Fixed in OpenSSL 0.9.6k (Affected 0.9.6-0.9.6j)

CVE-2003-0543 (OpenSSL advisory) 30 September 2003: An integer overflow could allow remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values. Reported by NISCC.
Fixed in OpenSSL 0.9.7c (Affected 0.9.7-0.9.7b)
Fixed in OpenSSL 0.9.6k (Affected 0.9.6-0.9.6j)

CVE-2003-0131 (OpenSSL advisory) 19 March 2003: The SSL and TLS components allowed remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that caused OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the "Klima-Pokorny-Rosa attack".
Fixed in OpenSSL 0.9.7b (Affected 0.9.7-0.9.7a)
Fixed in OpenSSL 0.9.6j (Affected 0.9.6-0.9.6i)

CVE-2003-0147 (OpenSSL advisory) 14 March 2003: RSA blinding was not enabled by default, which could allow local and remote attackers to obtain a server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal).
Fixed in OpenSSL 0.9.7b (Affected 0.9.7-0.9.7a)
Fixed in OpenSSL 0.9.6j (Affected 0.9.6-0.9.6i)

CVE-2003-0078 (OpenSSL advisory) 19 February 2003: ssl3_get_record in s3_pkt.c did not perform a MAC computation if an incorrect block cipher padding was used, causing an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack."
Fixed in OpenSSL 0.9.7a (Affected 0.9.7)
Fixed in OpenSSL 0.9.6i (Affected 0.9.6-0.9.6h)