OpenSSL security patch for DROWN

A cross-protocol attack was discovered that could lead to decryption of TLS
sessions by using a server supporting SSLv2 and EXPORT cipher suites as a
Bleichenbacher RSA padding oracle.  Note that traffic between clients and
non-vulnerable servers can be decrypted provided another server supporting
SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP
or POP3) shares the RSA keys of the non-vulnerable server.  This vulnerability
is known as DROWN.  [CVE-2016-0800]

A double free bug was discovered when OpenSSL parses malformed DSA private
keys and could lead to a DoS attack or memory corruption for applications that
receive DSA private keys from untrusted sources.  This scenario is considered
rare.  [CVE-2016-0705]

The SRP user database lookup method SRP_VBASE_get_by_user had confusing memory
management semantics; the returned pointer was sometimes newly allocated, and
sometimes owned by the callee.  The calling code has no way of distinguishing
these two cases.  [CVE-2016-0798]

In the BN_hex2bn function, the number of hex digits is calculated using an int
value |i|.  Later |bn_expand| is called with a value of |i * 4|.  For large
values of |i| this can result in |bn_expand| not allocating any memory because
|i * 4| is negative.  This can leave the internal BIGNUM data field as NULL
leading to a subsequent NULL pointer dereference.  For very large values of
|i|, the calculation |i * 4| could be a positive value smaller than |i|.  In
this case memory is allocated to the internal BIGNUM data field, but it is
insufficiently sized leading to heap corruption.  A similar issue exists in
BN_dec2bn.  This could have security consequences if BN_hex2bn/BN_dec2bn is
ever called by user applications with very large untrusted hex/dec data.  This
is anticipated to be a rare occurrence.  [CVE-2016-0797]

The internal |fmtstr| function used in processing a "%s" formatted string in
the BIO_*printf functions could overflow while calculating the length of
a string and cause an out-of-bounds read when printing very long strings.
[CVE-2016-0799]

A side-channel attack was found which makes use of cache-bank conflicts on the
Intel Sandy-Bridge microarchitecture which could lead to the recovery of RSA
keys. [CVE-2016-0702]

s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers.
If clear-key bytes are present for these ciphers, they displace encrypted-key
bytes.  [CVE-2016-0703]

s2_srvr.c overwrites the wrong bytes in the master key when applying
Bleichenbacher protection for export cipher suites.  [CVE-2016-0704]

Obtained from: OpenSSL & FreeBSD