CVE-2016-2105

Name	CVE-2016-2105
Description	Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References	DLA-456-1, DSA-3566-1
NVD severity	medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
openssl (PTS)	jessie	1.0.1t-1+deb8u8	fixed
	jessie (security)	1.0.1t-1+deb8u9	fixed
	stretch (security), stretch	1.1.0f-3+deb9u2	fixed
	buster	1.1.0h-4	fixed
	sid	1.1.1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin
openssl	source	(unstable)	1.0.2h-1	medium
openssl	source	jessie	1.0.1k-3+deb8u5	medium	DSA-3566-1
openssl	source	wheezy	1.0.1e-2+deb7u21	medium	DLA-456-1

Notes

Fixed in master in https://git.openssl.org/?p=openssl.git;a=commit;h=ee1e3cac2e83abc77bcc8ff98729ca1e10fcc920
https://www.openssl.org/news/secadv/20160503.txt