3 https://rt.openssl.org/Ticket/Display.html?id=3339
7 description=NULL pointer dereference in PKCS7_dataDecode could cause a
8 crash. But note this flaw is in an undocumented API with no known use
13 ------------------------------------------------------------
16 https://rt.openssl.org/Ticket/Display.html?id=2608
20 description=A flaw in the base64 decoder which could cause a
21 negative length to be passed to memcpy. This will likely cause
22 a crash if an attacker can cause OpenSSL to parse untrusted
23 base64 encoded content.
27 ------------------------------------------------------------
30 source=http://marc.info/?l=openssl-dev&m=139905714829179&w=2
33 http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0198
34 https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3321
36 Affects 1.0.0* 1.0.1* (not 0.9.8*)
38 Only where an app enables SSL_MODE_RELEASE_BUFFERS
40 patched in git https://github.com/openssl/openssl/commit/3ef477c69f2fd39549123d7b0b869029b46cf989
42 ------------------------------------------------------------
44 Ben: So, there's the patch sitting in the internal repo. The reporters
45 suspect its a non problem because the BUF_mem system allocates enough
46 spare memory to avoid an overflow, but I have not had time to verify
49 ------------------------------------------------------------
51 Ben: And then there's the triple-handshake issue:
52 https://secure-resumption.com/ - first reported in March, but Apple
53 have just released a fix, so expect some PR around it.
55 Probably only an issue for client certs with MITM
57 ------------------------------------------------------------
60 reported=20140509 (cloudflare)
62 primes from RSA keys are left on the heap (which gave heartbleed
63 a more serious consequence). Not a vuln, but worthy hardening fix
65 ------------------------------------------------------------