Hi,

> Package : openssl
> CVE ID : CVE-2014-0195 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470
is it intentional that you didn't fix CVE-2014-0198 and CVE-2010-5298? The OpenSSL advisory is quite misleading with this:

| where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and
| not common.

SSL_MODE_RELEASE_BUFFERS is just an option one can enable at runtime using SSL_CTX_set_mode() or SSL_set_mode(). It happens to not be enabled by default when you instantiate an SSL context or connection object, but it is not all that uncommon for it to be used for scalability purposes. Apache 2.4, for example, has code to enable it (I don't know exactly when it was merged, but the version in wheezy seems to not have it yet) if you set MaxMemFree to some non-zero value (zero being the default); nginx seems to enable it unconditionally, even in the wheezy version; and I suspect there are more.

Regards,
Florian

Archive: https://lists.debian.org/20140605144635.ga12...@florz.florz.dyndns.org
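As an added example (not part of Florian's mail, nor code from the Debian, Apache, nginx or OpenSSL projects), the following POSIX shell script audits the two routes the message describes by which SSL_MODE_RELEASE_BUFFERS can end up enabled in a deployment, so an operator can decide whether the advisory's "not the default and not common" qualifier actually applies to them: an Apache httpd configuration whose last active MaxMemFree directive is non-zero, and source code that passes SSL_MODE_RELEASE_BUFFERS to SSL_CTX_set_mode() or SSL_set_mode(). The sample config and source files are constructed inline; the function names, file names and the `MaxMemFree 2048` value are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original mail: audit whether a deployment ends up
# with SSL_MODE_RELEASE_BUFFERS enabled, the condition the OpenSSL advisory
# attaches to CVE-2014-0198 / CVE-2010-5298.
#   1. Apache httpd: per the mail, the mode is enabled when MaxMemFree is set
#      to a non-zero value (0 is the default), so we parse the config for it.
#   2. Any source tree (nginx enables it unconditionally, per the mail): look
#      for SSL_CTX_set_mode()/SSL_set_mode() calls passing the flag.
# All file names and contents below are constructed for this demonstration.

# Exit 0 if the Apache config's last active MaxMemFree directive is non-zero.
# Commented-out directives (leading '#') are ignored; a missing file counts
# as "default".
apache_release_buffers() {
    conf="$1"
    val=$(grep -i '^[[:space:]]*MaxMemFree[[:space:]]' "$conf" 2>/dev/null \
          | tail -n 1 | awk '{print $2}')
    [ -n "$val" ] && [ "$val" -ne 0 ] 2>/dev/null
}

# Exit 0 if any given source file passes SSL_MODE_RELEASE_BUFFERS to a
# set_mode call (the call and the flag within the same statement).
source_release_buffers() {
    grep -lE 'SSL(_CTX)?_set_mode[^;]*SSL_MODE_RELEASE_BUFFERS' "$@" 2>/dev/null \
        | grep -q .
}

# Build constructed sample inputs in a scratch directory.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/httpd-default.conf" <<'EOF'
# constructed: stock config, MaxMemFree left at its default of 0
ServerName www.example.invalid
# MaxMemFree 4096   (commented out, must not count)
EOF
cat > "$SAMPLE_DIR/httpd-tuned.conf" <<'EOF'
# constructed: memory tuning that, per the mail, also enables the mode
ServerName www.example.invalid
MaxMemFree 2048
EOF
cat > "$SAMPLE_DIR/unconditional.c" <<'EOF'
/* constructed: models a server enabling the mode unconditionally
   (not actual nginx source) */
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
EOF
cat > "$SAMPLE_DIR/other.c" <<'EOF'
/* constructed: sets a different mode flag, must not match */
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
EOF

# Print a human-readable verdict for each sample.
report() {
    if "$@"; then echo "ENABLED  : $*"; else echo "default  : $*"; fi
}
report apache_release_buffers "$SAMPLE_DIR/httpd-default.conf"
report apache_release_buffers "$SAMPLE_DIR/httpd-tuned.conf"
report source_release_buffers "$SAMPLE_DIR/unconditional.c"
report source_release_buffers "$SAMPLE_DIR/other.c"
```

Point the two functions at a real httpd.conf (including any files it Includes) and at the server's source tree to get the verdict for an actual system; a hit from either function means the "not the default" qualifier in the advisory does not describe that deployment.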