So the 1.0.1f released fixed 3 CVEs. The links on http://www.openssl.org/news/vulnerabilities.html suggest that the following commits are needed: CVE-2013-4353: 197e0ea817ad64820789d86711d55ff50d71f631
CVE-2013-6450: 34628967f1e65dc8f34e000f0f5518e21afbfc7b CVE-2013-6449: ca989269a2876bae79393bd54c3e72d49975fc75 As can been seen in RT #3214, applying only 34628967f1e65dc8f34e000f0f5518e21afbfc7b for CVE-2013-6450 will result in different crashes and you also need a6c62f0c25a756c263a80ce52afbae888028e986 For CVE-2013-6449 people have also been saying that you need 0294b2be5f4c11e60620c0018674ff0e17b14238. At least both commits originate from the same bug report. Could you please clarify things? Kurt ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org