Hi,

Reading the CVE-2014-5139 description,

The issue affects OpenSSL clients and allows a malicious server to crash
the client with a null pointer dereference (read) by specifying an SRP
ciphersuite even though it was not properly negotiated with the client. This can
be exploited through a Denial of Service attack.

OpenSSL 1.0.1 SSL/TLS client users should upgrade to 1.0.1i.


Can someone please clarify whether or not this vulnerability affects
1.0.1 clients which explicitly disable SRP ciphers via
SSL_CTX_set_cipher_list?

I appreciate your help.

Thanks and Best Regards,

Henning

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
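As an added example (not part of Henning's post and not OpenSSL project code), this is the check a client author would run before relying on SSL_CTX_set_cipher_list to keep SRP suites out of the ClientHello. It assumes an `openssl` binary on PATH; `openssl ciphers` applies the same cipher-string rules as SSL_CTX_set_cipher_list, so its output is the suite list a client configured with that string would offer. Results depend on the local build and version (a build configured with `no-srp` lists no SRP suites even for `ALL`, and a modern binary is not 1.0.1). It also shows the difference between `!SRP`, which removes the suites permanently, and `-SRP`, which a later `SRP` entry can add back. Whether excluding the suites is by itself sufficient is exactly what the post asks, and the script does not answer that question.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSL.
# Assumption: an `openssl` binary on PATH. `openssl ciphers` resolves a
# cipher string with the same rules as SSL_CTX_set_cipher_list, so the
# output is what a client built with that string would advertise.

# Print the suites a cipher string resolves to, one per line, with the
# verbose description (Kx=..., Au=..., Enc=...). Empty on an invalid string.
resolve_ciphers() {
    openssl ciphers -v "$1" 2>/dev/null
}

# Count suites whose key exchange is SRP in the resolved list.
# `grep -c` exits 1 when the count is 0, so `|| true` keeps the function
# usable under `set -e`.
count_srp_suites() {
    resolve_ciphers "$1" | grep -c 'Kx=SRP' || true
}

# Exit status 0 if the cipher string advertises no SRP suite, 1 otherwise.
# This is the precondition a client would want to confirm before assuming
# its cipher list keeps SRP out of the handshake.
assert_no_srp() {
    [ "$(count_srp_suites "$1")" -eq 0 ]
}

# Report a few candidate strings side by side. '!SRP' is a permanent
# exclusion; '-SRP' only removes the suites until a later entry re-adds
# them, which is why 'DEFAULT:-SRP:SRP' can still advertise SRP on a
# build that has it, while 'DEFAULT:!SRP:SRP' never does.
for spec in 'DEFAULT' 'DEFAULT:-SRP:SRP' 'DEFAULT:!SRP:SRP' 'DEFAULT:!SRP'; do
    printf '%-22s SRP suites advertised: %s\n' "$spec" "$(count_srp_suites "$spec")"
done

if assert_no_srp 'DEFAULT:!SRP'; then
    echo "DEFAULT:!SRP advertises no SRP key exchange"
fi
```

Run it with `sh check_srp.sh` (any file name). The `Kx=SRP` match is on the key-exchange field of the verbose output rather than on the suite name, so it catches every SRP variant (SRP-RSA-, SRP-DSS- and plain SRP-) without listing them by name.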