Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 before 1.0.1j allows remote attackers to cause a denial-of-service (memory consumption) via a crafted handshake message.
For more information, see
CVE-2014-3513.
CVE-2014-3566
SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding. This padding makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-Oracle attack, such as the POODLE issue.
For more information, see
CVE-2014-3566.
CVE-2014-3567
Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial-of-service (memory consumption). The denial-of-service is caused via a crafted session ticket that triggers an integrity-check failure.
For more information, see
CVE-2014-3567.
CVE-2014-3568
OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option. This fact allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.
For more information, see
CVE-2014-3568.