1. Floren
    National Vulnerability Database issued CVE-2010-5298: A 4 years old race condition was discovered recently in the s3_pkt.c ssl3_read_bytes function for all versions of OpenSSL, including 1.0.1g. When SSL_MODE_RELEASE_BUFFERS is enabled, it allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.

    OpenBSD developer Ted Unangst was looking over the OpenSSL source to find ways of dealing with the Heartbleed issue when he discovered that the package featured a number of exploit mitigation countermeasures. When he disabled those countermeasures, OpenSSL ceased to function.

    A ticket was open in 2010 into OpenSSL tracker, but unfortunately ignored. Technically, a remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. With the recent Heartbleed attention, most major distributions decided to implement the patch, except Red Hat. In RHEL 6, the only package having enabled SSL_MODE_RELEASE_BUFFERS is tog-pegasus, which explains the low level priority.

    Please be aware that Nginx is the most common application which this bug has a direct impact. We already patched the OpenSSL packages in AXIVO repository, please update ASAP your server software.
    MattW likes this.