
Brice Canvel

Researcher at EPFL
#35487 of 53,638
7.5 total CVSS
Vulnerabilities · 1
PT-2003-1004
7.5
2003-03-03
Eric A. Young Tim J. Hudson · Ssleay · CVE-2003-0078
**Name of the Vulnerable Software and Affected Versions**

- OpenSSL versions prior to 0.9.6i
- OpenSSL versions prior to 0.9.7a
- OpenSSL-0.9.5a
- OpenSSL-0.9.6b
- OpenSSL-devel-0.9.5a
- OpenSSL-devel-0.9.6b
- OpenSSL-devel-0.9.6
- ssleay (affected versions not specified)

**Description**

The issue is related to multiple vulnerabilities in the OpenSSL package, which can lead to a breach of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. The problem lies in the `ssl3_get_record` function in `s3_pkt.c`, which does not perform a MAC computation if an incorrect block cipher padding is used, causing an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks. This could potentially lead to the extraction of the original plaintext.

**Recommendations**

- For OpenSSL versions prior to 0.9.6i and 0.9.7a, update to a version that includes the fix for the `ssl3_get_record` function issue.
- For OpenSSL-0.9.5a, OpenSSL-0.9.6b, OpenSSL-devel-0.9.5a, OpenSSL-devel-0.9.6b, and OpenSSL-devel-0.9.6, consider disabling the `ssl3_get_record` function as a temporary workaround until a patch is available.
- For ssleay, at the moment, there is no information about a newer version that contains a fix for this vulnerability.