OpenSSL · OpenSSL · CVE-2013-6449
**Name of the Vulnerable Software and Affected Versions**
OpenSSL versions prior to 1.0.1j
OpenSSL versions 1.0.1
**Description**
The issue concerns multiple vulnerabilities in the OpenSSL package that can be exploited remotely, potentially leading to breaches in confidentiality, integrity, and availability of protected information. A specific flaw in the `ssl_get_algorithm2` function can cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited.
**Recommendations**
For OpenSSL versions prior to 1.0.1j, update to version 1.0.1j or later to resolve the issue.
For OpenSSL version 1.0.1, consider disabling the `ssl_get_algorithm2` function as a temporary workaround until a patch is available.
Restrict access to TLS 1.2 clients to minimize the risk of exploitation.
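To apply the first recommendation across an inventory, the check below compares `openssl version` banners against the 1.0.1j release named above, handling OpenSSL's letter-suffix releases. It is an added example, not part of the original advisory; the function names and sample banners are constructed for illustration.

```python
import re
import ssl

# Fixed release named in the recommendation above.
FIXED_RELEASE = "1.0.1j"

# Matches "OpenSSL 1.0.1e-fips 11 Feb 2013" or a bare "1.0.1j".
# Pre-1.1.0 letter suffixes are at most two letters (a..z, then za, zb, ...).
_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]{0,2})(?![a-z])")


def parse_openssl_version(text):
    """Return a sortable key for an OpenSSL version or banner, or None."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        return None  # LibreSSL, BoringSSL, beta builds: not comparable here
    major, minor, fix, letters = m.groups()
    # Letter releases order as "" < a < ... < z < za < zb, so compare
    # by suffix length first, then alphabetically.
    return (int(major), int(minor), int(fix), len(letters), letters)


def needs_update(banner, fixed=FIXED_RELEASE):
    """True if older than `fixed`, False if not, None if unparseable."""
    found = parse_openssl_version(banner)
    if found is None:
        return None
    return found < parse_openssl_version(fixed)


# Constructed sample banners in the format printed by `openssl version`.
SAMPLES = [
    "OpenSSL 1.0.1 14 Mar 2012",
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.1j 15 Oct 2014",
    "OpenSSL 0.9.8zh 3 Dec 2015",
    "OpenSSL 3.0.2 15 Mar 2022",
    "LibreSSL 2.8.3",
]

if __name__ == "__main__":
    # Also report on the library this Python interpreter is linked against.
    for banner in SAMPLES + [ssl.OPENSSL_VERSION]:
        verdict = {True: "UPDATE", False: "ok", None: "unknown"}[needs_update(banner)]
        print(f"{verdict:8} {banner}")
```

Distribution packages often backport fixes without changing the upstream version string, so treat an `UPDATE` result on a vendor build as a prompt to check the package changelog rather than as proof of exposure.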