Php · Php · CVE-2009-4355
**Name of the Vulnerable Software and Affected Versions**
OpenSSL versions 0.9.8l and earlier
OpenSSL versions 1.0.0 Beta through Beta 4
OpenSSL versions prior to 1.0.0e
**Description**
This issue covers multiple vulnerabilities in the OpenSSL package that can compromise the confidentiality, integrity, and availability of protected information. The vulnerabilities can be exploited remotely. A memory leak in the `zlib_stateful_finish` function in `crypto/comp/c_zlib.c` allows remote attackers to cause a denial of service via vectors that trigger incorrect calls to the `CRYPTO_cleanup_all_ex_data` or `CRYPTO_free_all_ex_data` functions. This can be demonstrated by the use of SSLv3 and PHP with the Apache HTTP Server.
**Recommendations**
For OpenSSL versions 0.9.8l and earlier, update to a version later than 0.9.8l to resolve the issue.
For OpenSSL versions 1.0.0 Beta through Beta 4, update to a version later than Beta 4 to resolve the issue.
For OpenSSL versions prior to 1.0.0e, update to version 1.0.0e or later to resolve the issue.
As a temporary workaround, consider restricting access to the `zlib_stateful_finish` function in `crypto/comp/c_zlib.c` until a patch is available.
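To check hosts against the affected ranges listed above, the following added example (not part of the original advisory or of OpenSSL) classifies a version banner of the kind printed by `openssl version`. The helper names `parse_openssl_version` and `is_affected` are hypothetical, the sample banners are constructed, and the range boundaries are the ones this page states.

```python
import re

# Boundaries taken from the advisory text above.
LAST_AFFECTED_098 = (0, 9, 8, 12)  # 0.9.8l: "l" is the 12th letter
FIRST_FIXED_100 = (1, 0, 0, 5)     # 1.0.0e

# Matches e.g. "0.9.8l", "1.0.0-beta4", "1.0.0e", "3.0.13".
_VERSION_RE = re.compile(
    r"(?<![\w.])(\d+)\.(\d+)\.(\d+)(?:-beta(\d+)|([a-z]{1,2}))?(?![\w.])"
)

def parse_openssl_version(banner):
    """Return a sortable (major, minor, fix, patch) tuple (hypothetical helper)."""
    m = _VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"no OpenSSL version found in {banner!r}")
    beta, letters = m.group(4), m.group(5)
    if beta:
        patch = int(beta) - 1000   # betas sort before the plain release (0)
    else:
        patch = 0
        for ch in letters or "":   # "a" -> 1 ... "z" -> 26, "za" -> 677
            patch = patch * 26 + ord(ch) - ord("a") + 1
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), patch)

def is_affected(banner):
    """True if the version falls in a range this advisory lists as affected."""
    v = parse_openssl_version(banner)
    if v[:3] == (1, 0, 0):
        return v < FIRST_FIXED_100    # betas and 1.0.0 through 1.0.0d
    return v <= LAST_AFFECTED_098     # 0.9.8l and earlier

if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for banner in ["OpenSSL 0.9.8l", "OpenSSL 0.9.8m", "OpenSSL 1.0.0-beta4",
                   "OpenSSL 1.0.0d", "OpenSSL 1.0.0e", "OpenSSL 1.0.1e-fips"]:
        status = "AFFECTED" if is_affected(banner) else "not listed as affected"
        print(f"{banner:22} {status}")
```

Distribution packages often backport fixes without changing the upstream version string, so a banner match is a prompt to check the vendor's package changelog rather than proof of exposure.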