RE: CVE-2014-0198: SSL_MODE_RELEASE_BUFFERS NULL pointer dereference

2014-06-18 Thread Salz, Rich
That is the value for the flag; it does not say whether or not it is enabled. To enable it you need to call something like SSL_CTX_set_options() with that flag passed in.

--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: Rich

CVE-2014-0198: SSL_MODE_RELEASE_BUFFERS NULL pointer dereference

2014-06-18 Thread Casado, Reyes
Hello,

I have a question about the following statement in the advisory notice http://www.openssl.org/news/secadv_20140605.txt regarding CVE-2014-0198:

"This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common."

I am using OpenS