It was found that an attacker could force OpenSSL to leak memory and never free it via DTLS packets.
External References: https://www.openssl.org/news/secadv_20140806.txt
Upstream commit: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d0a4b7d1a2948fce38515b8d862f43e7ba0ebf74
Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1127704]
Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1127705]
Created mingw-openssl tracking bugs for this issue: Affects: epel-7 [bug 1127709]
This did not affect openssl packages in Red Hat Enterprise Linux 5 (based on upstream 0.9.8e) and openssl 1.0.0 packages in Red Hat Enterprise Linux 6 (i.e. packages released before RHBA-2013:1585, which rebased openssl from 1.0.0 to 1.0.1e).

The issue was introduced upstream in versions 0.9.8o and 1.0.0a via the following change:

https://rt.openssl.org/Ticket/Display.html?id=2230&user=guest&pass=guest
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c713a4c
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1507f3a
openssl-1.0.1e-39.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
openssl-1.0.1e-39.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
IssueDescription: A flaw was discovered in the way OpenSSL handled DTLS packets. A remote attacker could use this flaw to cause a DTLS server or client using OpenSSL to crash or use excessive amounts of memory.
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2014:1052 https://rhn.redhat.com/errata/RHSA-2014-1052.html

This issue has been addressed in the following products:

  Red Hat Storage 2.1

Via RHSA-2014:1054 https://rhn.redhat.com/errata/RHSA-2014-1054.html
Statement: This did not affect openssl packages in Red Hat Enterprise Linux 5 (based on upstream 0.9.8e) and openssl 1.0.0 packages in Red Hat Enterprise Linux 6 (i.e. packages released before RHBA-2013:1585, which rebased openssl from 1.0.0 to 1.0.1e). The issue was introduced upstream in versions 0.9.8o and 1.0.0a.