We have updated OpenSSL to 1.1.0h in the last release of the legacy client (v82) and to 1.0.2p in the current stable client (v1.0 and up), which protects both us and you against the vulnerabilities. The vulnerabilities fixed by the upgrade to 1.01h are listed below:
- SSL/TLS MITM vulnerability (CVE-2014-0224)
- DTLS recursion flaw (CVE-2014-0221)
- DTLS invalid fragment vulnerability (CVE-2014-0195)
- SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-019)
- SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
- Anonymous ECDH denial of service (CVE-2014-3470)

At this time, there are no reported vulnerabilities with this version of OpenSSL.