The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 before 1.0.1i allows remote SSL servers to cause a denial of service (NULL pointer dereference and client application crash) via a ServerHello message that includes an SRP ciphersuite without the required negotiation of that ciphersuite with the client. (CVE-2014-5139)
Impact
An attacker may be able to cause a denial-of-service (DoS) attack by specifying a Secure Remote Password (SRP) ciphersuite, even if it was not properly negotiated with the client.