OpenSSL patches two low and medium severity vulnerabilities
The medium severity vulnerability, tracked as CVE-2017-3736, was addressed with the release of OpenSSL 1.1.0g and 1.0.2m. The OpenSSL development team believes that triggering the issue in a real-world attack would be difficult because of the significant effort needed.
The second flaw, tracked as CVE-2017-3735, was patched with the release of OpenSSL 1.1.0g and 1.0.2m. It is a low severity issue that could lead to an out-of-bounds (OOB) read.
Both vulnerabilities were discovered using OSS-Fuzz, an open source fuzzing service launched by Google in December.