Virtual Directory Server is not affected by the DTLS and SSL_MODE_RELEASE_BUFFER vulnerabilities in this advisory.
The following is a summary of our findings for these specific velnerabilities:
DTLS recursion flaw (CVE-2014-0221)
====================================
Only affected if the customer does custom development (we do not use DTLS)
DTLS invalid fragment vulnerability (CVE-2014-0195)
====================================================
Only affected if the customer does custom development (we do not use DTLS)
SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
=================================================================
Only affected in version 1.0.0 and using SSL_MODE_RELEASE_BUFFERS (we do not use it)
SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
===============================================================================
Only affected in version 1.0.0 and using SSL_MODE_RELEASE_BUFFERS (we do not use it)
Anonymous ECDH denial of service (CVE-2014-3470)
================================================
Affected but can be avoided by deselecting the anonymous Elliptic Curve Cipher Suites (from supported ciphers just remove it from the list, or create a list without this cipher as probably the list could be too high).
To check the list of ciphers affected:
openssl ciphers -v |grep ECDH
SSL/TLS MITM vulnerability (CVE-2014-0224)
===========================================
Affected
Can result in a MIM being able to decrypt SSL protected traffic