Comment by pseudohadamard

I particularly like the FIPS bit:

>The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.

"I hereby define the vulnerability to be outside the bit that I define to be secure, therefore we're not vulnerable".