New, patched versions of the OpenSSL library were released on Tuesday to close a hole that lets a remote attacker crash a TLS server (denial of service) and potentially execute arbitrary code on it.
According to the advisory released by the OpenSSL security team, the vulnerability affects all versions of OpenSSL that support TLS extensions: the 0.9.8f through 0.9.8o releases, and 1.0.0 and 1.0.0a.
“Any OpenSSL based TLS server is vulnerable if it is multi-threaded and uses OpenSSL’s internal caching mechanism. Servers that are multi-process and/or disable internal session caching are NOT affected,” points out the team. “In particular the Apache HTTP server (which never uses OpenSSL internal caching) and Stunnel (which includes its own workaround) are NOT affected.”
The Red Hat Security Response Team also acknowledged the vulnerability and released updated openssl packages for Red Hat Enterprise Linux 6.
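The advisory's exposure test has three parts: an affected OpenSSL release, a multi-threaded server, and use of OpenSSL's internal session cache. The script below is an added example, not code from the advisory or from the OpenSSL project, that encodes those three conditions as a quick self-assessment. It parses the first line of `openssl version` output (the sample line is constructed), matches the version against the affected list quoted above, and then applies the threading and caching conditions, which you supply as arguments because they cannot be read off a version string.

```shell
#!/bin/sh
# Added example: encode the OpenSSL advisory's affected-version list and its
# server-side preconditions as an offline self-assessment. Nothing here
# contacts a server or needs an OpenSSL build; inputs are passed in.

# Extract the version token from a line of `openssl version` output such as
# "OpenSSL 1.0.0a 1 Jun 2010" or "OpenSSL 0.9.8o-fips 01 Jun 2010".
# A vendor suffix such as "-fips" is dropped; non-OpenSSL output is rejected.
parse_openssl_version() {
    # $1: one line of `openssl version` output (word-split on purpose)
    set -- $1
    [ "$1" = "OpenSSL" ] || return 1
    printf '%s\n' "${2%%-*}"
}

# Is this upstream version one the advisory lists as affected?
# Listed: 0.9.8f through 0.9.8o, 1.0.0 and 1.0.0a. Releases before 0.9.8f
# predate TLS extension support and are not in the list.
openssl_version_affected() {
    case "$1" in
        0.9.8[f-o]) return 0 ;;
        1.0.0|1.0.0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply all three of the advisory's preconditions to one deployment.
#   $1 version token (from parse_openssl_version)
#   $2 "multi-threaded" or "multi-process"
#   $3 "internal-cache" or "no-internal-cache"
# Returns 0 only when every precondition for the bug holds, 1 otherwise.
deployment_vulnerable() {
    openssl_version_affected "$1" || return 1
    [ "$2" = "multi-threaded" ] || return 1
    [ "$3" = "internal-cache" ] || return 1
    return 0
}

# Constructed sample input mimicking `openssl version` on an affected build.
main() {
    line="OpenSSL 1.0.0a 1 Jun 2010"
    v=$(parse_openssl_version "$line") || {
        echo "unrecognised output: $line"
        return 2
    }
    if deployment_vulnerable "$v" multi-threaded internal-cache; then
        echo "$v, multi-threaded, internal session cache: matches the advisory's vulnerable configuration"
    else
        echo "$v: does not match the advisory's vulnerable configuration"
    fi
}

main
```

Two caveats when using this. First, a version match is a prompt to check your vendor's errata, not proof of exposure: distributions such as Red Hat backport fixes without changing the upstream version string, so a patched package can still report 0.9.8o or 1.0.0a. Second, the threading and caching facts are yours to establish; in OpenSSL the internal cache is controlled through `SSL_CTX_set_session_cache_mode()`, and a server that sets `SSL_SESS_CACHE_OFF` there is in the "disables internal session caching" class the advisory describes as not affected.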