Two vulnerabilities have been reported in OpenSSL, which can be exploited by malicious people to bypass certain security restrictions and cause a Denial of Service, according to Secunia.
1. An error within OpenSSL’s internal certificate verification can lead to OpenSSL accepting CRL (Certificate Revocation Lists) with a “nextUpdate” field set to a date in the past.
2. An error within the implementation of ephemeral ECDH ciphersuites can be exploited to crash a vulnerable server by sending handshake messages within an invalid order.
Successful exploitation of this vulnerability requires that the server enabled and supports the ECDH ciphersuites.
NOTE: Additionally, the ECDH implementation is not thread safe.
The vulnerabilities are reported in versions 1.0.0 through 1.0.0d.
Solution: Update to version 1.0.0e.