The OpenSSL Project has released updates for the popular eponymous open-source library that implements the SSL and TLS protocols.
The new releases – 1.0.1k, 1.0.0p and 0.9.8zd – fix eight vulnerabilities in all, two of which are rated moderate; both affect the DTLS code and can be used for denial-of-service attacks.
The first (CVE-2014-3571) was reported by Cisco Systems researcher Markus Stenberg in December 2014. An attacker can send a specially crafted DTLS message that causes a NULL pointer dereference and a segmentation fault in OpenSSL, crashing the process.
The second (CVE-2015-0206) was reported on Wednesday by researcher Chris Mueller, who also provided an initial patch. It is a memory leak in the DTLS record handling that an attacker can drive to memory exhaustion and, consequently, denial of service.
Among the low-severity vulnerabilities are one in which a client silently downgrades from ECDHE to ECDH, removing forward secrecy from the connection, and one that lets a client present a DH certificate and authenticate to a server without holding the corresponding private key. Most of these low-severity issues are difficult to exploit in practice.
Updating your OpenSSL builds is advised; since none of the issues is rated high, there is no particular rush.
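As an added example (not part of the advisory or the OpenSSL project's own tooling), the following script decides whether a given OpenSSL version string is at or past the fixed release for its branch. The function names are made up for this illustration; the branch-to-letter table comes from the release numbers above, and the ordering of patch letters (a, b, ..., z, then za, zb, ...) is how OpenSSL numbers its 0.9.8 series.

```shell
#!/bin/sh
# Added example: check an OpenSSL version string against the January 2015
# fixed releases (1.0.1k, 1.0.0p, 0.9.8zd). Not from the OpenSSL project.

# Minimum fixed patch suffix for each supported branch (from the advisory).
fixed_patch_for_branch() {
    case "$1" in
        1.0.1) echo k ;;
        1.0.0) echo p ;;
        0.9.8) echo zd ;;
        *)     echo "" ;;
    esac
}

# patch_ge A B: succeed if patch suffix A is at or after B in OpenSSL's
# ordering, where a < b < ... < z < za < zb < ...  A longer suffix is
# therefore always newer; equal lengths compare lexically.
patch_ge() {
    a=$1
    b=$2
    if [ ${#a} -ne ${#b} ]; then
        [ ${#a} -gt ${#b} ]
        return
    fi
    [ "$a" = "$b" ] || expr "$a" \> "$b" >/dev/null
}

# openssl_status VERSION: prints "fixed", "vulnerable", "unknown-branch"
# or "unparseable". Accepts "1.0.1k", "1.0.1k-fips" or the full line
# printed by `openssl version`, e.g. "OpenSSL 1.0.1j 15 Oct 2014".
openssl_status() {
    v=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9]\.[0-9]\.[0-9][a-z]*\).*/\1/p')
    if [ -z "$v" ]; then
        echo unparseable
        return 2
    fi
    branch=$(printf '%s' "$v" | cut -c1-5)   # e.g. 1.0.1
    patch=$(printf '%s' "$v" | cut -c6-)     # e.g. k (may be empty)
    need=$(fixed_patch_for_branch "$branch")
    if [ -z "$need" ]; then
        echo unknown-branch
        return 2
    fi
    if patch_ge "$patch" "$need"; then
        echo fixed
        return 0
    fi
    echo vulnerable
    return 1
}

# Stand-alone use: report on the locally installed binary, if any.
if command -v openssl >/dev/null 2>&1; then
    installed=$(openssl version)
    echo "$installed -> $(openssl_status "$installed")"
fi
```

One caveat a practitioner will hit immediately: distributions such as Debian and Red Hat backport security fixes without bumping the upstream letter, so a reported "1.0.1e" on such a system may already carry these fixes. On those systems check the package changelog or the vendor's advisory rather than trusting the version string alone.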
Check out the security advisory for more details about the vulnerabilities.
As a side note: support for the OpenSSL 1.0.0 and 0.9.8 branches is scheduled to end on December 31, 2015, after which they will receive no security fixes. It is never too early to plan an upgrade to the current release branch (1.0.1).