OpenSSL received fixes for a slew of vulnerabilities that could lead to leaking of information, crashing of the client or downgrade to a lower version of the security protocol.
One of the flaws in the OpenSSL SSL/TLS server code, which ended up discovered by David Benjamin and Adam Langley from Google, could allow a potential attacker to negotiate the use of the less secure TLS 1.0 instead of a higher version of the protocol.
This would occur when a badly fragmented “ClientHello” message delivers to a server during a man-in-the-middle attack, forcing the downgrade by changing the TLS records of the client, even if the client and the server include support for a more recent version of the protocol.
Denial of service (DoS) attacks could end up conducted by sending malcrafted DTLS packets that would lead to memory leak; the same could happen when processing DTLS handshake messages.
While researchers from Google, LogMeIn, Codenomicon and NCC Group reported the most recent issues, none of the vulnerabilities come close to the severity of the Heartbleed bug uncovered by Codenomicon in April.
Having said that, administrators should upgrade to the latest version of the OpenSSL library (0.9.8zb, 1.0.0n or 1.0.1i) as soon as possible.