The OpenSSL Project has patched several vulnerabilities in OpenSSL with the release of versions 1.1.0a, 1.0.2i and 1.0.1u.
The latest versions of the cryptographic software library fix one high severity issue. The flaw, tracked as CVE-2016-6304, can be exploited for denial-of-service (DoS) attacks by sending the targeted server a huge OCSP Status Request extension, which causes memory exhaustion.
The OpenSSL Project said the security hole affects servers in their default configuration even if they don’t support OCSP, but builds compiled with the “no-ocsp” option are not affected. Furthermore, servers running OpenSSL versions prior to 1.0.1g are not vulnerable in their default configuration.
The vulnerability was reported to OpenSSL developers by Shi Lei, a researcher at Chinese security firm Qihoo 360.
OpenSSL 1.1.0, which was released less than a month ago, also has a moderate severity flaw (CVE-2016-6305) that an attacker could leverage for DoS attacks.
Twelve low severity vulnerabilities were also fixed in the latest versions of OpenSSL.
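The practical question for an administrator is whether a given installation is at or beyond the fixed release for its branch. The following script is an added example, not code from the OpenSSL Project or from the advisory it summarises; it parses the banner printed by `openssl version`, compares the letter suffix against the fixed releases named above (1.1.0a, 1.0.2i, 1.0.1u), and applies the two qualifiers from the text: CVE-2016-6304 does not expose pre-1.0.1g servers in their default configuration, and CVE-2016-6305 concerns only the 1.1.0 branch. Branches the article does not mention (1.0.0, 0.9.8) are reported as not covered rather than guessed at. The function names, the result dictionary layout and the sample banners are this example's own constructions.

```python
import re
import subprocess

# First letter release of each supported branch that carries the fixes,
# as named in the advisory summary.
FIXED_RELEASE = {"1.1.0": "a", "1.0.2": "i", "1.0.1": "u"}


def parse_version(banner):
    """Extract (branch, letter) from an 'openssl version' banner.

    'OpenSSL 1.0.2h  <release date>' -> ('1.0.2', 'h'); a base release such
    as 'OpenSSL 1.1.0' yields an empty letter suffix.
    """
    m = re.search(r"\b(\d+\.\d+\.\d+)([a-z]*)", banner)
    if not m:
        raise ValueError("no OpenSSL version number in: %r" % banner)
    return m.group(1), m.group(2)


def suffix_rank(letter):
    # OpenSSL letter suffixes order as '' < 'a' < ... < 'z' < 'za' < 'zb' ...,
    # so compare by length first, then alphabetically.
    return (len(letter), letter)


def assess(banner):
    """Classify a version banner against the fixes described in the article."""
    branch, letter = parse_version(banner)
    result = {"branch": branch, "letter": letter,
              "covered": branch in FIXED_RELEASE}
    if not result["covered"]:
        # 1.0.0, 0.9.8 and older are not addressed by this advisory summary;
        # report that rather than inventing a verdict.
        return result

    patched = suffix_rank(letter) >= suffix_rank(FIXED_RELEASE[branch])
    result["patched"] = patched

    # CVE-2016-6304: servers before 1.0.1g are not vulnerable in their
    # default configuration, so only 1.0.1g and later unpatched builds count.
    old_1_0_1 = branch == "1.0.1" and suffix_rank(letter) < suffix_rank("g")
    result["cve_2016_6304_default_exposed"] = not patched and not old_1_0_1

    # CVE-2016-6305 affects only the 1.1.0 branch prior to 1.1.0a.
    result["cve_2016_6305_exposed"] = not patched and branch == "1.1.0"
    return result


def assess_installed():
    """Run the local 'openssl version' binary and assess its banner."""
    proc = subprocess.run(["openssl", "version"], capture_output=True,
                          text=True, check=True)
    return assess(proc.stdout)


if __name__ == "__main__":
    try:
        print(assess_installed())
    except (OSError, subprocess.CalledProcessError) as exc:
        print("could not run openssl:", exc)
```

The check is deliberately limited to the upstream version string; distributions that backport fixes without bumping the letter suffix will show as unpatched here, and the authoritative answer for such packages is the vendor's own changelog. A build made with the “no-ocsp” option is also not detectable from the banner alone.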