The OpenSSL Project has issued patches to fix flaws that could leave secure servers open to denial of service attacks. These vulnerabilities have been fixed in OpenSSL 0.9.6m and 0.9.7d, available from the project’s web site.
OpenSSL is an open source toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, and is used in security products from numerous vendors. Cisco has already released an advisory for customers, while Oracle and Symantec say none of their OpenSSL-based products are affected. OpenSSL is also used in products from IBM, FreeBSD, Red Hat, SUSE and others. The advisory from UK’s National Infrastructure Security Co-ordination Centre (NISCC) includes an updated list of vendor responses.
Last summer the NISCC identified several similar vulnerabilities in OpenSSL. In December, Oracle issued a critical update to address security holes in its implementation of OpenSSL.