The new OpenSSL patch I wrote about yesterday is now released. Shortly before the release, they had to fix another issue in the OpenSSL patches, which have now been released.

You can find the new versions here: http://openssl.org/source/ – packages for most Linux distributions are probably in the works right now. (Check the relevant links below.)

As the OpenSSL website isn't serving the security advisory right now, here it is: openssl_secadv_20150319

The highest-rated vulnerability is a DoS in ClientHello handling which only affects OpenSSL 1.0.2 – users of 1.0.2 should upgrade to 1.0.2a.

If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server. – OpenSSL Announcement

In addition, they have re-rated the issue "RSA silently downgrades to EXPORT_RSA", which is now high severity (previously low).
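Added here as a worked example, not taken from the post above or from the OpenSSL project: a small POSIX shell script with the two checks an admin would want after reading the advisory. The first parses the output of `openssl version` and tells you whether a 1.0.2 build still needs the 1.0.2a update; the second offers only EXPORT ciphers to a server with `openssl s_client` to see whether it still accepts export-grade RSA. The version strings fed to the parser are constructed sample input; the host in the commented usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSSL).
#
# openssl_102_status VERSION_STRING
#   Prints "affected" for a 1.0.2 build before 1.0.2a (hit by the
#   ClientHello DoS), "fixed" for 1.0.2a or later, and "not-1.0.2" for
#   anything else (0.9.8, 1.0.0, 1.0.1 are not covered by this check).
openssl_102_status() {
    # Pull the version token out of e.g. "OpenSSL 1.0.2a 19 Mar 2015"
    # or "OpenSSL 1.0.2k-fips  26 Jan 2017" -> "1.0.2a" / "1.0.2k".
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.2)        echo affected ;;   # plain 1.0.2 (also 1.0.2-beta*): upgrade
        1.0.2[a-z]*)  echo fixed ;;      # 1.0.2a or later letter release
        *)            echo not-1.0.2 ;;  # other branch, or no OpenSSL at all
    esac
}

# check_export_rsa HOST [PORT]
#   Sends a ClientHello that offers only export-grade cipher suites. A
#   successful handshake means the server still accepts EXPORT_RSA, which
#   is what makes the re-rated downgrade issue exploitable against its
#   clients. A handshake failure ("Cipher : 0000") is the good outcome.
#   Caveat: the local openssl must itself still contain the EXPORT suites
#   (1.0.x does; later releases dropped them and report "no cipher match").
#   Needs network access, so it is not run by the offline test.
check_export_rsa() {
    host=$1
    port=${2:-443}
    if printf '' | openssl s_client -connect "$host:$port" -cipher 'EXPORT' 2>&1 \
            | grep -q '^ *Cipher *: *EXP'; then
        echo "$host:$port accepts EXPORT ciphers: exposed to the EXPORT_RSA downgrade"
        return 1
    fi
    echo "$host:$port refuses EXPORT ciphers"
    return 0
}

# Local check on whatever openssl is installed (empty string if none).
echo "local OpenSSL 1.0.2 status: $(openssl_102_status "$(openssl version 2>/dev/null)")"
# Remote check, placeholder host (hypothetical):
# check_export_rsa www.example.org 443
```

Run it as-is to classify the local build; uncomment the last line with one of your own hosts to probe a server. Treat "affected" together with a server that accepts EXPORT ciphers as the two things to fix first.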

Relevant Links:

– SANS ISC

– Original OpenSSL Security Advisory

– Debian CVE