The OpenSSL development team has released a Security Advisory describing 9 new vulnerabilities in OpenSSL, and strongly recommends updating:
OpenSSL 0.9.8 users to version 0.9.8zb
OpenSSL 1.0.0 users to version 1.0.0n
OpenSSL 1.0.1 users to version 1.0.1i
Fixed vulnerabilities:
Information leak in pretty printing functions (CVE-2014-3508) - leaks information from the stack when the pretty-printing functions are used.
Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139) - crashes the client (NULL pointer dereference) if the server uses an SRP ciphersuite.
Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509) - a malicious server can write up to 255 bytes into client memory.
Double free when processing DTLS packets (CVE-2014-3505) - crashes the client if the server sends a specially crafted DTLS packet.
DTLS memory exhaustion (CVE-2014-3506) - leads to excessive memory consumption when processing DTLS packets.
DTLS memory leak from zero-length fragments (CVE-2014-3507) - a specially crafted DTLS packet causes a memory leak.
OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510) - crashes the client if the server uses anonymous EC(DH) and sends a specially crafted handshake.
OpenSSL TLS protocol downgrade attack (CVE-2014-3511) - allows a man-in-the-middle attacker to downgrade the connection to TLS 1.0.
SRP buffer overrun (CVE-2014-3512) - allows an attacker to overrun the internal SRP processing buffer.
If your distribution splits the package, remember to update libssl, not just openssl itself. Naturally, applications that use openssl must be restarted. On Debian you can use the checkrestart utility from debian-goodies to find them.
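As an added example (not part of the advisory or this post), a POSIX shell helper that checks an `openssl version` string against the fixed releases listed above and, in the spirit of checkrestart, lists processes that still map a deleted libssl/libcrypto. The function names and the sample version strings are my own.

```shell
#!/bin/sh
# Added example: is this OpenSSL version at or past the fixed release for its
# branch, and which running processes still use the old library?

# Fixed patch letter per branch, as stated in the advisory.
fixed_letter_for_branch() {
    case "$1" in
        0.9.8) echo zb ;;
        1.0.0) echo n ;;
        1.0.1) echo i ;;
        *) echo "" ;;       # branch not covered by this advisory
    esac
}

# Usage: openssl_is_fixed "OpenSSL 1.0.1h 5 Jun 2014"
# Prints fixed / vulnerable / unknown; returns 0 only when fixed.
openssl_is_fixed() {
    # second word is the version (e.g. 1.0.1h); drop a "-fips"-style suffix
    ver=$(printf '%s\n' "$1" | awk '{print $2}' | cut -d- -f1)
    branch=$(printf '%s\n' "$ver" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/')
    letter=$(printf '%s\n' "$ver" | sed 's/^[0-9]*\.[0-9]*\.[0-9]*//')
    fixed=$(fixed_letter_for_branch "$branch")
    if [ -z "$fixed" ]; then
        echo unknown; return 2
    fi
    # Patch letters sort bytewise (..., y, za, zb), and a missing letter
    # (the base release) sorts before any letter, so the smaller of the two
    # strings equals the fixed letter exactly when letter >= fixed.
    smaller=$(printf '%s\n%s\n' "$letter" "$fixed" | LC_ALL=C sort | head -n1)
    if [ "$smaller" = "$fixed" ]; then
        echo fixed; return 0
    fi
    echo vulnerable; return 1
}

# Like checkrestart: PIDs (with command name) whose memory map still refers
# to a deleted libssl/libcrypto, i.e. not restarted since the library update.
# Linux only; reading other users' /proc/<pid>/maps needs root.
processes_using_stale_openssl() {
    for maps in $(grep -lE 'lib(ssl|crypto)\.so.*\(deleted\)' /proc/[0-9]*/maps 2>/dev/null); do
        pid=${maps#/proc/}; pid=${pid%/maps}
        printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
    done
}

# Report on the local system when openssl is installed.
if command -v openssl >/dev/null 2>&1; then
    printf 'local: %s -> %s\n' "$(openssl version)" "$(openssl_is_fixed "$(openssl version)")"
    processes_using_stale_openssl
fi
```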