OpenSSL has been patched to fix a critical flaw that could be used to remotely execute code or crash an application using the library.
The vulnerability lies in OpenSSL's server-side parsing of TLS extensions and could be exploited as a buffer overrun.
All versions of OpenSSL supporting TLS extensions are affected, including OpenSSL 0.9.8f to 0.9.8o, 1.0.0 and 1.0.0a releases, according to an OpenSSL security advisory.
"Any OpenSSL-based TLS server is vulnerable if it is multi-threaded and uses OpenSSL's internal caching mechanism," the advisory said. "Servers that are multi-process and/or disable internal session caching are NOT affected."
Apache HTTP server and Stunnel are not affected, according to the OpenSSL team.
The security response team at Red Hat, which ships OpenSSL in Red Hat Enterprise Linux, rated the flaw as 'important'.
"It may be possible for a remote attacker to trigger this race condition and cause such an application to crash, or possibly execute arbitrary code with the permissions of the application," said a Red Hat security advisory.
Users of OpenSSL 0.9.8 releases from 0.9.8f to 0.9.8o should update to the OpenSSL 0.9.8p release, which contains a patch for the issue.
Users of OpenSSL 1.0.0 and 1.0.0a should update to the OpenSSL 1.0.0b release, which also contains the patch.
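As an added example (not from the advisory or the OpenSSL project), the following Python helper turns the version ranges quoted above into a check that can be run over the output of `openssl version`. It assumes the pre-1.1 OpenSSL numbering scheme, in which a trailing letter is the patch level ('' before 'a' before 'b', and so on); the sample version strings at the bottom are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges and fixed releases as stated in the advisory summary above.
# Each entry: (lowest affected, highest affected, release that contains the fix).
AFFECTED_RANGES = [
    ("0.9.8f", "0.9.8o", "0.9.8p"),
    ("1.0.0", "1.0.0a", "1.0.0b"),
]

# major.minor.fix followed by an optional lowercase patch-letter suffix.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text: str) -> Tuple[int, int, int, str]:
    """Extract (major, minor, fix, letter) from an OpenSSL version string.

    Accepts a bare version such as '0.9.8o' or the full output of
    `openssl version`, e.g. 'OpenSSL 1.0.0a 1 Jun 2010'. The tuple orders
    correctly because the letter suffix compares as a string ('' < 'a' < 'b').
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def check_openssl(text: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_release) for an OpenSSL version string.

    'affected' is True when the version falls inside one of the ranges the
    advisory lists; fixed_release names the release to upgrade to, or None.
    """
    v = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return True, fixed
    return False, None


def report(version_strings: List[str]) -> List[str]:
    """Produce one human-readable line per version string checked."""
    lines = []
    for s in version_strings:
        affected, fixed = check_openssl(s)
        if affected:
            lines.append(f"{s.strip()}: AFFECTED, upgrade to {fixed}")
        else:
            lines.append(f"{s.strip()}: not in an affected range")
    return lines


if __name__ == "__main__":
    # Constructed sample inputs in the format printed by `openssl version`.
    samples = [
        "OpenSSL 0.9.8o 01 Jun 2010",
        "OpenSSL 0.9.8p 16 Nov 2010",
        "OpenSSL 1.0.0a 01 Jun 2010",
        "OpenSSL 1.0.0b 16 Nov 2010",
    ]
    for line in report(samples):
        print(line)
```

A version-string check is only a first pass: the advisory says only multi-threaded servers that use OpenSSL's internal session cache are exposed, and distributions such as Red Hat commonly backport fixes without changing the reported version number, so confirm against the vendor's own advisory before treating a host as unpatched or patched.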