OpenSSL New Buffer Overrun Attack

The OpenSSL core team has announced a new vulnerability in OpenSSL-based TLS servers. Users of all OpenSSL 0.9.8 releases are advised to upgrade immediately to OpenSSL 0.9.8p, in which the bug has been fixed. Users of OpenSSL 1.0.0 and 1.0.0a are likewise advised to upgrade to 1.0.0b.

If upgrading is not immediately possible, you can apply the relevant source code patch provided in the advisory. As reported in the announcement, only multi-threaded programs that use the caching mechanism built into OpenSSL are vulnerable. In particular, the Apache HTTP server (which never uses OpenSSL's internal caching) and Stunnel (which includes its own workaround) are NOT affected.

For more information you can read the Security Advisory:
