OpenSSL version 1.1.0c has been issued to combat vulnerabilities in previous versions of the toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, according to an OpenSSL advisory.
Some of the flaws could enable an attacker to instigate a denial-of-service situation.
The most serious of them, a heap buffer overflow (CVE-2016-7054), was ranked "High." The bug could open a path for a DoS attack by corrupting larger payloads, resulting in an OpenSSL crash, the advisory stated.
Because of another bug, ranked "Moderate" (CVE-2016-7053), applications that parse invalid CMS structures can crash with a NULL pointer dereference.
"There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than 256 bits," the advisory stated. This third flaw (CVE-2016-7055), ranked "Low," could produce incorrect results.
Support for OpenSSL version 1.0.1 ends on Dec. 31, after which no security updates for that version will be issued, so users of 1.0.1 are advised to upgrade.
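As an added defender-side inventory check (example code, not part of the advisory or this report), the script below parses the banner printed by `openssl version` and flags hosts still on a 1.1.0 build older than 1.1.0c or on the soon-unsupported 1.0.1 series. The sample banners are constructed; the letter-suffix ordering and the `openssl version` format are assumptions about how OpenSSL reports its version.

```python
import re
import subprocess
from datetime import date

# Values taken from the advisory summary above.
FIXED_110 = (1, 1, 0, "c")          # 1.1.0c carries the fixes for CVE-2016-7054/-7053/-7055
EOL_101 = date(2016, 12, 31)        # last day of security support for the 1.0.1 series

# Assumed banner format: "OpenSSL 1.1.0b  26 Sep 2016"
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Return (major, minor, fix, patch_letter) from an `openssl version` banner, or None.

    OpenSSL uses a trailing letter as the patch level, so the tuple compares
    naturally: (1,1,0,'') < (1,1,0,'a') < (1,1,0,'b') < (1,1,0,'c').
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def assess(banner, today="2016-11-10"):
    """Classify a banner against the 1.1.0c fix and the 1.0.1 end-of-life date."""
    v = parse_version(banner)
    if v is None:
        return "unknown: could not parse OpenSSL version banner"
    series = v[:3]
    if series == (1, 1, 0):
        if v < FIXED_110:
            return "upgrade: 1.1.0 build predates 1.1.0c (CVE-2016-7054, -7053, -7055 unfixed)"
        return "ok: 1.1.0c or later"
    if series == (1, 0, 1):
        if date.fromisoformat(today) > EOL_101:
            return "unsupported: 1.0.1 reached end of life on 2016-12-31; no security updates"
        return "warning: 1.0.1 support ends 2016-12-31; plan the upgrade now"
    return "other series: not covered by this advisory summary; consult the OpenSSL advisory"


def assess_local(today=None):
    """Run the local `openssl version` binary and assess it (hypothetical helper)."""
    banner = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    return assess(banner, today or date.today().isoformat())


if __name__ == "__main__":
    print(assess_local())
```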