---

Red Hat warns of hole in OpenSSL

“In an advisory, Linux distributor Red Hat has warned that a
security vulnerability in OpenSSL can potentially be remotely
exploited to break into a server. Affected versions include OpenSSL
0.9.8f to 0.9.8o, 1.0.0 and 1.0.0a. Updating to OpenSSL 0.9.8p or
1.0.0b closes the hole.

“The problem is caused by a race condition in the OpenSSL code
for parsing TLS extensions. In certain circumstances a heap
overflow can potentially be triggered if multiple sessions try to
set a host name via a TLS extension. This allows attackers to
inject up to 255 bytes of code into the application’s heap and to
execute it.”
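A defender's triage check for the version ranges quoted above, as an added example that is not part of the original article or the Red Hat advisory: it parses the banner printed by `openssl version` and compares it against the listed ranges. The function names, the handling of pre-release tags and the sample banners are assumptions made for this example.

```python
import re

# Affected ranges (inclusive), exactly as listed in the quoted advisory text.
AFFECTED = [((0, 9, 8, "f"), (0, 9, 8, "o")),
            ((1, 0, 0, ""), (1, 0, 0, "a"))]

# Banner format of `openssl version`, e.g. "OpenSSL 0.9.8o 01 Jun 2010".
# The optional tag covers build suffixes such as "-fips" or "-beta3".
_BANNER = re.compile(
    r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([\w.-]+))?")


def parse_banner(banner):
    """Return ((major, minor, fix, letter), tag), or None if no OpenSSL version."""
    m = _BANNER.search(banner)
    if not m:
        return None
    major, minor, fix, letter, tag = m.groups()
    return (int(major), int(minor), int(fix), letter), (tag or "")


def status(banner):
    """Classify a banner as 'affected', 'not affected' or 'unknown'."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"          # not an OpenSSL banner at all
    version, tag = parsed
    if re.match(r"(beta|dev|pre)", tag):
        return "unknown"          # pre-releases are not covered by the list
    # Patch letters sort as plain strings: "" < "a" < ... < "o" < "p".
    if any(low <= version <= high for low, high in AFFECTED):
        return "affected"
    return "not affected"


if __name__ == "__main__":
    # Constructed sample banners, not taken from real hosts.
    for sample in ("OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008",
                   "OpenSSL 0.9.8o 01 Jun 2010",
                   "OpenSSL 0.9.8p 16 Nov 2010",
                   "OpenSSL 1.0.0a 1 Jun 2010",
                   "OpenSSL 1.0.0-beta3 15 Jul 2009"):
        print(f"{sample!r}: {status(sample)}")
```

Distribution packages often backport fixes without changing the upstream version string, so an "affected" result on a vendor build should be confirmed against the vendor's package changelog.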

