This morning a new OpenSSL advisory was announced: https://www.openssl.org/news/secadv_20140605.txt
After analysis, while there are no known exploits at this time, there seem to be some circumstances that lend themselves to such and CTSC urges those with the following circumstances to upgrade ASAP and everyone else to patch to the latest version of OpenSSL as soon as they can during normal business hours.
Circumstances dictating upgrade ASAP:
- Deployments where both the server and client are using OpenSSL 1.0.1
- Deployments using Datagram Transport Layer Security (DTLS)
Services that use SSL should be restarted after upgrading in order to load the new libraries.
Since web browsers in general don't use OpenSSL, the first case is most likely with other (e.g. command-line) applications. We expect the second case to be rare in the Grid community.
If your software is impacted, please let CTSC know so we can help communicate your fix.
- Globus: https://support.globus.org/entries/71973746
- Adam Langley: https://www.imperialviolet.org/2014/06/05/earlyccs.html
- ISC: https://isc.sans.edu/forums/diary/Critical+OpenSSL+Patch+Available+Patch+Now+/18211