OpenSSL has released security updates that address several vulnerabilities affecting earlier releases in the OpenSSL 1.1.0 and 1.0.2 branches.
One of the vulnerabilities (CVE-2018-0739), rated moderate severity, could result in a denial of service (DoS) condition if exploited:
“Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe,” according to the advisory.
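The failure mode the advisory describes is a parser whose recursion depth is set by the attacker's input. The following is an added example, not OpenSSL's code: a minimal DER parser for constructed types, once with unbounded recursion (the vulnerable shape) and once with a nesting cap (the hardened shape), run over a constructed, deeply nested SEQUENCE. The cap value MAX_NEST and the helper names are choices made for this example; OpenSSL's fix uses its own constant.

```python
"""Model of the CVE-2018-0739 failure mode: recursion on constructed ASN.1
types with no nesting limit, beside the same parser with a depth cap.
Added example, not OpenSSL's code; MAX_NEST is an illustrative value."""
import sys

SEQUENCE = 0x30  # constructed SEQUENCE tag (bit 0x20 marks "constructed")
INTEGER = 0x02


def _read_tlv(buf: bytes, pos: int):
    """Parse one tag-length-value at buf[pos]; handles short and long-form lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length runs past end of input")
    return tag, buf[pos:pos + length], pos + length


def _encode_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def nested_sequence(depth: int) -> bytes:
    """Constructed input: `depth` SEQUENCEs wrapped around INTEGER 1."""
    tlv = bytes([INTEGER, 1, 1])
    for _ in range(depth):
        tlv = bytes([SEQUENCE]) + _encode_len(len(tlv)) + tlv
    return tlv


def parse_unbounded(buf: bytes, pos: int = 0):
    """Vulnerable shape: every constructed level is one more stack frame,
    and nothing but the input decides how many there are."""
    tag, value, end = _read_tlv(buf, pos)
    if tag & 0x20:
        children, p = [], 0
        while p < len(value):
            child, p = parse_unbounded(value, p)
            children.append(child)
        return (tag, children), end
    return (tag, value), end


MAX_NEST = 30  # illustrative cap on constructed nesting


def parse_bounded(buf: bytes, pos: int = 0, depth: int = 0):
    """Hardened shape: refuse input nested deeper than MAX_NEST before recursing."""
    if depth > MAX_NEST:
        raise ValueError("nesting too deep")
    tag, value, end = _read_tlv(buf, pos)
    if tag & 0x20:
        children, p = [], 0
        while p < len(value):
            child, p = parse_bounded(value, p, depth + 1)
            children.append(child)
        return (tag, children), end
    return (tag, value), end


def outcome(parser, buf: bytes) -> str:
    """'ok', 'rejected' (clean ValueError) or 'stack' (interpreter stack exhausted)."""
    try:
        parser(buf)
        return "ok"
    except ValueError:
        return "rejected"
    except RecursionError:
        return "stack"


def deep_input() -> bytes:
    """Nesting well past what the interpreter's stack will tolerate."""
    return nested_sequence(sys.getrecursionlimit() * 2)


if __name__ == "__main__":
    for name, p in (("unbounded", parse_unbounded), ("bounded", parse_bounded)):
        print(name, outcome(p, nested_sequence(5)), outcome(p, deep_input()))
```

Python turns the exhausted stack into a catchable RecursionError; a native parser in the same shape simply crashes, which is the DoS the advisory refers to. The bounded parser fails on the same input with an ordinary parse error at a fixed, small depth, before any deep frames are created.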
A second moderate severity vulnerability (CVE-2018-0733) was also addressed. Because of an implementation bug, the PA-RISC assembly implementation of the CRYPTO_memcmp function is effectively reduced to comparing only the least significant bit of each byte, which lets an attacker forge messages that are accepted as authenticated in far fewer tries than the security claims of the scheme guarantee. The defective module is only built by the HP-UX assembler, so only HP-UX PA-RISC targets are affected, and only OpenSSL 1.1.0. Separately, OpenSSL 1.1.0h also carries the fix for a previously disclosed low severity overflow bug (CVE-2017-3738) in the AVX2 RSA code on x86_64; that fix was already present in OpenSSL 1.0.2n.
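To see why a compare that only looks at the low bit of each byte undermines a MAC check, here is an added example (written for this article, not OpenSSL's code): a correct constant-time compare beside one that masks the accumulated difference to bit 0, and a count of how many candidate tags each accepts. The function names and the 0xa5 reference byte are choices made for the example.

```python
"""Model of the CVE-2018-0733 effect: a constant-time compare that, through
an implementation bug, only compares the least significant bit of each byte.
Added example; both compare routines are written here, not taken from OpenSSL."""


def crypto_memcmp(a: bytes, b: bytes) -> int:
    """Correct shape: OR every differing bit into one accumulator, no early
    exit, and return non-zero iff any bit differed."""
    if len(a) != len(b):
        raise ValueError("lengths must match")
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff


def crypto_memcmp_lsb_bug(a: bytes, b: bytes) -> int:
    """Same loop, but the per-byte difference is masked to bit 0, so two bytes
    that agree only in their lowest bit are treated as equal."""
    if len(a) != len(b):
        raise ValueError("lengths must match")
    diff = 0
    for x, y in zip(a, b):
        diff |= (x ^ y) & 1
    return diff


def forge_against_lsb_bug(tag: bytes) -> bytes:
    """A tag that differs from `tag` in every bit except bit 0 of each byte."""
    return bytes(b ^ 0xFE for b in tag)


def per_byte_accepted(compare) -> int:
    """How many of the 256 byte values `compare` accepts against a fixed byte.
    The reference byte (0xa5 here) is arbitrary; both routines treat all bytes alike."""
    ref = b"\xa5"
    return sum(1 for v in range(256) if compare(bytes([v]), ref) == 0)


def expected_tries(compare, tag_len: int) -> int:
    """Expected random guesses before a forged tag_len-byte MAC is accepted.
    Each byte is judged independently, so acceptance compounds per byte."""
    return (256 // per_byte_accepted(compare)) ** tag_len


if __name__ == "__main__":
    tag = bytes(range(16))  # constructed stand-in for a 128-bit MAC
    forged = forge_against_lsb_bug(tag)
    print("correct compare rejects forgery:", crypto_memcmp(forged, tag) != 0)
    print("buggy compare accepts forgery:", crypto_memcmp_lsb_bug(forged, tag) == 0)
    for name, fn in (("correct", crypto_memcmp), ("lsb-only", crypto_memcmp_lsb_bug)):
        print(f"{name}: ~2^{expected_tries(fn, 16).bit_length() - 1} tries for a 16-byte tag")
```

With the correct compare a 16-byte tag needs on the order of 2^128 guesses; with the low-bit-only compare every byte is a coin flip, so about 2^16 guesses suffice, which is the collapse in security margin the advisory describes.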
OpenSSL 1.1.0 users should upgrade to 1.1.0h and OpenSSL 1.0.2 users to 1.0.2o.