Critical OpenSSL Patch Available. Patch Now!


The OpenSSL team released a critical security update today. The update patches 6 flaws. One of the flaws (CVE-2014-0195) may lead to arbitrary code execution. [1] All versions of OpenSSL are vulnerable to CVE-2014-0195, but this vulnerability only affects DTLS clients or servers (look for SSL VPNs… not so much HTTPS).

I also rated CVE-2014-0224 critical, since it does allow for MiTM attacks, which defeats one of the reasons you use SSL in the first place. But in order to exploit this issue, both client and server have to be vulnerable, and only OpenSSL 1.0.1 is vulnerable on servers…
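The two applicability rules above (CVE-2014-0195 needs DTLS; CVE-2014-0224 needs both sides unpatched and a 1.0.1 server) are easy to get wrong when working through a host inventory. The following triage helper is an added example, not code from the post or from the OpenSSL project. It assumes a small constructed inventory where each endpoint records its OpenSSL version string, whether the June 2014 update has been applied (a flag, since distributions often backport fixes without changing the version letter), and whether the endpoint actually speaks DTLS. The `Endpoint`, `branch` and `triage` names are this example's own.

```python
"""Triage helper: which of the two CVEs from the June 2014 OpenSSL update apply.

Added example, not part of the SANS ISC post. It encodes the scoping rules
stated in the post:
  * CVE-2014-0195 (DTLS fragment handling): every unpatched OpenSSL version,
    but only where DTLS is actually spoken (SSL VPNs, not plain HTTPS).
  * CVE-2014-0224 (MiTM): both endpoints must be unpatched, and the server
    side must run the OpenSSL 1.0.1 branch.
All inventory records below are constructed sample data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str
    openssl_version: str  # e.g. "1.0.1g" or "1.0.1e-fips"
    patched: bool         # True once the June 2014 update (or a backport) is applied
    uses_dtls: bool       # True for DTLS speakers such as SSL VPN endpoints


def branch(version: str) -> str:
    """Return the OpenSSL release branch, e.g. '1.0.1' for '1.0.1g' or '1.0.1e-fips'."""
    m = re.match(r"(\d+\.\d+\.\d+)", version)
    if m is None:
        raise ValueError(f"unexpected OpenSSL version string: {version!r}")
    return m.group(1)


def exposed_to_cve_2014_0195(ep: Endpoint) -> bool:
    """Any unpatched version is affected, but only if DTLS is in use."""
    return (not ep.patched) and ep.uses_dtls


def mitm_exposed(client: Endpoint, server: Endpoint) -> bool:
    """CVE-2014-0224: both sides unpatched and the server on the 1.0.1 branch."""
    return (
        not client.patched
        and not server.patched
        and branch(server.openssl_version) == "1.0.1"
    )


def triage(client: Endpoint, server: Endpoint) -> list[str]:
    """Return human-readable findings for one client/server pairing."""
    findings = []
    for ep in (client, server):
        if exposed_to_cve_2014_0195(ep):
            findings.append(f"CVE-2014-0195: {ep.name} (DTLS, unpatched)")
    if mitm_exposed(client, server):
        findings.append(
            f"CVE-2014-0224: MiTM possible between {client.name} and {server.name}"
        )
    return findings


# Constructed sample inventory (not real hosts).
VPN_CLIENT = Endpoint("laptop", "1.0.1g", patched=False, uses_dtls=True)
VPN_SERVER = Endpoint("vpn-gw", "1.0.1e-fips", patched=False, uses_dtls=True)
WEB_SERVER = Endpoint("www", "1.0.0l", patched=False, uses_dtls=False)
# Vendor backport: version string unchanged, but the fix is in.
PATCHED_WEB = Endpoint("www-patched", "1.0.1g", patched=True, uses_dtls=False)

if __name__ == "__main__":
    for client, server in [(VPN_CLIENT, VPN_SERVER),
                           (VPN_CLIENT, WEB_SERVER),
                           (VPN_CLIENT, PATCHED_WEB)]:
        print(f"{client.name} -> {server.name}:")
        for line in triage(client, server) or ["  no finding"]:
            print(" ", line)
```

The point of the `branch` helper is that only the server's release branch matters for the MiTM case; the client can be on any unpatched version. The `patched` flag, rather than a version comparison, is deliberate: backported packages keep the old version letter, so `openssl version` alone does not tell you whether a host is fixed.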

Read more at SANS ISC