OpenSSL vulnerability discovered by SEARCH-LAB

SEARCH-LAB has recently discovered a vulnerability in OpenSSL, one of the most popular SSL implementation libraries. It vulnerability would only allow malicious server operators to crash DTLS (TLS over UDP) clients, which might lead into Denial of Service in software building on OpenSSL code, for e.g. VPN services.

The vulnerability, caused by endless recursion leading to stack overflow happens before the SSL/TLS handshake takes place, and affects all versions of OpenSSL up to and including 1.0.1g (and also in older branches up to and including 0.9.8y and 1.0.0l). Even though we have disclosed this vulnerability to the public only after it has been confirmed as fixed in the OpenSSL code repository, it might take some time until all affected programs using OpenSSL code apply the fix.