OpenSSL released a patch on 22nd September 2016 to address a lot of security holes. But four days later, with a security advisory, the team announced that this patch contains a critical flaw; the issue only affects OpenSSL 1.1.0a.
Using their own words:
“The patch applied to address CVE-2016-6307 resulted in an issue where if a
message larger than approx 16k is received then the underlying buffer to store
the incoming message is reallocated and moved. Unfortunately a dangling pointer
to the old location is left which results in an attempt to write to the
previously freed location. This is likely to result in a crash, however it
could potentially lead to execution of arbitrary code.”
Robert Święcki, who works for Google Security Team, was the first reporting the issue to OpenSSL Project.
Of course, developers released a fixed version, 1.1.0b, which every 1.1.0 user should install to avoid critical problems. In that security advisory, they also announced a fixed version of 1.0.2i, in which CRL sanity check was omitted. Users of 1.0.2i should upgrade to 1.0.2j.
