The MITM one... being the highest problem, the other 6 were all DoS attack vectors, causing the machine to run out of resources.

This one appears to have been traced back to the same guy that did the Heartbleed... also, this isn't *REALLY* that big of a threat. Considering BOTH the Server *AND* the Client have to have matching versions and essentially the same compile-time options for it to function properly for the MITM to work.

But considering RHEL v5 and v6 are mostly used without recompiling the binary releases... you get this. The other thing is that OpenSSL is used in Android, they used the default compile options for Android's processors which closely matches that for 32-bit and 64-bit runtimes.

It isn't just RHEL/CentOS, it is Ubuntu, Debian, SuSE... etc. All having this issue.

But again, the MITM attack has to have both the Server *AND* the Client running the same versions.

So it is *NOWHERE* close to Heartbleed in scope and range.