You can’t have missed it: a buffer overflow in OpenSSL’s SSL_get_shared_ciphers() function has been discovered.
All vendors have pushed a fixed version of the library, and some of them tagged the vulnerability as critical.
What package does it affect? Does it affect Apache SSL and OpenSSH?
Okay, calm down; here’s a quote from Phillip Guenther of the OpenBSD team:
“The only code in the main OpenBSD tree that calls SSL_get_shared_ciphers() is the openssl(1) utility’s s_client and s_server modes. However, that code passes the function a buffer of size BUFSIZ (== 1024) while the complete list of ciphers is only 666 bytes, so it’s impossible to hit the overflow there.
The only other code that I’ve ever seen that calls that function is the perl Net::SSLeay module, which simply provides access to OpenSSL functions from perl. Maybe there’s a perl script out there that uses that, but I haven’t seen one.
The function itself is almost useless; the only reason I can think to call it would be if you were debugging the cipher selection algorithm in OpenSSL.”
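The argument above is purely arithmetic: the function formats the negotiated cipher names, separated by ':', into a caller-supplied buffer, so it can only overflow when the formatted list is longer than that buffer (which BUFSIZ == 1024 against a 666-byte list rules out for s_client and s_server). The following added example, which is not OpenSSL's code and not part of the original post, models that bug class with a hypothetical naive join whose space check forgets the separator, sets the hardened form beside it, and probes both with a canary-filled area. The cipher list is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of negotiated cipher names (real OpenSSL cipher
 * names, but an invented selection). It stands in for what
 * SSL_get_shared_ciphers() would format; nothing here reads a session. */
static const char *CIPHERS[] = {
    "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA", "RC4-SHA", "RC4-MD5",
    "DHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA", NULL
};

/* Bytes needed to hold the joined list: every name plus one byte each
 * for its trailing ':' (the last ':' becomes the terminating '\0'). */
static size_t required_len(const char **names)
{
    size_t total = 0;
    for (size_t i = 0; names[i]; i++)
        total += strlen(names[i]) + 1;
    return total;
}

/* Hypothetical model of the bug class: the remaining-space check counts
 * the name bytes but not the ':' written after each name, so the
 * separator, and then the next name, can land past buf + len. */
static char *join_ciphers_naive(const char **names, char *buf, size_t len)
{
    char *p = buf;
    size_t n = len;
    for (size_t i = 0; names[i]; i++) {
        size_t l = strlen(names[i]);
        if (l > n)
            break;
        memcpy(p, names[i], l);
        p += l;
        n -= l;              /* BUG: the ':' below is never charged to n */
        *p++ = ':';
    }
    if (p > buf)
        p[-1] = '\0';
    return buf;
}

/* Hardened form: charge name and separator together, stop when the next
 * name would not fit, and always leave a '\0' inside the caller's buffer. */
static char *join_ciphers_safe(const char **names, char *buf, size_t len)
{
    char *p = buf;
    size_t n = len;
    if (len == 0)
        return NULL;
    for (size_t i = 0; names[i]; i++) {
        size_t l = strlen(names[i]);
        if (l + 1 > n)       /* room for the name plus ':' or '\0' */
            break;
        memcpy(p, names[i], l);
        p += l;
        *p++ = ':';
        n -= l + 1;
    }
    if (p > buf)
        p[-1] = '\0';        /* turn the trailing ':' into the terminator */
    else
        buf[0] = '\0';
    return buf;
}

#define AREA_LEN 256

/* Run one join into the first len bytes of a canary-filled area and
 * report whether any byte beyond buf + len was modified. Every write stays
 * inside `area`, so the probe itself is well-defined C. */
static int overflows(char *(*join)(const char **, char *, size_t),
                     const char **names, size_t len)
{
    char area[AREA_LEN];
    if (len >= AREA_LEN)
        return -1;
    memset(area, 'X', sizeof area);
    join(names, area, len);
    for (size_t i = len; i < sizeof area; i++)
        if (area[i] != 'X')
            return 1;
    return 0;
}

/* The hardened join into a static buffer, for inspection of the output. */
static const char *safe_join_demo(size_t len)
{
    static char out[AREA_LEN];
    if (len > sizeof out)
        len = sizeof out;
    return join_ciphers_safe(CIPHERS, out, len);
}

int main(void)
{
    printf("required: %zu bytes\n", required_len(CIPHERS));
    printf("naive, 32-byte buffer:  overflow=%d\n",
           overflows(join_ciphers_naive, CIPHERS, 32));
    printf("safe,  32-byte buffer:  overflow=%d -> \"%s\"\n",
           overflows(join_ciphers_safe, CIPHERS, 32), safe_join_demo(32));
    printf("naive, 128-byte buffer: overflow=%d (list fits, like BUFSIZ vs 666)\n",
           overflows(join_ciphers_naive, CIPHERS, 128));
    return 0;
}
```

The 128-byte run is the s_client/s_server situation from the quote: even the naive join is harmless when the caller's buffer is larger than the whole formatted list, which is why the fix matters for callers that size the buffer tightly or let a peer influence the cipher list, and why the safe variant truncates at a name boundary and still terminates the string.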