Last week's set of security patches for the popular open source crypto library OpenSSL created a new critical vulnerability requiring an emergency fix.
The vulnerability only affects version 1.1.0.a. The OpenSSL security team said it was caused by a patch to fix the CVE-2016-6307 large message sizes bug, which was rated as low severity.
Robert Swiecki of Google's security team discovered that the fix for CVE-2016-6307 left a dangling pointer in the code, which references the wrong memory location and creates a critical security vulnerability.
This results in an attempt at writing to a previously freed memory location and is likely to lead to OpenSSL crashing, potentially allowing for the execution of arbitrary code by malicious actors.
A second coding mistake in last week's patches saw a Certificate Revocation List sanity check being omitted in OpenSSL version 1.0.2i. Using CRLs will crash OpenSSL 1.0.2i with a null pointer exception, creating a vulnerability rated as moderate.
The OpenSSL project said users with version 1.1.0 of the crypto library should upgrade to 1.1.0b, and users with version 1.0.2i should upgrade to 1.0.2j.
