After the Heartbleed vulnerability, more security researchers have turned their attention toward reviewing OpenSSL. Now it\u2019s time to patch again, but the most alarming\/bizarre part of the story is that one of the critical vulnerabilities in OpenSSL has been gone undetected since December 1998.If you\u2019re looking for a positive slant to another critical hole being discovered in open source encryption software, then it would have to be that more researchers will likely keep digging into OpenSSL code. In the long run, that should make encryption more secure. In order to Reset the Net and reclaim our privacy, we need to encrypt everything.The patch released by the OpenSSL team today will close that hole along with five other flaws. \u201cAn attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL\/TLS clients and servers,\u201d states the OpenSSL security advisory in regards to CVE-2014-0224. \u201cThis can be exploited by a man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.\u201dThe attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.OpenSSL 0.9.8 SSL\/TLS users (client and\/or server) should upgrade to 0.9.8za.OpenSSL 1.0.0 SSL\/TLS users (client and\/or server) should upgrade to 1.0.0m.OpenSSL 1.0.1 SSL\/TLS users (client and\/or server) should upgrade to 1.0.1h.In a post explaining how he discovered the CCS injection vulnerability (CVE-2014-0224), security researcher Masashi Kikuchi wrote that the ChangeCipherSpec (CCS) bug \u201chas existed since the very first release of OpenSSL. The biggest reason why the bug hasn\u2019t been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS\/SSL implementation.\u201dGoogle's Adam Langley wrote, \u201cThe good news is that these attacks need man-in-the-middle position against the victim and that non-OpenSSL clients (IE, Firefox, Chrome on Desktop and iOS, Safari etc) aren't affected. Nonetheless, all OpenSSL users should be updating.\u201dMeanwhile, SANS Internet Storm Center classified two of the six newly patched vulnerabilities as critical, CVE-2014-0224 and CVE-2014-0195, and warned that they \u201cmay lead to arbitrary code execution.\u201dThe latter vulnerability in OpenSSL's implementation of Datagram Transport Layer Security (DTLS) was credit to J\u00fcri Aedla, who "recently made news by successfully compromising Mozilla Firefox during this year\u2019s Pwn2Own contest." HP\u2019s TippingPoint Zero Day Initiative also pointed out:According to the commit logs, Robin Seggelmann introduced this vulnerability into the OpenSSL code base four years ago. Yes, Robin Seggelmann is also responsible for introducing the Heartbleed vulnerability. Two big vulnerabilities introduced by the same developer. Seggelmann is not completely to blame, of course. OpenSSL is an open source project. The \u2018many eyes\u2019 that look at this code failed to catch this bug, but a new breed of individuals are looking at this code\u2026especially at Seggelmann\u2019s code.\u00a0 This code is now known for having vulnerabilities. There is blood in the water.\u00a0 For the individuals auditing his code, the Zero Day Initiative will happily handle the work that goes into disclosing those vulnerabilities and reward you for your efforts.The remaining four flaws patched today could be used for denial-of-service: CVE-2014-0221, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470.