OpenSSL bug roundup

OpenSSL has had several advisories this month: buffer overflows in the ASN.1 parsing code, issues in specific cipher implementations, and a few smaller ones. Individually some of them are minor; taken together they justify a deliberate patch-and-restart cycle rather than picking up fixes as routine package updates happen to arrive.

Why this matters

OpenSSL is the cryptographic library underneath most TLS-using services on a typical Unix host. Apache mod_ssl, many mail and VPN daemons, and OpenSSH (which does not speak TLS but, as usually built, links libcrypto for its key and cipher operations) all depend on it. A vulnerability in OpenSSL is, structurally, a vulnerability in the entire dependent ecosystem.

The ASN.1 bug specifically is exploitable in TLS handshakes. That is not surprising: X.509 certificates are DER-encoded ASN.1, so the parser runs on peer-supplied bytes during the handshake, before the certificate has been validated. A client is therefore exposed to any server it connects to, and a server that requests client certificates is exposed to any client. Any TLS-enabled service remains vulnerable until OpenSSL is patched and every process that loaded the old library has been restarted.

What operators should do

Update OpenSSL. Distributions are shipping patches; apply them. Be aware that most distributions backport the fix rather than moving to the upstream release, so the openssl version command may keep reporting the same number after the fix is installed; confirm from the package version and its changelog instead.

Restart all services that link OpenSSL: Apache, sshd, mail servers with TLS, anything that loads libssl or libcrypto. Upgrading the package only replaces the file on disk; a running process keeps the old copy mapped in memory until it is restarted, so a host can report the fixed package while every daemon on it is still executing the vulnerable code. Where the list of affected services is uncertain, a reboot is the simplest way to be sure.

Audit dependencies. Most operators do not have a clear inventory of what depends on OpenSSL. The discipline of building one is worth establishing, and the inventory should include applications that ship their own copy of the library (a bundled libssl under a private path, or a statically linked one), since those are not fixed by the distribution package and need an update from their own vendor.
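The restart step is the one that gets skipped, because nothing fails loudly when it is. The script below is an added example, not part of the original post and not OpenSSL's own tooling: on a Linux host it reads /proc/PID/maps, lists every process that has libssl or libcrypto mapped, and marks a mapping as stale when the file behind it has been replaced on disk since the process started (the kernel tags such entries "(deleted)"). The sample maps content embedded in it is constructed, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: inventory the processes on a Linux
# host that have OpenSSL mapped, and flag those still running against a copy
# that has since been replaced on disk. The kernel appends "(deleted)" to such
# entries in /proc/PID/maps, which is exactly the "patched but not restarted"
# state. Assumes Linux procfs; run as root to see every process.

# parse_maps: read /proc/PID/maps text on stdin and print one line per distinct
# OpenSSL library mapping in the form "<path> stale|current". Matches any path
# containing libssl.so or libcrypto.so, so vendored copies outside the distro
# path (e.g. under /opt) are reported too.
parse_maps() {
    awk '
        $6 ~ /lib(ssl|crypto)\.so/ {
            state = ($7 == "(deleted)") ? "stale" : "current"
            key = $6 " " state
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    '
}

# scan_processes: walk every readable /proc/PID/maps and print
# "<pid>\t<comm>\t<stale|current>\t<path>" for each OpenSSL mapping.
# Processes whose maps you cannot read (other users, without root) are skipped.
scan_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        [ -r "$maps" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        parse_maps < "$maps" 2>/dev/null | while read -r path state; do
            printf '%s\t%s\t%s\t%s\n' "$pid" "$comm" "$state" "$path"
        done
    done
}

# stale_pids: just the PIDs that still hold a replaced libssl/libcrypto and
# therefore need a restart, e.g.
#   for p in $(stale_pids); do cat /proc/$p/comm; done
stale_pids() {
    scan_processes | awk -F'\t' '$3 == "stale" { print $1 }' | sort -un
}

# Constructed sample of what /proc/PID/maps looks like for a daemon that was
# started before the libssl package was upgraded (addresses are made up).
SAMPLE_MAPS='7f0a00000000-7f0a0002a000 r-xp 00000000 08:01 131 /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f0a0002a000-7f0a0002e000 r--p 0002a000 08:01 131 /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f0b00000000-7f0b00200000 r-xp 00000000 08:01 132 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f0c00000000-7f0c001b0000 r-xp 00000000 08:01 200 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd10000000-7ffd10021000 rw-p 00000000 00:00 0 [stack]'

# demo: run the parser over the constructed sample; used when no "scan"
# argument is given so the script can be tried without touching /proc.
demo() {
    printf '%s\n' "$SAMPLE_MAPS" | parse_maps
}

case "${1:-demo}" in
    scan) stale_pids ;;   # live host: PIDs that must be restarted
    *)    demo ;;         # constructed sample: one stale, one current mapping
esac
```

Running the script as root with the scan argument prints the PIDs to restart; the full scan_processes output also carries the path column, which is how a private copy of libssl under /opt or inside a vendored runtime shows up, and those are the ones the distribution package did not touch. Two caveats: a statically linked binary has no libssl mapping at all and will never appear here, so it has to be found from the vendor's release notes instead, and a reboot remains the simplest way to be certain on a host where the list is long.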

A small reflection

Library-level vulnerabilities are structurally different from application-level ones. The blast radius is wider; the patching workflow is more complex; the testing is harder. The discipline of treating dependencies as part of the security inventory is, on the available evidence, undervalued.

More as the situation develops.
