At first glance, you might not think that the latest set of OpenSSL security patches are that important. Sure, there's a dozen of them and two are serious, but are they really that bad? Yes, actually they're not just bad, they're awful.
In the case of OpenSSL 1.0.2, the first problem child is "ClientHello sigalgs DoS (CVE-2015-0291)." With this bug a client, while looking as if it were trying to negotiate a Transport Layer Security (TLS) or Secure Sockets Layer (SSL) connection, can actually provoke a NULL pointer result. As anyone who's ever done much programing can guess that NULL pointer can, in turn, be used to knock the target program off the server. Typically this would be used as a Denial of Service (DoS) attack on a Web server.
Give it time. It will be used against servers soon enough.
Several other problems have also been fixed which can lead to DoS attacks. True, it's hard to make such attacks against these secuirty holes, but so what? Crackers love nothing more than to work on difficult problems. To avoid being their latest plaything, no matter what version of OpenSSL you're using, patch it now.
But the FREAK security holes were patched, right? Well, yes, but it turns out that, as the OpenSSL developers put it, while they "originally thought that server RSA export ciphersuite support was rare: A client was only vulnerable to a MITM attack against a server which supports an RSA export ciphersuite. Recent studies have shown that RSA export ciphersuites support is far more common."
Far, far more common, I might add.
In other words, if you're using any of the below, you should upgrade immediately.
The NCC Group and the Linux Foundation's Core Infrastructure Initiative (CII) are all working on improving OpenSSL's security. But as this latest OpenSSL patch points out, FREAK has turned out to be far more than just an OpenSSL problem. Regardless of what web server or operating system you're using, you must make certain your systems are protected against FREAK.
It hasn't gone away. It's still just hiding in old code.