[squeak-dev] OpenSSL Releases Security Updates

Ron Teitelbaum ron at usmedrec.com
Thu Mar 17 18:50:14 UTC 2022


Hi All,

https://www.openssl.org/news/secadv/20220315.txt

TLDR:

It is possible to trigger the infinite loop by crafting a certificate that
has invalid explicit curve parameters.

You are vulnerable to this if you accept certificates from clients.

OpenSSL 1.0.2 is out of support and no longer receiving public updates.
Extended support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
It is affected by the issue.

Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1.

All the best,

Ron Teitelbaum