The OpenSSL team is releasing a patch this Thursday to close up a “severe” Heartbleed-like bug, although the extent and specifics of the vulnerability are not entirely known (emphasis added):
It’s not yet known what exactly the vulnerability is: that would give the game away to attackers hoping to exploit the hole before the patch is released to the public. According to the OpenSSL team, a “high severity” bug includes…
“issues affecting common configurations which are also likely to be exploitable. Examples include a server denial-of-service, a significant leak of server memory, and remote code execution. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control, and significantly quicker if there is a significant risk or we are aware the issue is being exploited.”
So this week’s bug could be anything from a denial-of-service (allowing an attacker to crash an online service) to a Heartbleed-style memory leak to a remote-code execution hole (allowing a miscreant to run malicious code on a vulnerable system).
Make sure you patch those workstations and servers running OpenSSL, and restart the services that link against it, so this attack vector is shut down.
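One way to check the patch actually took effect on a Linux host, as an added example that is not part of the original post: compare the installed `openssl` version against the fixed release you are waiting for, then look for processes still mapping a libssl/libcrypto copy that was replaced on disk. The script, its function names and the `--scan` option are all assumptions of this example; the version to compare against comes from the advisory when it is published.

```shell
# Hypothetical post-patch check (example code, not from the OpenSSL project):
# confirm the OpenSSL version on disk and find processes still running old code.
# Return 0 when OpenSSL version $1 is at least $2 (1.x scheme, e.g. 1.0.1g).
# Each numeric field is zero-padded; a trailing letter sorts after no letter.
openssl_version_ge() {
  awk -v a="$1" -v b="$2" '
    function key(v,    n, p, i, num, l, s) {
      n = split(v, p, ".")
      s = ""
      for (i = 1; i <= n; i++) {
        num = p[i]; l = ""
        if (match(num, /[a-z]+$/)) {
          l = substr(num, RSTART); num = substr(num, 1, RSTART - 1)
        }
        s = s sprintf("%05d", num)
      }
      return s sprintf("%-3s", l)   # the letter suffix only sits on the last field
    }
    BEGIN { exit !(key(a) >= key(b)) }'
}
# Read one /proc/<pid>/maps stream on stdin and print each libssl/libcrypto
# mapping marked "(deleted)": the file was replaced on disk by the update, but
# this process is still executing the old, vulnerable copy.
stale_ssl_mappings() {
  awk '/\(deleted\)$/ && /lib(ssl|crypto)[^ ]*\.so/ { print $6 }' | sort -u
}
# Walk every readable process; each "<pid> <lib>" line is a service that must
# be restarted (or the host rebooted) before the patch counts as applied.
scan_running_processes() {
  for maps in /proc/[0-9]*/maps; do
    [ -r "$maps" ] || continue
    pid=${maps#/proc/}; pid=${pid%/maps}
    stale_ssl_mappings < "$maps" | while read -r lib; do
      printf '%s\t%s\n' "$pid" "$lib"
    done
  done
}
# Usage: sh check_openssl.sh --scan MIN_VERSION   (MIN_VERSION = fixed release)
if [ "${1:-}" = "--scan" ]; then
  have=$(openssl version 2>/dev/null | awk '{ print $2 }')
  if openssl_version_ge "${have:-0}" "${2:-0}"; then
    echo "openssl binary ${have:-missing}: at or above ${2:-0}"
  else
    echo "openssl binary ${have:-missing}: BELOW ${2:-0}, patch needed"
  fi
  scan_running_processes
fi
```

The version check only covers the `openssl` command-line binary; statically linked programs and bundled copies of the library (in language runtimes, appliances, or containers) have to be inventoried separately.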