The new OpenSSL patches also address eight moderate-severity flaws, some of which can be used for denial-of-service attacks under certain conditions, as well as three low-severity issues.
Because its announcement of an upcoming high severity vulnerability generated confusion, the project might change the way in which it classifies flaws.
"We need another security classification; HIGH scared everyone needlessly," said Rich Salz, an OpenSSL Project member, on Twitter. "We'll update the policy soon."
There have been previous instances of critical flaws in OpenSSL, so by now CISOs and IT security teams should have a refined process in place for dealing with them, said Cris Thomas, strategist at Tenable Network Security, via email. "It should be a simple matter of following the procedures you developed based on the previous instances."