Dear all,
Today (March 15, 2022), the OpenSSL project reported a vulnerability in one of its core computation algorithms that mainly affects reading elliptic curve certificates. Some specially crafted certificates and/or private keys based on elliptic curves can send OpenSSL (and its calling process) into an infinite loop:
https://www.openssl.org/news/openssl-1.1.1-notes.html
As you know, Abyss Web Server uses OpenSSL to handle parts of its TLS/SSL support. Hopefully this particular vulnerability is very unlikely to affect it: unlike Web browsers, Abyss Web Server does not validate external certificates as part of its normal operation. It also does not accept client certificates.
Maliciously crafted certificates that could trigger this bug have almost no chance of being encountered by a Web server.
Despite this low risk, we are going to release, in the very near future, a version that includes a fixed OpenSSL version.