A serious vulnerability was discovered in OpenSSL in the New Year.
Although the conditions under which it is likely to occur are unusual, when it does occur the vulnerability is severe: it results in the re-use of components in TLS, which could make it easy for an attacker to decrypt encrypted communications (SSL, HTTPS, etc.). Full details are given here. Additional information is on Antonio Sanso’s blog; he discovered the vulnerability.
If you are unsure which version of OpenSSL is running on your Mac, open Terminal, and type the command
to find out. Versions of 1.0.2 prior to 1.0.2f are believed to be vulnerable.
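As an added example (not part of the original post), the following shell script turns the version check into something repeatable: it classifies an OpenSSL version string against the range the post describes (1.0.2 releases before 1.0.2f) and, if an `openssl` binary is on the PATH, reports on it. The function names `is_affected`, `verdict` and `report_local_openssl` are ours; the script assumes `openssl version` prints its usual `OpenSSL <version> <date>` line, and the sample strings and their dates are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): classify an OpenSSL version
# string against the affected range the post describes, i.e. 1.0.2 releases
# before 1.0.2f. Function names are ours.

# is_affected "VERSION"
#   VERSION may be the raw output of `openssl version`
#   ("OpenSSL 1.0.2d <date>") or a bare token ("1.0.2d").
#   Exit status: 0 = in the affected range, 1 = outside it, 2 = unparseable.
is_affected() {
    ver=${1#OpenSSL }          # strip a leading "OpenSSL " if present
    ver=${ver%% *}             # keep the first word only (the version token)

    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;      # looks like MAJOR.MINOR.FIX[letter]
        *) return 2 ;;                # anything else: refuse to guess
    esac

    case "$ver" in
        1.0.2 | 1.0.2[a-e]) return 0 ;;   # 1.0.2 up to and including 1.0.2e
        *)                  return 1 ;;   # 1.0.2f or later, or another branch
    esac
}

# verdict "VERSION": print a one-line, human-readable classification.
# The exit status is captured explicitly so the function is safe under set -e.
verdict() {
    rc=0
    is_affected "$1" || rc=$?
    case $rc in
        0) printf '%s: in the affected range (1.0.2 before 1.0.2f)\n' "$1" ;;
        1) printf '%s: not in the affected range\n' "$1" ;;
        *) printf '%s: could not parse a version number\n' "$1" ;;
    esac
}

# Check whichever `openssl` is first on PATH (on a Mac, normally /usr/bin/openssl).
report_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        verdict "$(openssl version 2>/dev/null)"
    else
        echo "no openssl binary found on PATH"
    fi
}

# Constructed sample strings (dates illustrative) so the script demonstrates
# itself offline, followed by the check of the local binary.
for sample in "OpenSSL 1.0.2d 9 Jul 2015" "OpenSSL 1.0.2f 28 Jan 2016" \
              "OpenSSL 0.9.8zh 3 Dec 2015" "not-a-version"; do
    verdict "$sample"
done
report_local_openssl
```

Only the 1.0.2 branch is flagged, matching the post's statement; other branches and anything that does not look like a version number are reported separately rather than silently treated as safe, so an unexpected string (for example from a different TLS library) is noticed instead of passing the check.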
Currently, El Capitan (10.11.3) uses version 1.0.2d, which could be vulnerable if the conditions are met. Apple is expected to release a fix for this soon; depending on its assessment of the likelihood of the conditions being met, this might be pushed out as an urgent patch.
Thanks to Ars Technica for alerting us to this issue.