The Win32/64 binary releases contain vulnerable OpenSSL DLL files. All users are encouraged to upgrade to the latest version.
In-depth
From Secunia's advisory at http://secunia.com/advisories/37291/:
---
Description:
A vulnerability has been reported in OpenSSL, which can be exploited by malicious people to manipulate certain data.
The vulnerability is caused due to an error in the TLS protocol while handling session re-negotiations. This can be exploited to insert arbitrary plaintext before data sent by a legitimate client in an existing TLS session via Man-in-the-Middle (MitM) attacks.
Successful exploitation may allow e.g. sending an arbitrary HTTP request under an authenticated context if certificate-based authentication is used by the server.
The OpenSSL project released library version 0.9.8l, which includes the fixes committed to the CVS repository at http://cvs.openssl.org/chngview?cn=18790. The VooDoo cIRCle version 1.1.38 binary distribution for Windows systems includes builds of OpenSSL version 0.9.8l and is therefore not affected by this vulnerability.
All versions prior to 1.1.38 are affected by this security vulnerability. VooDoo cIRCle 1.1.38 binary releases for Win32/64 are not affected. Versions using an older OpenSSL library, on any platform, and custom builds might be vulnerable. That is, all officially binary-distributed versions of VooDoo cIRCle prior to 1.1.38, and any builds linked against a vulnerable OpenSSL library, are affected by this vulnerability.
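For custom builds, one way to check which OpenSSL release a program is linked against (an added example, not part of VooDoo cIRCle or of the original advisory). It decodes the packed version number that OpenSSL 0.9.x exposes and compares it with 0.9.8l; the function names and the sample values are constructed for illustration.

```c
#include <stdio.h>

/* OpenSSL 0.9.x packs its version as 0xMNNFFPPS: major, minor, fix,
 * patch letter (1 = 'a'), status (0xf = release). 0.9.8l is 0x009080cf. */
#define OPENSSL_0_9_8L 0x009080cfUL

enum verdict { PRE_0_9_8L, AT_LEAST_0_9_8L, NOT_A_RELEASE };

/* Render the packed number as text, e.g. 0x009080bf -> "0.9.8k". */
const char *version_text(unsigned long v, char *buf, size_t len)
{
    unsigned patch = (unsigned)(v >> 4) & 0xff;
    int n = snprintf(buf, len, "%lu.%lu.%lu",
                     (v >> 28) & 0xf, (v >> 20) & 0xff, (v >> 12) & 0xff);
    if (patch >= 1 && patch <= 26 && n > 0 && (size_t)n + 1 < len) {
        buf[n] = (char)('a' + patch - 1);
        buf[n + 1] = '\0';
    }
    return buf;
}

enum verdict classify(unsigned long v)
{
    if ((v & 0xf) != 0xf)          /* dev/beta build: advisory names releases only */
        return NOT_A_RELEASE;
    /* At or above 0.9.8l the advisory's fix is present; per its special
     * note that covers listening server sockets, not client sockets. */
    return v < OPENSSL_0_9_8L ? PRE_0_9_8L : AT_LEAST_0_9_8L;
}

int main(void)
{
    /* Constructed sample values; a program linked against OpenSSL 0.9.8
     * would pass the result of SSLeay() instead. */
    unsigned long samples[] = { 0x0090709fUL, 0x009080bfUL, 0x009080cfUL, 0x009080c1UL };
    static const char *label[] = { "older than 0.9.8l: affected",
                                   "0.9.8l or later", "pre-release: check manually" };
    char buf[16];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s %s\n", version_text(samples[i], buf, sizeof buf),
               label[classify(samples[i])]);
    return 0;
}
```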
Special note
OpenSSL library version 0.9.8l protects only secure listening server sockets. However, VooDoo cIRCle can act as a client as well, and the library leaves secure client sockets unprotected.
See http://openssl.org/news/secadv_20091111.txt for more information.
Thanks to Stefan Cornelius, Security Specialist at http://secunia.com/ for notifying me regarding this problem.
Workaround
There is no known workaround at this time.
Solution
Update to the latest version, VooDoo cIRCle 1.1.38, which is not vulnerable.
All Windows users using binary builds are strongly encouraged to download the latest version of VooDoo cIRCle.
Time line
2009-11-06 - Received notification about OpenSSL vulnerability from http://secunia.com/.
2009-11-12 - Release of VooDoo cIRCle 1.1.38, public disclosure - this advisory.