In an advisory issued on Thursday US time, the project said the issue had been reported by Akamai's Benjamin Kaduk and was found by Xiang Ding of the same firm.
The vulnerability was a CA certificate check bypass when the X509_V_FLAG_X509_STRICT flag is set. It was caused by an error in the implementation of an additional check intended to disallow certificates in the chain that have explicitly encoded elliptic curve parameters.
Red Hat's Tomáš Mráz created a fix for this vulnerability.
Of this, the project said: "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client.
"If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack.
"A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration)."
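The advisory's precondition above is a configuration one: the server must still negotiate TLSv1.2 and must still permit renegotiation. The following Python example, added here and not part of the article or of OpenSSL's own code, uses the standard-library ssl module (which wraps the system's OpenSSL) to audit a server context for those two conditions and to build a hardened context that removes them. The function names and the audit dictionary layout are this example's own choices; the OP_NO_RENEGOTIATION option and TLSVersion enum are real Python ssl module features.

```python
"""Audit and harden a server-side TLS context (added example, not from the
article). Uses only Python's standard ssl module, which wraps OpenSSL."""
import ssl


def no_renegotiation_flag_available() -> bool:
    """OP_NO_RENEGOTIATION is exposed by Python 3.7+ built against an
    OpenSSL that supports it; older builds cannot disable renegotiation."""
    return hasattr(ssl, "OP_NO_RENEGOTIATION")


def renegotiation_possible(ctx: ssl.SSLContext) -> bool:
    """True if the context still allows TLS renegotiation."""
    if not no_renegotiation_flag_available():
        # The interpreter cannot turn it off, so assume it is enabled.
        return True
    return not (ctx.options & ssl.OP_NO_RENEGOTIATION)


def tls12_possible(ctx: ssl.SSLContext) -> bool:
    """True if the context will still negotiate TLSv1.2 (or lower)."""
    return ctx.minimum_version <= ssl.TLSVersion.TLSv1_2


def default_server_context() -> ssl.SSLContext:
    """A plain server context: renegotiation stays enabled, matching the
    advisory's note that this is the default configuration."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def hardened_server_context(tls13_only: bool = False) -> ssl.SSLContext:
    """Server context with renegotiation disabled and, optionally, TLSv1.2
    switched off entirely so that only TLSv1.3 is negotiated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if no_renegotiation_flag_available():
        ctx.options |= ssl.OP_NO_RENEGOTIATION
    if tls13_only:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarise whether the advisory's two preconditions still hold."""
    return {
        "renegotiation_enabled": renegotiation_possible(ctx),
        "tls12_enabled": tls12_possible(ctx),
    }


if __name__ == "__main__":
    print("default :", audit(default_server_context()))
    print("hardened:", audit(hardened_server_context(tls13_only=True)))
```

Disabling renegotiation removes the precondition the advisory names without changing the cipher or certificate configuration; restricting the context to TLSv1.3 is the stronger option but may cut off older clients, so it is offered as a separate switch.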
Two Linux distributions, Debian and Ubuntu, have already issued patches for the two vulnerabilities.
OpenSSL is a cryptographic library that implements SSL (Secure Sockets Layer) and TLS (Transport Layer Security) encryption. It is used in applications that need secure communications, either to avoid eavesdropping or to verify the identity of the party at the other end.
The last high-severity bug in OpenSSL was announced in 2017.
In 2014, OpenSSL was badly hit by a bug that came to be known as Heartbleed. Despite patches being released, there were still a sizeable number of systems that could be exploited using the vulnerability three years later.
Following the Heartbleed episode, Theo de Raadt, leader of the OpenBSD project, announced that his project would clean up the code of OpenSSL and release it as LibreSSL, with the first version being released in July 2014.
Contacted for comment, de Raadt said: "LibreSSL does not contain the bug, because it doesn't contain that code."
Senior Debian developer Russell Coker, who has also contributed code to the NSA's SE Linux module, said: "It seems like the OpenBSD people are doing good work, we all should be considering using their fork."