Month: May 2016
OpenSSL project had announced on Thursday (April 28) upcoming security fixes for several vulnerabilities affecting the crypto library.
Every OpenSSL release since the infamous Heartbleed vulnerability1 of April 2014 has been met with nervous anticipation, and that applies as much to the upcoming 1.0.2h, 1.0.1t which will be released on May 3 between 12:00 and 15:00 UTC. These releases will patch several flaws, including ones rated ‘high severity’.
Issues that have a high severity rating affect less common configurations or are less likely to be exploitable. The forthcoming releases are due to be out by next Tuesday. They are not accompanied by any logo or a catchy title.
OpenSSL versions 1.0.0 and 0.9.8 are no longer supported and they will not receive any security updates. Support for version 1.0.1 will end on December 31, 2016.
These updates will be the third round in a year. In January, the project released versions 1.0.2f and 1.0.1r to address a high severity flaw that allows attackers to obtain information that can be used to decrypt secure traffic, and a low severity SSLv2 cipher issue.
The last major flare-up on this front coincided with the DROWN vulnerability, which emerged last month in March. DROWN is a serious flaw that can be exploited to crack encrypted communications. DROWN affected a quarter of the top one million HTTPS domains and one-third of all HTTPS websites at the time of disclosure.