OpenSSL is planning to update two versions of its software this week, patching a pair of vulnerabilities.
The upgrade, to versions 1.0.2f and 1.0.1r, will fix two security defects when it hits on Thursday. One of those is a high-severity issue affecting 1.0.2 releases, and the other is low-severity affecting all releases.
OpenSSL didn’t give specific details about the issues, but its security policy notes that the “high severity” designation means that the vulnerability is dangerous, but not as dangerous as “critical” vulnerabilities, which are denoted as affecting common configurations, being easy to exploit and open to remote attack.
OpenSSL is an open-source toolkit implementing the SSL/TLS protocols that encrypt communications between users and servers, and it is used by a majority of online services. Because it is a basic component of a wide swath of the web, embedded in countless applications, systems and even embedded devices, any security flaw in it deserves attention. Its sheer ubiquity is one of the reasons the Heartbleed flaw took months to patch across the web even after an update was released.
After the infamous Heartbleed flaw in OpenSSL left a majority of the web open to wholesale information theft, the open-source group has been diligent in its coding reviews and patch updates.
The terse approach to explaining the issues at hand this week is typical: OpenSSL has patched a number of these mystery bugs over the last couple of years, disclosing details only once the fix is out. It has also issued updates to address broader SSL/TLS vulnerabilities such as last year's FREAK, which allowed attackers to mount a man-in-the-middle (MITM) attack on traffic between Android or Apple devices and potentially millions of websites by downgrading the connection to crackable 512-bit export-grade encryption.
OpenSSL's 0.9.8 and 1.0.0 branches reached end-of-life in December and will not receive these fixes, while 1.0.1 and 1.0.2 receive security support through the end of 2016 and 2019 respectively. Admins should of course update as soon as the patch is released.
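A small check an admin can run against the versions named above, as an added example that is not part of the original article: it parses the output of `openssl version`, applies OpenSSL's letter-suffix ordering for 1.0.x patch releases (1.0.2 < 1.0.2a < ... < 1.0.2f), and reports whether the installed build is at or past 1.0.2f / 1.0.1r, on an end-of-life branch, or on a branch this advisory does not cover. The `openssl` binary on PATH is assumed; the sample version strings in the comments are constructed.

```python
import re
import subprocess

# First fixed release on each supported branch, as stated in the article,
# and the branches the article says are already end-of-life.
FIXED = {"1.0.2": "1.0.2f", "1.0.1": "1.0.1r"}
EOL_BRANCHES = {"0.9.8", "1.0.0"}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn 'OpenSSL 1.0.2e 3 Dec 2015' (or plain '1.0.2e') into a comparable
    tuple (major, minor, fix, letter). Patch letters sort lexicographically,
    which matches OpenSSL's scheme, including 'z' followed by 'za', 'zb', ..."""
    body = text.strip()
    if body.startswith("OpenSSL "):
        body = body[len("OpenSSL "):]
    m = _VER_RE.search(body)
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % text)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def assess(version_text):
    """Classify a version string as 'patched', 'vulnerable', 'end-of-life'
    or 'not-covered' (a branch the 1.0.2f / 1.0.1r advisory does not address)."""
    v = parse_version(version_text)
    branch = "%d.%d.%d" % v[:3]
    if branch in EOL_BRANCHES:
        return "end-of-life"
    if branch not in FIXED:
        return "not-covered"
    return "patched" if v >= parse_version(FIXED[branch]) else "vulnerable"


def installed_openssl_version():
    """Ask the local openssl binary for its version line (assumes it is on PATH)."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return out.strip()


if __name__ == "__main__":
    line = installed_openssl_version()
    print("%s -> %s" % (line, assess(line)))
```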