OpenSSL Set For High Severity Security Fix

The team behind OpenSSL is set to release several fixes for the open source software later this week including one which will patch a high severity issue.

A post by Matt Caswell of the OpenSSL Project Team did not go much further than to announce OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

He added:

“These releases will be made available on 19th March. They will fix a number of security defects. The highest severity defect fixed by these releases is classified as ‘high’ severity.”

Given the popularity of the open source implementation of the SSL and TLS security protocols, admins will be nervously awaiting more details on the high severity problem that needs fixing.

They’ll be hoping it’s nothing as bad as the infamous Heartbleed bug discovered last April.

That vulnerability allowed attackers to steal encryption keys from internet servers or client software using OpenSSL and decrypt the data flowing between them.

In June the same year a serious man-in-the-middle (MITM) vulnerability was discovered and fixed by the OpenSSL Project Team and then in October it was forced to patch the much-publicized POODLE flaw.

This worked by allowing attackers to force a “fallback” to the use of SSL 3.0 and then steal session cookies that could give them access to a victim’s online accounts.

This year has been relatively quiet on the security front thus far, although eight new flaws were patched in January.

Last Monday a group of security consultants announced a comprehensive independent audit of OpenSSL in a bid to improve its security and stability.

The move followed a code reformat earlier this year designed to remove its worst idiosyncrasies and make OpenSSL “easier to work with in the future,” according to Caswell.

Such is the importance of OpenSSL to the security of the web that major vendors like Adobe, Cisco, IBM and Amazon Web Services have backed the Linux Foundation’s multi-million dollar Core Infrastructure Initiative.

The aim is to fund key projects, like the OpenSSL audit, that are “in the critical path for core computing functions.”

What’s Hot on Infosecurity Magazine?