Pierluigi Paganini March 17, 2015

New versions of OpenSSL will be released on Thursday to patch critical security vulnerabilities, one of which is considered very dangerous.

The OpenSSL Project Team announced in an advisory published on Monday that new versions of OpenSSL will be released on Thursday to patch several security vulnerabilities. The disconcerting news is that at least one of them is considered highly serious, according to the OpenSSL Project Team.

OpenSSL member Matt Caswell reported the existence of the vulnerability in a mailing list note.

“The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.  These releases will be made available on 19th March. They will fix a number of security defects. The highest severity defect fixed by these releases is classified as “high” severity. ” states the advisory

According to the advisory, the updates will be included in the OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

The public advisory did not provide details of the vulnerabilities that will be fixed to avoid that hackers in the wild could exploit them.

In 2014, the security experts discovered numerous flaws in the OpenSSL library which is widely used as the implementation of the SSL and TLS protocols. The most popular is the Heartbleed flaw that was discovered in April 2014, which could be exploited by attackers to steal memory content from a vulnerable server, potentially exposing sensitive data like login credentials and cryptographic keys.

Another vulnerability recently discovered, FREAK, affects the software threatening the security of encrypted connections.

In response to the security issues emerged with the encryption libraries, major vendors are funding the Core Infrastructure Initiative, a multi-million dollar project housed at The Linux Foundation “to fund open source projects that are in the critical path for core computing functions“.

Pierluigi Paganini

(Security Affairs –  OpenSSL, security)