OpenSSL announced fix for mystery high critical vulnerability

New versions of OpenSSL will be released on Thursday to patch critical security vulnerabilities, one of which is considered very dangerous.

The OpenSSL Project Team announced in an advisory published on Monday that new versions of OpenSSL will be released on Thursday to patch several security vulnerabilities. The disconcerting news is that at least one of them is considered highly serious, according to the OpenSSL Project Team.

OpenSSL member Matt Caswell reported the existence of the vulnerability in a mailing list note.

“The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf. These releases will be made available on 19th March. They will fix a number of security defects. The highest severity defect fixed by these releases is classified as “high” severity. ” states the advisory

According to the advisory, the updates will be included in the OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

The public advisory did not provide details of the vulnerabilities that will be fixed to avoid that hackers in the wild could exploit them.

In 2014, the security experts discovered numerous flaws in the OpenSSL library which is widely used as the implementation of the SSL and TLS protocols. The most popular is the Heartbleed flaw that was discovered in April 2014, which could be exploited by attackers to steal memory content from a vulnerable server, potentially exposing sensitive data like login credentials and cryptographic keys.

Another vulnerability recently discovered, FREAK, affects the software threatening the security of encrypted connections.

In response to the security issues emerged with the encryption libraries, major vendors are funding the Core Infrastructure Initiative, a multi-million dollar project housed at The Linux Foundation “to fund open source projects that are in the critical path for core computing functions“.

Pierluigi Paganini

(Security Affairs – OpenSSL, security)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.