A new version of OpenSSL, the open-source software widely used to encrypt internet communications using SSL/TLS, is due to be released this Tuesday 1 March, fixing a number of security defects rated as “high severity.”
If you want to know the specifics of what the vulnerabilities are then, tough. I can’t help. The OpenSSL project team are playing their cards close to their chest.
In an online post, developer Mark J Cox made the brief announcement about the upcoming release of OpenSSL versions 1.0.2g and 1.0.1s.
The advisory went on to underline that anyone using OpenSSL should really be upgrading to the 1.0.2 version, as 1.0.1 will only be receiving security updates until the end of this year.
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2g, 1.0.1s.
These releases will be made available on 1st March 2016 between approximately 1300-1700 UTC. They will fix several security defects with maximum severity “high”.
Please see the following page for further details of severity levels: https://www.openssl.org/policies/secpolicy.html
Please also note that, as per our previous announcements, support for 1.0.1 will end on 31st December 2016.
OpenSSL hasn’t been having the best of times of late. Last month it told users to upgrade in order to fix vulnerabilities with its cryptography, and days later it was slagged off in a German government code review.
None of which is as bad as the pickle OpenSSL found itself in back in 2014, when the notorious Heartbleed bug gave hackers a way to steal secret SSL keys and spy upon the contents of supposedly “secure” communications, such as your credit card details when shared with an online store via HTTPS.
In the wake of Heartbleed, LibreSSL was proposed as a replacement for OpenSSL, and has gained fans because of the comparative clarity of its code and because it has cut out a lot of the cruft which has plagued OpenSSL. But it would be true to say that LibreSSL has also suffered its own fair share of vulnerability reports.
There is no indication that the new vulnerabilities will be anything like as serious as Heartbleed. For one thing, a flaw of that severity would almost certainly have merited a “critical” rating rather than “high”. But they should still be taken seriously, and addressed promptly.