OpenSSL to Patch Undisclosed High Severity Vulnerability this Thursday

Attention, please! System administrators and anyone relying on OpenSSL should be prepared to switch to a new version of the open-source crypto library that will be released this Thursday, 9th July.

OpenSSL is a widely used open-source software library that provides encrypted Internet connections using SSL/TLS for the majority of websites, as well as other secure services.

The new versions of the OpenSSL crypto library, versions 1.0.2d and 1.0.1p, address a single security vulnerability classified as "high severity," the OpenSSL Project Team announced on Monday.

No further details about the mystery security vulnerability are available yet, except for the fact that it doesn't affect the 1.0.0 or 0.9.8 series.
"The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p," developer Mark J Cox announced in a mailing list note published yesterday.
"These releases will be made available on 9th July. They will fix a single security defect classified as 'high' severity. This defect does not affect the 1.0.0 or 0.9.8 releases."
The announcement of the new OpenSSL releases was made as concisely as possible to prevent cyber attackers from exploiting the hole before the fix is released to the public.
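
A version triage built only from the release numbers in the announcement above, as an added example (not code from the article or the OpenSSL project). The status labels, function names and sample banners are constructed for illustration; "upgrade" only means the build predates the fixed release of its series, since the announcement does not say which earlier builds are affected.

```python
import re

# Fixed releases named in the announcement, keyed by release series.
FIXED = {"1.0.2": "d", "1.0.1": "p"}
# Series the announcement says this defect does not affect.
NOT_AFFECTED = {"1.0.0", "0.9.8"}

_BANNER_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_banner(banner):
    """Split `openssl version` output into (series, patch letters)."""
    match = _BANNER_RE.search(banner)
    if match is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    return match.group(1), match.group(2)


def _letter_key(letters):
    # Patch letters order as "", a..z, za..zz, so compare by length first.
    return (len(letters), letters)


def triage(banner):
    """Return 'fixed', 'upgrade', 'not-affected' or 'unknown-series'."""
    series, letters = parse_banner(banner)
    if series in NOT_AFFECTED:
        return "not-affected"
    if series not in FIXED:
        return "unknown-series"
    if _letter_key(letters) >= _letter_key(FIXED[series]):
        return "fixed"
    return "upgrade"


if __name__ == "__main__":
    # Constructed sample banners in the format printed by `openssl version`.
    samples = [
        "OpenSSL 1.0.2c 12 Jun 2015",
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "OpenSSL 1.0.1p 9 Jul 2015",
        "OpenSSL 0.9.8zg 11 Jun 2015",
    ]
    for line in samples:
        print("%-36s %s" % (line, triage(line)))
```

Distribution packages often backport fixes without changing the version letter, so an "upgrade" result on a vendor build should be confirmed against the vendor's own advisory.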

Some security experts have speculated that this high severity bug could be another Heartbleed or POODLE, bugs that were considered to be the worst TLS/SSL vulnerabilities and are still believed to be affecting websites on the Internet today.

Heartbleed, discovered in April last year, was a bug in an earlier version of OpenSSL that allowed hackers to read sensitive contents of victims' encrypted data, including credit card details, and even to steal SSL crypto keys from Internet servers or client software.

Months later, another critical flaw known as POODLE -- Padding Oracle On Downgraded Legacy Encryption -- was unearthed in the decade-old but widely used SSL 3.0 cryptographic protocol, which allowed attackers to decrypt the contents of encrypted connections.

However, a bunch of high severity vulnerabilities were fixed in March this year, which included a denial-of-service (DoS) flaw (CVE-2015-0291) that allowed attackers to crash online services, and FREAK (CVE-2015-0204), which allowed attackers to force clients to use weaker encryption.
