Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

OpenSSL Preparing Updates to Patch High Severity Vulnerability

OpenSSL versions 1.0.2d and 1.0.1p will be released later this week to address a serious security bug, the OpenSSL Project Team announced on Monday.

According to the developers of the popular open-source toolkit for SSL/TLS, OpenSSL 1.0.2d and 1.0.1p will be released on Thursday, July 9, and they will fix a single high severity vulnerability.

OpenSSL versions 1.0.2d and 1.0.1p will be released later this week to address a serious security bug, the OpenSSL Project Team announced on Monday.

According to the developers of the popular open-source toolkit for SSL/TLS, OpenSSL 1.0.2d and 1.0.1p will be released on Thursday, July 9, and they will fix a single high severity vulnerability.

No other details have been made available, except for the fact that the security hole does not affect the 1.0.0 or 0.9.8 releases.

The announcement comes less than a month after OpenSSL versions 1.0.2b, 1.0.1n, 1.0.0s and 0.9.8zg were released to address several moderate and low severity bugs, most of which can be exploited for denial-of-service (DoS) attacks.

The latest versions also patch Logjam (CVE-2015-4000), a TLS bug that can be exploited through man-in-the-middle (MitM) attacks to downgrade connections to 512-bit export-grade cryptography. The vulnerability allows an attacker to read and alter encrypted data.

Researchers often uncover vulnerabilities in OpenSSL. The most widely publicized of them was Heartbleed, a bug that exposed millions of websites to cyberattacks.

Advertisement. Scroll to continue reading.

Heartbleed represented a wakeup call for the industry and many major organizations pledged support for OpenSSL through the Linux Foundation’s Core Infrastructure Initiative after the existence of the bug came to light.

However, the more than 500,000 lines of code make it difficult to maintain and review OpenSSL, which is why some organizations have started suggesting alternatives.

Amazon announced last week the availability of s2n, a new open source implementation of TLS that consists of only 6,000 lines of code. While it cannot replace OpenSSL completely because it doesn’t provide a general purpose cryptography library, Amazon’s implementation of TLS might make its way to some popular services. Amazon says it will integrate s2n into several of its AWS services over the coming months.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.