The OpenSSL Project has informed users that an upcoming update will patch a critical vulnerability in the open source cryptography and secure communication toolkit.
OpenSSL version 3.0.7 is scheduled for Tuesday, November 1, between 13:00 and 17:00 UTC. No details have been provided, but it has been described as a ‘security-fix release’ that will include a patch for a vulnerability rated ‘critical’.
The issue does not appear to impact OpenSSL versions prior to 3.0.
This is the first critical vulnerability patched in OpenSSL since September 2016, and only the second flaw to be officially assigned a ‘critical’ severity rating.
[ READ: Evolution of OpenSSL Security After Heartbleed ]
In addition to the 3.0.7 release, the OpenSSL Project is also preparing version 1.1.1s, which is a bug fix release scheduled for the same day.
The OpenSSL Project started assigning severity ratings to vulnerabilities in 2014, when the notorious Heartbleed vulnerability came to light. Since the disclosure of Heartbleed, OpenSSL security has evolved significantly.
Roughly a dozen high-severity issues were discovered between 2014 and 2017. Then, no other high-severity vulnerabilities were identified until 2020, when two bugs were assigned this rating. Three high-severity issues were found in 2021 and two in 2022.
Related: Three New Vulnerabilities Patched in OpenSSL
Related: OpenSSL Vulnerability Can Be Exploited to Change Application Data
Related: High-Severity DoS Vulnerability Patched in OpenSSL
Related: OpenSSL Patches Remote Code Execution Vulnerability