OpenSSL Preparing Patches for High Severity Flaws

The OpenSSL Project announced today that it will release versions 1.0.2g and 1.0.1s to patch several vulnerabilities, including ones rated “high severity.”

The updates are scheduled for release on March 1 between 1pm and 5pm UTC, OpenSSL developers informed users.

High severity issues rank below critical vulnerabilities because they typically affect less common configurations or are less likely to be exploitable. Flaws rated high severity are kept private until a patch is released, usually within a month of the bug being reported.

Last month, the OpenSSL Project released version 1.0.2f to patch a high severity flaw that allows attackers to obtain information that can be leveraged to decrypt secure traffic (CVE-2016-0701).

The problem is related to the generation of X9.42-style parameter files as required by RFC 5114. Experts discovered that the primes in these files are not necessarily safe primes, allowing attackers to obtain the key needed to decrypt traffic if the targeted application uses the Diffie-Hellman (DH) key exchange and is configured with parameters based on unsafe primes.
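As an added illustration (not from the article or the OpenSSL project), the following Python audits a DH group the way a defender would before deploying it: it checks whether p is a safe prime and, for X9.42-style parameters that carry an explicit subgroup order q, lists the small prime factors of the cofactor (p-1)/q, each of which is the order of a small subgroup that a safe prime would not have. The numeric values are constructed toy parameters, not real deployment groups.

```python
import random

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test; deterministic on the fixed seed below."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0xC0FFEE)  # fixed seed keeps the check reproducible
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p):
    """A safe prime p has p and (p-1)/2 both prime, so the only subgroups of Z_p* are of order 1, 2, q, 2q."""
    return p > 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def small_factors(n, bound=1 << 16):
    """Distinct prime factors of n below `bound`, by trial division."""
    factors, f = [], 2
    while f < bound and f * f <= n:
        if n % f == 0:
            factors.append(f)
            while n % f == 0:
                n //= f
        f += 1
    if 1 < n < bound:
        factors.append(n)
    return factors

def audit_dh_params(p, g, q=None):
    """Report on (p, g[, q]); q defaults to (p-1)/2, the safe-prime convention."""
    if q is None:
        q = (p - 1) // 2
    return {
        "p_is_prime": is_probable_prime(p),
        "safe_prime": is_safe_prime(p),
        "q_divides_p_minus_1": (p - 1) % q == 0,
        "g_has_order_q": 1 < g < p - 1 and pow(g, q, p) == 1,
        # orders of small subgroups an implementation must guard against
        "small_subgroup_orders": small_factors((p - 1) // q),
    }
```

With the constructed safe prime p=23 (q=11, g=4) the only small subgroup has order 2, whereas the constructed X9.42-style group p=331, q=11, g=270 has cofactor 30 and small subgroups of order 2, 3 and 5.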

OpenSSL 1.0.1 was also updated in January to patch a low severity SSLv2 cipher issue and update the previous fix for the Logjam vulnerability.

The OpenSSL Project has once again reminded users that support for version 1.0.1 will end on December 31, 2016. Support for the 1.0.0 and 0.9.8 releases ended on December 31, 2015.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.