The OpenSSL Project announced today that it will release versions 1.0.2g and 1.0.1s to patch several vulnerabilities, including ones rated “high severity.”
The updates are scheduled for release on March 1 between 1pm and 5pm UTC, OpenSSL developers informed users.
High severity issues rank below critical vulnerabilities because they usually affect less common configurations or are less likely to be exploitable. Flaws rated high severity are kept private until a patch is released, usually within a month of the bug being reported.
Last month, the OpenSSL Project released version 1.0.2f to patch a high severity flaw that allows attackers to obtain information that can be leveraged to decrypt secure traffic (CVE-2016-0701).
The problem is related to the generation of X9.42 style parameter files as required in RFC 5114. Experts discovered that the primes in these files may not be safe, allowing attackers to obtain the key needed to decrypt traffic if the targeted application uses the Diffie-Hellman (DH) key exchange and is configured with parameters based on unsafe primes.
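A defender-side check for the condition described above, as an added example that is not OpenSSL's code or part of the original article: it tests whether a DH modulus p is a safe prime (p and (p-1)/2 both prime) and lists small factors of p-1. The function names and the sample values 2039 and 2^61-1 are constructed for illustration.

```python
# Added example: sample values are constructed, not taken from OpenSSL or RFC 5114.
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases: exact for n < 2**64, probabilistic above."""
    if n < 2:
        return False
    for b in _BASES:                 # trial division also handles every n <= 37
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:                # write n - 1 as d * 2**r with d odd
        d //= 2
        r += 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False             # base a is a witness that n is composite
    return True

def is_safe_prime(p):
    """True when p is prime and (p - 1) / 2 is prime as well."""
    return p > 4 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def small_factors(p, bound=100):
    """Odd primes below `bound` dividing p - 1 (empty for a DH-sized safe prime)."""
    return [q for q in range(3, bound, 2)
            if is_probable_prime(q) and (p - 1) % q == 0]

def audit(p):
    """One-line verdict for a candidate DH modulus."""
    if not is_probable_prime(p):
        return "not prime"
    if is_safe_prime(p):
        return "safe prime"
    return "prime, not safe; small factors of p-1: %s" % small_factors(p)

if __name__ == "__main__":
    for p in (2039, 2**61 - 1):      # constructed: one safe prime, one prime that is not safe
        print(p, "->", audit(p))
```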
OpenSSL 1.0.1 was also updated in January to patch a low severity SSLv2 cipher issue and update the previous fix for the Logjam vulnerability.
The OpenSSL Project has once again reminded users that support for version 1.0.1 will end on December 31, 2016. Support for the 1.0.0 and 0.9.8 releases ended on December 31, 2015.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
