Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

OpenSSL Preparing Updates to Patch High Severity Vulnerability

OpenSSL versions 1.0.2d and 1.0.1p will be released later this week to address a serious security bug, the OpenSSL Project Team announced on Monday.

According to the developers of the popular open-source toolkit for SSL/TLS, OpenSSL 1.0.2d and 1.0.1p will be released on Thursday, July 9, and they will fix a single high severity vulnerability.

OpenSSL versions 1.0.2d and 1.0.1p will be released later this week to address a serious security bug, the OpenSSL Project Team announced on Monday.

According to the developers of the popular open-source toolkit for SSL/TLS, OpenSSL 1.0.2d and 1.0.1p will be released on Thursday, July 9, and they will fix a single high severity vulnerability.

No other details have been made available, except for the fact that the security hole does not affect the 1.0.0 or 0.9.8 releases.

The announcement comes less than a month after OpenSSL versions 1.0.2b, 1.0.1n, 1.0.0s and 0.9.8zg were released to address several moderate and low severity bugs, most of which can be exploited for denial-of-service (DoS) attacks.

The latest versions also patch Logjam (CVE-2015-4000), a TLS bug that can be exploited through man-in-the-middle (MitM) attacks to downgrade connections to 512-bit export-grade cryptography. The vulnerability allows an attacker to read and alter encrypted data.

Researchers often uncover vulnerabilities in OpenSSL. The most widely publicized of them was Heartbleed, a bug that exposed millions of websites to cyberattacks.

Heartbleed represented a wakeup call for the industry and many major organizations pledged support for OpenSSL through the Linux Foundation’s Core Infrastructure Initiative after the existence of the bug came to light.

However, the more than 500,000 lines of code make it difficult to maintain and review OpenSSL, which is why some organizations have started suggesting alternatives.

Advertisement. Scroll to continue reading.

Amazon announced last week the availability of s2n, a new open source implementation of TLS that consists of only 6,000 lines of code. While it cannot replace OpenSSL completely because it doesn’t provide a general purpose cryptography library, Amazon’s implementation of TLS might make its way to some popular services. Amazon says it will integrate s2n into several of its AWS services over the coming months.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Cyber exposure management firm Armis has promoted Alex Mosher to President.

Software giant Atlassian has named David Cross as its new CISO.

Dan Pagel has been named the new CEO of risk management and remediation firm Brinqa.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.