OpenSSL to Patch Two Vulnerabilities This Week


steven36

OpenSSL is scheduled to update two versions of the software this week, patching a pair of vulnerabilities in the process.

The OpenSSL project this morning said the updates will move users to versions 1.0.2f and 1.0.1r and should be available Thursday between 8 a.m. and noon Eastern time.

“They will fix two security defects, one of ‘high’ severity affecting 1.0.2 releases, and one ‘low’ severity affecting all releases,” OpenSSL said in its advisory. According to the OpenSSL security policy, published in late 2014, high severity vulnerabilities trigger new releases, but are less severe than critical bugs.

Vulnerabilities are ranked high severity if they’re happening in less common configurations, OpenSSL said. Critical vulnerabilities, for example, affect common configurations and are much easier to exploit, can be attacked remotely, and will leak memory such as private crypto keys.

 

No specific details about the flaws are available. OpenSSL was last patched in December when four flaws were fixed in 0.9.8 and 1.0.0, the final security patches for both versions. Versions 1.0.1 and 1.0.2 will receive security support through the end of 2016 and 2019 respectively. OpenSSL is one of the more widely deployed cryptographic libraries, living in not only homespun applications, but also in commercial software products. Since the discovery of the Heartbleed vulnerability in the spring of 2014, OpenSSL has made massive leaps in cleaning up its code and processes.

 

Shortly after Heartbleed, funding was funneled in OpenSSL’s direction by the Core Infrastructure Initiative, giving it enough resources to hire its first full-time employees and develop a road map for overhauling critical areas of the code, including the TLS state machine.

 

See more at: OpenSSL to Patch Two Vulnerabilities This Week

https://mta.openssl.org/pipermail/openssl-announce/2016-January/000058.html

 
