Awoogah: Get ready to patch 'severe' bug in OpenSSL this Thursday

Heads up for July 9 security vulnerability fix

Sysadmins and anyone else with systems running OpenSSL code: a new version of the open-source crypto library will be released this week to "fix a single security defect classified as 'high' severity."

The bug, we're told, will be addressed in versions 1.0.2d and 1.0.1p of the software. The vulnerability does not affect the 1.0.0 or 0.9.8 series. OpenSSL is a widely used library that provides encrypted HTTPS connections for countless websites, as well as other secure services.

"The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p," wrote developer Mark Cox in an email today.

"These releases will be made available on 9th July. They will fix a single security defect classified as 'high' severity. This defect does not affect the 1.0.0 or 0.9.8 releases."
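Until the advisory lands, the only thing an administrator can do is work out which of their hosts are in the affected series. The script below is an added example, not from The Register or the OpenSSL project: it parses the line printed by `openssl version` (for example `OpenSSL 1.0.1o 12 Jun 2015`) and classifies it against the announced fix versions, 1.0.2d and 1.0.1p, treating the 1.0.0 and 0.9.8 series as unaffected. The sample lines at the bottom are constructed for illustration. One caveat a practitioner needs: distributions such as Debian, Ubuntu and RHEL backport fixes without changing the upstream letter suffix, so on those systems "vulnerable" here means "check your vendor's advisory", not a definitive verdict.

```shell
#!/bin/sh
# Classify an OpenSSL version against the fixes announced for 9 July 2015.
# Added example, not OpenSSL project code. Fix versions taken from the
# announcement: 1.0.2d and 1.0.1p; 1.0.0 and 0.9.8 are not affected.

# Pull "1.0.1p" out of a full "openssl version" line such as
# "OpenSSL 1.0.1p-fips 9 Jul 2015". Prints nothing if the line has no
# "OpenSSL " prefix.
openssl_version_token() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Rank of the letter suffix: no letter = 0, a = 1, b = 2, ... p = 16.
# OpenSSL patch releases within a branch only ever append a letter,
# so comparing ranks is enough once the branch matches.
openssl_letter_rank() {
    letter=$(printf '%s' "$1" | sed 's/^[0-9.]*//')
    if [ -z "$letter" ]; then
        echo 0
        return
    fi
    alphabet=abcdefghijklmnopqrstuvwxyz
    before=${alphabet%%"$letter"*}
    echo $(( ${#before} + 1 ))
}

# Prints one of: vulnerable, fixed, unaffected, unknown.
# Accepts either a full "openssl version" line or a bare "1.0.1o".
openssl_patch_status() {
    version=$(openssl_version_token "$1")
    [ -n "$version" ] || version=$1
    base=$(printf '%s' "$version" | sed 's/[a-z]*$//')   # e.g. 1.0.1
    case "$base" in
        1.0.2) fixed=1.0.2d ;;
        1.0.1) fixed=1.0.1p ;;
        1.0.0|0.9.8) echo unaffected; return ;;
        *) echo unknown; return ;;
    esac
    rank=$(openssl_letter_rank "$version")
    fixed_rank=$(openssl_letter_rank "$fixed")
    if [ "$rank" -ge "$fixed_rank" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Constructed sample lines in the format "openssl version" prints.
for line in "OpenSSL 1.0.1o 12 Jun 2015" \
            "OpenSSL 1.0.2d-fips 9 Jul 2015" \
            "OpenSSL 1.0.2 22 Jan 2015" \
            "OpenSSL 1.0.0s 11 Jun 2015" \
            "OpenSSL 0.9.8zg 11 Jun 2015"; do
    printf '%-34s %s\n' "$line" "$(openssl_patch_status "$line")"
done

# Classify the locally installed library, if there is one.
if command -v openssl >/dev/null 2>&1; then
    installed=$(openssl version 2>/dev/null)
    printf '%-34s %s\n' "$installed" "$(openssl_patch_status "$installed")"
fi
```

The `-fips` and date suffixes are discarded by the first `sed`, and a version with no letter at all (the initial 1.0.2 release) ranks below every lettered release on that branch, which is what you want: it predates 1.0.2d and needs the patch.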

It's not yet known what exactly the vulnerability is: that would give the game away to attackers hoping to exploit the hole before the patch is released to the public. According to the OpenSSL team, a "high severity" bug includes...

issues affecting common configurations which are also likely to be exploitable. Examples include a server denial-of-service, a significant leak of server memory, and remote code execution. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control, and significantly quicker if there is a significant risk or we are aware the issue is being exploited.

So this week's bug could be anything from a denial-of-service (allowing an attacker to crash an online service) to a Heartbleed-style memory leak to a remote-code execution hole (allowing a miscreant to run malicious code on a vulnerable system).

The most recent high severity bugs were fixed in March: a denial-of-service vulnerability triggered by a malformed ClientHello (CVE-2015-0291), and the FREAK flaw, in which a client would silently accept a weak export-grade RSA key, letting a man-in-the-middle downgrade the strength of the connection's crypto (CVE-2015-0204). ®
