Patches due to land on March 1
Developers behind the widely used OpenSSL encryption library have warned that they will issue fixes for a mix of bugs next Tuesday (1 March).
The patches will land right in the middle of the RSA Conference, infosec marketing’s version of the Super Bowl.
It’s understood the bugs are significant (as in, patch as soon as you can) rather than devastating (drop everything, patch this instant). OpenSSL’s pre-release advisory (extract below) gives few clues to what’s coming, beyond rating the worst of the bugs due to be squashed as high severity.
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2g, 1.0.1s.
These releases will be made available on 1st March 2016 between approximately 1300-1700 UTC.
They will fix several security defects with maximum severity “high.”
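The check a practitioner would want ready for release day is a version comparison against the fixed releases named in the advisory extract above. The following is an added example written for this page; it is not the article's own code nor an OpenSSL project tool. It takes only the fixed release numbers (1.0.2g and 1.0.1s) from the advisory; the sample version strings are constructed, and the name of the `openssl` binary is an assumption.

```python
"""Decide whether a reported OpenSSL version predates the 1 March 2016 fixes."""
import re
import subprocess

# Fixed releases named in the advisory, keyed by release branch.
FIXED_RELEASES = {
    "1.0.2": "1.0.2g",
    "1.0.1": "1.0.1s",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Parse 'OpenSSL 1.0.2f  28 Jan 2016' (or a bare '1.0.2f') into a sortable tuple.

    OpenSSL 1.x patch releases are lettered (1.0.2f < 1.0.2g), so the trailing
    letters are kept as a string and compared lexicographically. An unlettered
    base release ('1.0.2') sorts before '1.0.2a', and '1.0.2z' before '1.0.2za'.
    """
    text = text.strip()
    if text.startswith("OpenSSL "):
        text = text[len("OpenSSL "):]
    m = _VERSION_RE.match(text)
    if not m:
        # LibreSSL, BoringSSL or garbage: refuse rather than guess.
        raise ValueError("unrecognised OpenSSL version string: %r" % text)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def branch_of(version):
    """Map a parsed version to its release branch, e.g. (1, 0, 2, 'f') -> '1.0.2'."""
    return "%d.%d.%d" % version[:3]


def assess(version_text):
    """Return (status, detail) for a version string.

    status is 'vulnerable', 'fixed' or 'unknown'. 'unknown' means a branch the
    advisory does not list (e.g. 1.0.0 or 0.9.8), which is itself worth a look
    since those branches no longer receive fixes.
    """
    v = parse_version(version_text)
    branch = branch_of(v)
    fixed_text = FIXED_RELEASES.get(branch)
    shown = version_text.strip()
    if fixed_text is None:
        return ("unknown", "branch %s is not covered by the advisory" % branch)
    if v < parse_version(fixed_text):
        return ("vulnerable", "%s predates %s" % (shown, fixed_text))
    return ("fixed", "%s is at or after %s" % (shown, fixed_text))


def installed_version(openssl_binary="openssl"):
    """Run `openssl version` and return its first output line.

    The binary name is an assumption; pass a full path for a non-default build.
    """
    result = subprocess.run([openssl_binary, "version"],
                            capture_output=True, text=True, check=True)
    return result.stdout.splitlines()[0]


if __name__ == "__main__":
    # Constructed sample strings covering the cases the advisory implies.
    samples = [
        "OpenSSL 1.0.2f  28 Jan 2016",
        "OpenSSL 1.0.2g  1 Mar 2016",
        "OpenSSL 1.0.1s  1 Mar 2016",
        "OpenSSL 1.0.0t  3 Dec 2015",
    ]
    for sample in samples:
        print("%-30s -> %s: %s" % (sample, *assess(sample)))
    try:
        print("installed: %s: %s" % assess(installed_version()))
    except (OSError, subprocess.CalledProcessError, ValueError) as exc:
        print("could not assess the installed openssl:", exc)
```

Two caveats when running this against real hosts. Distribution packages (Debian, Ubuntu, Red Hat and others) routinely backport security fixes without bumping the upstream version string, so a `vulnerable` verdict from the string alone must be confirmed against the distribution's own changelog or package version. And the string tells you about the `openssl` binary on the path, not about every library copy a running service has loaded; statically linked or vendored copies need to be found and checked separately.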
Some estimates suggest that up to two-thirds of all web servers use OpenSSL, so the technology is hugely significant to the smooth running of the internet.
Security watchers pay very close attention to OpenSSL vulnerabilities, particularly since the infamous Heartbleed attack of April 2014.
The Heartbleed bug let attackers read the memory of systems running vulnerable versions of OpenSSL.
Anything in that memory – SSL private keys, user credentials and more – was exposed as a result.
There have been a few security flaps involving OpenSSL, but nothing even remotely as bad.
The latest flaw is more than likely to be significant rather than devastating, according to crypto security experts.
“From what I’ve heard, the flaw is interesting (there’s nice new research behind it) and has significant real-life impact,” according to Ivan Ristic, director of engineering at cloud security firm Qualys, and author of Bulletproof SSL and TLS.
Earlier this month a security audit and code review of OpenSSL by Sirrix AG (sponsored by the BSI, the German Federal Office for Information Security) turned up multiple problems in the software. ®