Get ready. Mystery high severity bug in OpenSSL to be patched on Thursday

A new version of OpenSSL, the open-source software widely used to encrypt internet communications using SSL/TLS, is due to be released this Thursday 9th July, patching a single “high severity” vulnerability.

But if you’re hoping I can shed some light on what the vulnerability is, I’m sorry. I can’t help.

In a mailing list posting, developer Mark J Cox announced the new version of the code in the briefest fashion possible:

OpenSSL announcement


The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p.

These releases will be made available on 9th July. They will fix a single security defect classified as “high” severity. This defect does not affect the 1.0.0 or 0.9.8 releases.

Most infamously, OpenSSL was struck by the Heartbleed bug last year, which (amongst other things) threatened up to 50 million Android devices and helped malicious hackers to steal passwords. Oh, and it also had a neat logo.

Fingers crossed, this new vulnerability in OpenSSL won’t be anything like as serious as Heartbleed – but the grading of it as “high severity” means that it could open the door to various threats: ranging from fairly tame denial-of-service attacks to rather unpleasant remote code execution.

Don’t be too upset that the OpenSSL project is keeping details of the vulnerability under its hat for now. No doubt they will be concerned that any information they share in advance could be exploited in live hacks by malicious hackers.

Being careful about vulnerability disclosure is particularly important when the software is so widely used, and understood to be an essential component required in securing internet transactions.

Nobody enjoys thinking about the risks associated with having a security bug in essential code used by so many internet services – especially before a special patch is ready for mainstream use.

But at least you can be reassured that patches are on their way, and that the OpenSSL team is not resting on its laurels.

So, listen up, system administrators and developers. When the update fixing the OpenSSL vulnerability does arrive sometime on Thursday, be sure to patch as soon as possible. You owe it to your own security, and to properly protecting the security of your partners and customers.
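As an added example (not part of the original post or of the OpenSSL project), here is a small check that encodes the quoted announcement's rule, fixed in 1.0.2d and 1.0.1p, 1.0.0 and 0.9.8 unaffected, and applies it to whatever `openssl version` reports. The version banners used below are constructed for the example; note that distributions which backport fixes (Red Hat, for instance) keep the upstream version string, so this only tells you whether the upstream release predates the fix.

```python
import re

# Earliest fixed patch letter per affected branch, from the announcement.
FIXED_PATCH_LETTER = {"1.0.2": "d", "1.0.1": "p"}
# Branches the announcement states are not affected.
UNAFFECTED_BRANCHES = {"1.0.0", "0.9.8"}

# Matches e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" -> branch "1.0.1", letters "e".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Split an `openssl version` banner into (branch, patch_letters).

    Returns None when the banner is not an OpenSSL version line.
    """
    match = VERSION_RE.search(banner)
    if not match:
        return None
    return match.group(1), match.group(2)


def assess(banner):
    """Classify an installed OpenSSL against the 9th July advisory.

    Returns 'unaffected', 'fixed', 'vulnerable' or 'unknown'.  'vulnerable'
    means only that the upstream version predates the fix; vendor builds
    that backport fixes keep the old version string, so check the vendor
    advisory too.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    branch, letters = parsed
    if branch in UNAFFECTED_BRANCHES:
        return "unaffected"
    if branch not in FIXED_PATCH_LETTER:
        return "unknown"
    # OpenSSL 1.0.x/0.9.8 patch releases are lettered a, b, ..., z, za, zb...
    # A bare branch (no letter) is the first release of that branch, and a
    # longer suffix always comes later, so compare (length, letters).
    installed = (len(letters), letters)
    fixed = (len(FIXED_PATCH_LETTER[branch]), FIXED_PATCH_LETTER[branch])
    return "fixed" if installed >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed banners, not taken from any real host.
    for sample in ("OpenSSL 1.0.2c 12 Jun 2015", "OpenSSL 1.0.1e-fips 11 Feb 2013",
                   "OpenSSL 1.0.2d 9 Jul 2015", "OpenSSL 0.9.8zg 11 Jun 2015"):
        print(f"{sample:40} -> {assess(sample)}")
```

On a live host, feed it the output of `openssl version` (for example via `subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout`).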


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

5 comments on “Get ready. Mystery high severity bug in OpenSSL to be patched on Thursday”

    1. Coyote · in reply to drsolly

      Or bugger.

      There have been far too many CVEs for openssl in recent months:

      $ rpm -q –changelog openssl |egrep -c CVE-201[45]
      (an amusing number except perhaps here, given the context)
      $ rpm -q –changelog openssl |egrep -c CVE-2015
      $ rpm -q –changelog openssl |egrep -c CVE-20[01][0-9]

      Far too many in the past 1.51 years, when you consider 68 total for the past 15 years. Scary when you consider the importance of it (there are also fixes to fixes as well as partial fixes, above, but I don't see counting those as a problem here).

      1. Coyote · in reply to Coyote

        Let's try that again, to get around the way dashes are handled…

        rpm -q --changelog openssl |egrep -c CVE-201[45]
        rpm -q --changelog openssl |egrep -c CVE-2015
        rpm -q --changelog openssl |egrep -c CVE-20[01][0-9]

  1. Simon

    "Most infamously, OpenSSL was struck by the Heartbleed bug earlier this year"

    Heartbleed was last year although I admit it doesn't feel that long ago ;)

    1. Graham Cluley · in reply to Simon

      Whoops. Well spotted.

      Doesn't time fly by when you're patching OpenSSL?

      Thanks for letting me know of my goof. Now fixed.
