A new version of OpenSSL, the open-source software widely used to encrypt internet communications using SSL/TLS, is due to be released this Thursday 9th July, patching a single “high severity” vulnerability.
But if you’re hoping I can shed some light on what the vulnerability is, I’m sorry. I can’t help.
In a mailing list posting, developer Mark J Cox announced the new version of the code in the briefest fashion possible:
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p.
These releases will be made available on 9th July. They will fix a single security defect classified as “high” severity. This defect does not affect the 1.0.0 or 0.9.8 releases.
Most infamously, OpenSSL was struck by the Heartbleed bug last year, which (amongst other things) threatened up to 50 million Android devices and helped malicious hackers to steal passwords. Oh, and it also had a neat logo.
Fingers crossed, this new vulnerability in OpenSSL won’t be anything like as serious as Heartbleed – but the grading of it as “high severity” means that it could open the door to various threats: ranging from fairly tame denial-of-service attacks to rather unpleasant remote code execution.
Don’t be too upset that the OpenSSL project is keeping details of the vulnerability under its hat for now. No doubt they will be concerned that any information they share in advance could be exploited in live hacks by malicious hackers.
Being careful about vulnerability disclosure is particularly important when the software is so widely used, and understood to be an essential component required in securing internet transactions.
Nobody enjoys thinking about the risks associated with having a security bug in essential code used by so many internet services – especially before a special patch is ready for mainstream use.
But at least you can be reassured that patches are on their way, and that the OpenSSL team is not resting on its laurels.
So, listen up system administrators and developers. When the update fixing the OpenSSL vulnerability does arrive sometime on Thursday, be sure to patch as soon as possible. You owe it not only to your own security, but also to the security of your partners and customers.
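As an added example (not from the article or the OpenSSL project), here is a small check an administrator could run over the first line of `openssl version` to decide, from nothing more than the announcement above, whether an installed library still needs Thursday's update. The banner strings used in it are constructed, and the function names are my own.

```python
import re

# Versions named in the announcement as carrying the fix, keyed by release branch.
# The announcement also states that 1.0.0 and 0.9.8 are not affected.
FIXED_VERSIONS = {"1.0.2": "d", "1.0.1": "p"}
UNAFFECTED_BRANCHES = {"1.0.0", "0.9.8"}

# Matches e.g. "OpenSSL 1.0.2c 12 Jun 2015" or "OpenSSL 1.0.1e-fips 11 Feb 2013".
_BANNER_RE = re.compile(r"^OpenSSL (\d+\.\d+\.\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Split an `openssl version` banner into (branch, letter_suffix)."""
    match = _BANNER_RE.match(banner.strip())
    if not match:
        raise ValueError(f"unrecognised OpenSSL version banner: {banner!r}")
    return match.group(1), match.group(2)


def patch_status(banner):
    """Return 'patch-needed', 'patched', 'unaffected' or 'unknown' for a banner.

    Caveat: distribution packages often backport security fixes without changing
    the upstream version string, so on such systems the package changelog (for
    example `rpm -q --changelog openssl`) is the authoritative source, not this.
    """
    branch, letter = parse_openssl_version(banner)
    if branch in UNAFFECTED_BRANCHES:
        return "unaffected"
    fixed_letter = FIXED_VERSIONS.get(branch)
    if fixed_letter is None:
        return "unknown"  # a branch the announcement says nothing about
    # OpenSSL letter releases sort alphabetically; an empty suffix is the base release.
    return "patched" if letter >= fixed_letter else "patch-needed"


if __name__ == "__main__":
    # Constructed sample banners, one per outcome.
    for sample in ("OpenSSL 1.0.2c 12 Jun 2015",
                   "OpenSSL 1.0.1p 9 Jul 2015",
                   "OpenSSL 0.9.8zg 11 Jun 2015",
                   "OpenSSL 1.1.0 1 Jan 2016"):
        print(f"{sample!r:40} -> {patch_status(sample)}")
```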
Bother.
Or bugger.
There have been far too many CVEs for openssl in recent months:
$ rpm -q –changelog openssl |egrep -c CVE-201[45]
42
(an amusing number except perhaps here, given the context)
$ rpm -q –changelog openssl |egrep -c CVE-2015
20
$ rpm -q –changelog openssl |egrep -c CVE-20[01][0-9]
68
Far too many in the past 1.51 years, when you consider 68 total for the past 15 years. Scary when you consider the importance of it (there are also fixes to fixes as well as partial fixes, above, but I don't see counting those as a problem here).
Let's try that again, to get around the way dashes are handled…
rpm -q --changelog openssl |egrep -c CVE-201[45]
rpm -q --changelog openssl |egrep -c CVE-2015
rpm -q --changelog openssl |egrep -c CVE-20[01][0-9]
"Most infamously, OpenSSL was struck by the Heartbleed bug earlier this year"
Heartbleed was last year, although I admit it doesn't feel that long ago ;)
Whoops. Well spotted.
Doesn't time fly by when you're patching OpenSSL?
Thanks for letting me know of my goof. Now fixed.