OpenSSL Releases Patch This Week For High-Risk Vulnerability
The project team behind OpenSSL is patching two vulnerabilities this week, including one rated 'high' in severity, which is one level below 'critical'. It is not yet clear which vulnerabilities are involved.
The versions that should fix the vulnerabilities are 1.0.2f and 1.0.1r, which will be available on Thursday. No additional details are known beyond the fact that the two vulnerabilities are rated 'high' and 'low'. OpenSSL uses four levels to estimate the severity of a vulnerability, with 'low' being the lowest level and 'critical' the highest. Updating once the patch is available is therefore recommended.
OpenSSL hit the headlines in April 2014 because of the critical Heartbleed bug, which made it possible to read the internal memory of a web server. Vulnerabilities in OpenSSL often have a major impact. For example, the software is found on more than 98 percent of all Debian machines; Debian is a Linux distribution that is popular for use on servers. These machines use OpenSSL to offer secure SSL and TLS connections. Google has been using a fork of the software called BoringSSL since 2014.