OpenSSL preps fix for mystery high severity hole
Speculation builds about heir to Heartbleed or pal for POODLE
The OpenSSL Project will repair a "high severity" security hole in updates due Thursday.
Information is thin on the ground. El Reg has asked OpenSSL for more details to help admins prepare for the patching.
The hole will be patched as part of a series of fixes that will land on 19 March and apply to versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
British OpenSSL staffer Matt Caswell announced the existence of the vulnerability in a mailing list note.
"They (the patches) will fix a number of security defects," Caswell says.
"The highest severity defect fixed by these releases is classified as 'high' severity."
No further information is offered and industry types had not yet heard of further details.
That creepy feeling of living for three more days with a known "high" vuln in your OpenSSL stack. Welcome to software written in C.— andreasdotorg (@andreasdotorg) March 16, 2015
The flaw comes as a significant audit kicks off into OpenSSL under a US$1.2 million industry commitment to harden open source technologies.
OpenSSL is first off the rank under the Linux Foundation’s Core Infrastructure Initiative given its widespread use and lack of in-depth security review.
In January the OpenSSL Project squashed eight security holes including problems with certificates and denial of service. ®
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Patch Tuesday
- Trusted Platform Module
- Zero Day Initiative
- Zero trust