
Awoogah: Get ready to patch 'severe' bug in OpenSSL this Thursday

Heads up for July 9 security vulnerability fix

Sysadmins and anyone else with systems running OpenSSL code: a new version of the open-source crypto library will be released this week to "fix a single security defect classified as 'high' severity."

The bug, we're told, will be addressed in versions 1.0.2d and 1.0.1p of the software. The vulnerability does not affect the 1.0.0 or 0.9.8 series. OpenSSL is a widely used library that provides encrypted HTTPS connections for countless websites, as well as other secure services.

"The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p," wrote developer Mark Cox in an email today.

"These releases will be made available on 9th July. They will fix a single security defect classified as 'high' severity. This defect does not affect the 1.0.0 or 0.9.8 releases."

It's not yet known what exactly the vulnerability is: that would give the game away to attackers hoping to exploit the hole before the patch is released to the public. According to the OpenSSL team, a "high severity" bug includes...

issues affecting common configurations which are also likely to be exploitable. Examples include a server denial-of-service, a significant leak of server memory, and remote code execution. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control, and significantly quicker if there is a significant risk or we are aware the issue is being exploited.

So this week's bug could be anything from a denial-of-service (allowing an attacker to crash an online service) to a Heartbleed-style memory leak to a remote-code execution hole (allowing a miscreant to run malicious code on a vulnerable system).

The most recent high severity bugs were fixed in March: they were a denial-of-service vulnerability (CVE-2015-0291), and a bug that allowed the strength of crypto keys to be weakened (CVE-2015-0204). ®

 
