Sysadmins, brace yourselves: OpenSSL has announced that upcoming security fixes will address a “high” impact flaw.
Every OpenSSL release since the infamous Heartbleed vulnerability [1] of April 2014 has been met with nervous anticipation, and that applies as much to the upcoming 1.0.2h and 1.0.1t releases as to others before them.
The last major flare-up on this front coincided with the DROWN vulnerability, which emerged in early March.
The forthcoming OpenSSL releases, due out next Tuesday, are not accompanied by a logo or a catchy title, de rigueur for serious vulnerabilities for the last two years or so.
This is a good thing.
Experts are nonetheless jokingly being advised to change their passwords and stock up on beans… just in case.
[1] The Heartbleed bug meant attackers could read the memory of the systems protected by the vulnerable versions of OpenSSL. Anything in memory – SSL private keys, user passwords, and more – was at risk of theft as a result.