Awoogah – brown alert: OpenSSL preps 'high severity' security fixes

Developers behind the widely used OpenSSL encryption library have warned that they will issue fixes for a mix of bugs next Tuesday (1 March).

The patches will land right in the middle of the RSA Conference, infosec marketing's version of the Superbowl.

It's understood the bugs are significant (as in, patch as soon as you can) rather than devastating (drop everything, patch this instant). OpenSSL's pre-release advisory alone (extract below) provides few clues to what's coming, other than it rating the worst of the bugs due to be squashed as high severity.

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2g, 1.0.1s.

These releases will be made available on 1st March 2016 between approximately 1300-1700 UTC. They will fix several security defects with maximum severity "high."

Some estimates suggest that up to two-thirds of all web servers use software reliant on open-source OpenSSL, so the technology is hugely significant to the smooth running of the internet.

Security watchers pay very close attention to OpenSSL vulnerabilities, particularly since the infamous Heartbleed attack of April 2014.

The Heartbleed bug meant attackers could read the memory of the systems protected by the vulnerable versions of OpenSSL. Pretty much anything in memory – SSL private keys, user passwords, and more – were at risk of theft as a result.

The latest flaw is more than likely to be significant rather than devastating.

Earlier this month a security audit and code review on OpenSSL by Sirrix AG (and sponsored by the BSI, the German Federal Office for Information Security) uncovered multiple problems in the source code. ®