OpenSSL preps fix for mystery high severity hole

The OpenSSL Project will repair a "high severity" security hole in updates due Thursday.

Information is thin on the ground. El Reg has asked OpenSSL for more details to help admins prepare for the patching.

The hole will be patched as part of a series of fixes that will land on 19 March and apply to versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

British OpenSSL staffer Matt Caswell announced the existence of the vulnerability in a mailing list note.

"They (the patches) will fix a number of security defects," Caswell says.

"The highest severity defect fixed by these releases is classified as 'high' severity."

No further information is offered and industry types had not yet heard of further details.

That creepy feeling of living for three more days with a known "high" vuln in your OpenSSL stack. Welcome to software written in C.

— andreasdotorg (@andreasdotorg) March 16, 2015

Already some IT bods are speculating the new bug could be the next Heartbleed vulnerability.

The flaw comes as a significant audit kicks off into OpenSSL under a US$1.2 million industry commitment to harden open source technologies.

OpenSSL is first off the rank under the Linux Foundation’s Core Infrastructure Initiative given its widespread use and lack of in-depth security review.

In January the OpenSSL Project squashed eight security holes including problems with certificates and denial of service. ®