The OpenSSL Software Foundation patched four vulnerabilities in the cryptographic software library on Thursday, likely marking the last time that two older versions of the library will receive updates.
The group announced back in December 2014 that it would cease support for two of OpenSSL branches, 1.0.0 and 0.9.8 at the end of the 2015. Yesterday, in a security advisory, the Foundation said it anticipates this week’s updates will be the last those builds receive.
Project maintainers are urging users of the older branches, which date back to 2010 and 2005, to upgrade to later versions. Users of versions 1.0.1 and 1.0.2 still have some time to find a contingency plan however – the Foundation plans to support the builds until the end of 2016 and the end of 2019 respectively.
OpenSSL Patches Multiple Vulnerabilities: Original release date: December 03, 2015OpenSSL has released updates… https://t.co/IHqY5SFc5b
— US-CERT (@USCERT_gov) December 3, 2015
Three of the four bugs fixed this week are marked moderate, including one which affects a signature verification routine that can be leveraged to crash an operation and be exploited in a denial of service attack.
“Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication,” the advisory says.
Another vulnerability, a memory leakage issue, affects both versions 1.0.0 and 0.9.8, while another, a race condition, affects 1.0.0 — meaning users of those builds will want to update before support ends in four weeks.
The updates graduate version 0.9.8 to 0.9.8zh, version 1.0.0 to 1.0.0t, version 1.0.1 to 1.0.1q, and version 1.0.2 to 1.0.2e.
As Heartbleed demonstrated last year, some companies unknowingly bundle old OpenSSL packages with new ones and keep shoddy records of what’s deployed on their systems – part of the reason it took some several months to determine whether or not their systems were vulnerable to the bug. Just this week researchers at Rapid7 discovered a gateway device manufactured by industrial automation firm Advantech that’s still vulnerable to Heartbleed, a year and a half after the bug was disclosed.