OpenSSL is scheduled to update two versions of the software this week, patching a pair of vulnerabilities in the process.
The OpenSSL project this morning said the updates will move users to versions 1.0.2f and 1.0.1r and should be available Thursday between 8 a.m. and noon Eastern time.
“They will fix two security defects, one of ‘high’ severity affecting 1.0.2 releases, and one ‘low’ severity affecting all releases,” OpenSSL said in its advisory.
According to the OpenSSL security policy, published in late 2014, high severity vulnerabilities trigger new releases but are less severe than critical bugs. Vulnerabilities are ranked high severity if they occur in less common configurations, OpenSSL said. Critical vulnerabilities, by contrast, affect common configurations, are much easier to exploit, can be attacked remotely, and will leak memory such as private crypto keys.
No specific details about the flaws are available.
OpenSSL was last patched in December when four flaws were fixed in 0.9.8 and 1.0.0, the final security patches for both versions. Versions 1.0.1 and 1.0.2 will receive security support through the end of 2016 and 2019 respectively.
OpenSSL is one of the more widely deployed cryptographic libraries, living in not only homespun applications, but also in commercial software products. Since the discovery of the Heartbleed vulnerability in the spring of 2014, OpenSSL has made massive leaps in cleaning up its code and processes.
Shortly after Heartbleed, funding was funneled in OpenSSL’s direction by the Core Infrastructure Initiative, giving it enough resources to hire its first full-time employees and develop a road map for overhauling critical areas of the code, including the TLS state machine.