The OpenSSL Foundation is set to release a handful of patches for undisclosed security vulnerabilities in its widely used open source software later this week, including one that has been rated "high" severity.
In a mailing list
note published last night, Matt Caswell
of the OpenSSL Project Team announced that OpenSSL versions 1.0.2a
, and 0.9.8zf
will be released Thursday.
"These releases will be made available on 19th March," Caswell wrote. "They will fix a number of security defects. The highest severity defect fixed by these releases is classified as "high" severity."
OpenSSL is an open-source implementation of the SSL and TLS protocols. It's a technology that's widely used by almost every websites to encrypt web sessions, even the Apache web server that powers almost half of the websites over the Internet utilizes OpenSSL.
Further details on the mystery security vulnerabilities (CVE-2015-0209, CVE-2015-0285, CVE-2015-0288) are unavailable at this time, although some industry experts have speculated that this high severity flaw could be another POODLE or Heartbleed bug, worst TLS/SSL flaws that are still believed to be affecting websites on Internet today.
Heartbleed was discovered in April last year in an earlier version of OpenSSL, which allowed hackers to read the sensitive contents of users' encrypted data, such as credit card transactions and even steal SSL keys from Internet servers or client software.
Also, in June the same year a serious Man-in-the-Middle (MITM) vulnerability was discovered and fixed by the OpenSSL Project Team. However, the vulnerability wasn't quite as severe as the Heartbleed flaw, but it's serious enough to decrypt, read or manipulate the encrypted data, particularly affecting Android users.
Months later, another critical flaw, POODLE -- Padding Oracle On Downgraded Legacy Encryption -- was discovered in the decade old but widely used Secure Sockets Layer (SSL) 3.0 cryptographic protocol that could allowed hackers to decrypt the contents of encrypted connections to websites.
More recently, a new flaw, dubbed FREAK -- Factoring Attack on RSA-EXPORT Keys -- discovered that allowed an attacker to force SSL clients including OpenSSL, to downgrade to weaken ciphers that can be easily broken, potentially allowing them to eavesdrop on encrypted networks by conducting Man-in-the-Middle attacks.
Almost every big brand was affected by the dangerous FREAK flaw, including Apple and Android smartphone devices, BlackBerry devices and cloud services, as well as every version of Windows operating system.
So, OpenSSL is an important software project and is ranked first under the Linux Foundation’s Core Infrastructure Initiative given its widespread use and lack of in-depth security review.
Major companies, including Google, Facebook, and Cisco, are funding the Internet's "Core Infrastructure Initiative
," a US$2 Million-a-year project dedicated to supporting and auditing open-source projects.