Apr 29 2016

OpenSSL: Fixes for Severe Bugs Ahead

Since the days of Heartbleed, developers working for the OpenSSL project and their customers have become pretty sensitive to any security issue that may pop up along the way. Meanwhile, security patches are handed out on a more regular basis (roughly every three months or faster if necessary) – and the next one is due next week.

According to the official notification, the project will offer two new versions of OpenSSL – dubbed 1.0.1t and 1.0.2h respectively – this upcoming Tuesday (May 3) between 1:00 PM and 4:00 PM CET. Both are intended to fix various vulnerabilities with a "high severity" rating – by definition, the second-worst class of OpenSSL flaws. So far, it's unclear which bugs will be eliminated; more information should be available from the project's Newslog page on the day of the planned release. More information about previous vulnerabilities and the project's security policy is available here and here.

If you're still wondering about the importance of OpenSSL security fixes, the following story may help you assess the situation: Two years ago, the Heartbleed bug caused a major upheaval among users and companies who had been working with vulnerable versions of OpenSSL for years, unaware that a missing bounds check could expose secret encryption keys and the private keys of server certificates, as well as mail and message content. Last week, security experts at heise online – Germany's leading IT news service – found that their country's government, or more precisely its Federal Ministry of Transport and Digital Infrastructure, was still operating a web server that was susceptible to Heartbleed. On Monday, April 25, they informed the government's CERT team, and from there it took until Thursday before the flawed server was finally upgraded. But that was only the first step; the second one, revoking and replacing the old server certificate, was only carried out earlier this morning. In other words, criminal attackers could have easily gained access to certificate and encryption keys and set up a fake server – not exactly the best type of marketing for a ministry that counts IT security among its core responsibilities.
