The OpenSSL project announced on Thursday (April 28) upcoming
security fixes for several vulnerabilities affecting the crypto library.
Every OpenSSL release since the infamous Heartbleed
vulnerability of April 2014 has been met with nervous anticipation, and that
applies as much to the upcoming 1.0.2h and 1.0.1t releases, which will be published on May 3
between 12:00 and 15:00 UTC. These releases will patch several flaws, including
ones rated 'high severity'.
Issues with a high severity rating affect less common
configurations or are less likely to be exploitable. The forthcoming releases
are due out next Tuesday. They are not accompanied by any logo or
catchy title.
OpenSSL versions 1.0.0 and 0.9.8 are no longer supported and
will not receive any security updates. Support for version 1.0.1 will end
on December 31, 2016.
These updates will be the third round of security fixes this year. In January,
the project released versions 1.0.2f and 1.0.1r to address a high severity flaw
that allowed attackers to obtain information usable to decrypt secure
traffic, and a low severity SSLv2 cipher issue.
The last major flare-up on this front coincided with the
DROWN vulnerability, which emerged last month, in March. DROWN is a serious flaw
that can be exploited to crack encrypted communications; at the time of disclosure it
affected a quarter of the top one million HTTPS domains and one-third of all HTTPS
websites.