12-04-2015

OpenSSL Patches Four Security Vulnerabilities

Just before 9 a.m. MST this morning, developers at OpenSSL released four patches—versions 0.9.8zh, 1.0.0t, 1.0.1q, and 1.0.2e—for discovered OpenSSL security vulnerabilities. These patches fix a total of four vulnerabilities, three of which were rated as moderate and one rated low.

To see the full list of vulnerabilities, see OpenSSL Security Advisory [3 Dec 2015].

None of the bugs listed affects SSL Certificates; no certificate management-related actions are needed.

IT Administrators should update to the latest instances of OpenSSL:

  • OpenSSL 1.0.2d (and below) users should upgrade to 1.0.2e
  • OpenSSL 1.0.1p (and below) users should upgrade to 1.0.1q
  • OpenSSL 1.0.0s (and below) users should upgrade to 1.0.0t
  • OpenSSL 0.9.8zg (and below) users should upgrade to 0.9.8zh

Source code for the OpenSSL patches is available at OpenSSL Cryptography and SSL/TLS Toolkit.

Reminder to Upgrade Your OpenSSL

OpenSSL will stop supporting OpenSSL versions 1.0.0 and 0.9.8 on December 31, 2015. They anticipate that versions 1.0.0t and 0.9.8zh will be the last releases for these versions; no additional fixes will be released. If you are still using either of these versions, please upgrade to a later version, preferably 1.0.2.

Keeping OpenSSL Secure

The OpenSSL community (devoted researchers and security experts) is dedicated to finding and fixing vulnerabilities in the OpenSSL framework; they work with other online software provides and open source developers to keep OpenSSL security strong. Applying patches takes time and effort, but risks associated with not applying patches are more costly. Take the steps to keep your OpenSSL code secure.

UP NEXT

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

Featured Stories

VMC Blog Featured Image

Getting Your Logo in Your User's Inbox: Tips Learned from the VMC Gmail Pilot

What Makes Digital Signatures Secure

How Vaccine Passports Could Change Digital Identity