Just before 9 a.m. MST this morning, developers at OpenSSL released four patches—versions 0.9.8zh, 1.0.0t, 1.0.1q, and 1.0.2e—for discovered OpenSSL security vulnerabilities. These patches fix a total of four vulnerabilities, three of which were rated as moderate and one rated low.
To see the full list of vulnerabilities, see OpenSSL Security Advisory [3 Dec 2015].None of the bugs listed affects SSL Certificates; no certificate management-related actions are needed.
IT Administrators should update to the latest instances of OpenSSL:
Source code for the OpenSSL patches is available at OpenSSL Cryptography and SSL/TLS Toolkit.
OpenSSL will stop supporting OpenSSL versions 1.0.0 and 0.9.8 on December 31, 2015. They anticipate that versions 1.0.0t and 0.9.8zh will be the last releases for these versions; no additional fixes will be released. If you are still using either of these versions, please upgrade to a later version, preferably 1.0.2.
The OpenSSL community (devoted researchers and security experts) is dedicated to finding and fixing vulnerabilities in the OpenSSL framework; they work with other online software provides and open source developers to keep OpenSSL security strong. Applying patches takes time and effort, but risks associated with not applying patches are more costly. Take the steps to keep your OpenSSL code secure.