Just before 9 a.m. MST this morning, developers at OpenSSL released four patches—versions 0.9.8zh, 1.0.0t, 1.0.1q, and 1.0.2e—for discovered OpenSSL security vulnerabilities. These patches fix a total of four vulnerabilities, three of which were rated as moderate and one rated low.
To see the full list of vulnerabilities, see OpenSSL Security Advisory [3 Dec 2015].
None of the bugs listed affects SSL Certificates; no certificate management-related actions are needed.
IT Administrators should update to the latest instances of OpenSSL:
- OpenSSL 1.0.2d (and below) users should upgrade to 1.0.2e
- OpenSSL 1.0.1p (and below) users should upgrade to 1.0.1q
- OpenSSL 1.0.0s (and below) users should upgrade to 1.0.0t
- OpenSSL 0.9.8zg (and below) users should upgrade to 0.9.8zh
Source code for the OpenSSL patches is available at OpenSSL Cryptography and SSL/TLS Toolkit.
Reminder to Upgrade Your OpenSSL
OpenSSL will stop supporting OpenSSL versions 1.0.0 and 0.9.8 on December 31, 2015. They anticipate that versions 1.0.0t and 0.9.8zh will be the last releases for these versions; no additional fixes will be released. If you are still using either of these versions, please upgrade to a later version, preferably 1.0.2.
Keeping OpenSSL Secure
The OpenSSL community (devoted researchers and security experts) is dedicated to finding and fixing vulnerabilities in the OpenSSL framework; they work with other online software provides and open source developers to keep OpenSSL security strong. Applying patches takes time and effort, but risks associated with not applying patches are more costly. Take the steps to keep your OpenSSL code secure.