New OpenSSL vulnerability could be the next Heartbleed
The OpenSSL Project team has issued a warning about a new "high severity" flaw. More details about it will be released on Thursday.
"The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p. These releases will be made available on 9th July. They will fix a single security defect classified as 'high' severity. This defect does not affect the 1.0.0 or 0.9.8 releases". This alert and update information was released on Monday.
The OpenSSL Project is a global community of volunteers working to develop an open source toolkit that includes the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols as well as a strong general-purpose cryptography library. The toolkit is meant to be full-featured and commercial-grade.
This new alert has the entire industry talking because of the 2014 connection between OpenSSL and Heartbleed. In 2014, security engineers at Codenomicon found a bug that could give hackers access to all user passwords. But that wasn't the end of the story. The bug could also allow hackers to trick users into using fake versions of popular websites.
That bug was then called Heartbleed. It affected most of the Internet.
Tim Erlin, director of IT security and risk strategy at the advanced threat protection firm Tripwire, says: "A huge part of the heartburn with Heartbleed came from the scramble to identify where organizations were vulnerable and how to apply patches. In this case, a little organization can go a long way to a smoother patching cycle".
Erlin further says: "Software vendors who use OpenSSL can be prepared to patch their code and ship new versions faster, and end-users can inventory where they have OpenSSL and set up appropriate testing environments ahead of time".
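As an added illustration of the inventory step (not code from the OpenSSL Project or Tripwire), the sketch below triages `openssl version` banners against the fixed releases named in the announcement. The host names and banners are constructed, and it assumes any earlier release on the 1.0.1 or 1.0.2 branch should be scheduled for upgrade, since the announcement does not say which earlier releases carry the defect.

```python
import re

# Fixed releases named in the announcement; 1.0.0 and 0.9.8 are stated as unaffected.
FIXED = {"1.0.1": "p", "1.0.2": "d"}
UNAFFECTED = {"1.0.0", "0.9.8"}

# Matches banners such as "OpenSSL 1.0.1e-fips 11 Feb 2013".
BANNER = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def letter_rank(letters):
    """Order letter releases: '' < a < ... < z < za < zb (length first, then text)."""
    return (len(letters), letters)


def triage(banner):
    """Classify one version banner as has-fix, upgrade, not-affected or unknown."""
    match = BANNER.search(banner)
    if not match:
        return "unknown"  # not an OpenSSL banner (for example a fork)
    branch, letters = match.groups()
    if branch in UNAFFECTED:
        return "not-affected"
    if branch in FIXED:
        # Assumption: anything older than the fixed release on these branches
        # is queued for upgrade, because the advance notice names no range.
        if letter_rank(letters) >= letter_rank(FIXED[branch]):
            return "has-fix"
        return "upgrade"
    return "unknown"  # branch not mentioned in the announcement


def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = {
    "web-01": "OpenSSL 1.0.1k 8 Jan 2015",
    "web-02": "OpenSSL 1.0.2d 9 Jul 2015",
    "vpn-01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "legacy-01": "OpenSSL 0.9.8zh 3 Dec 2015",
    "mail-01": "LibreSSL 2.2.0",
}

if __name__ == "__main__":
    for host, status in sorted(report(SAMPLE).items()):
        print(f"{host:10} {status}")
```

Distribution packages often backport fixes without changing the banner, so a host flagged `upgrade` should also be checked against the vendor's package version.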
Published under license from ITProPortal.com, a Net Communities Ltd Publication. All rights reserved.