OpenSSL Patches Vulnerabilities

Thursday, December 3, 2015 @ 04:12 PM gHale

OpenSSL Software Foundation released patches today for the open-source cryptographic library. In addition, the foundation said two of its older branches will likely not get any more security updates.

This could be a problem for some enterprise applications that bundle the 0.9.8 or 1.0.0 versions of OpenSSL and for older systems where updates are rare.


OpenSSL 1.0.0t and 0.9.8zh, which were released Thursday, should be the last updates for those two branches, because support for both ends on Dec. 31, as listed in the organization’s release strategy document.

The 1.0.0t and 0.9.8zh releases contain a fix for a moderate-severity memory-leak vulnerability that can be triggered by malformed X509_ATTRIBUTE structures. Version 0.9.8zh also fixes a low-severity race condition in the handling of PSK identity hints.

Versions 1.0.2e and 1.0.1q were also released Thursday to fix two other moderate vulnerabilities, one affecting only the 1.0.2 branch and one affecting both.

Support for the 1.0.1 branch is scheduled to end on Dec. 31, 2016, and for the 1.0.2 branch on Dec. 31, 2019. Applications and systems that still rely on OpenSSL 0.9.8 or 1.0.0 should be updated to one of these branches as soon as possible.
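For teams inventorying hosts against this advisory, the check below (an added example, not code from the article or from OpenSSL) parses `openssl version` output and reports whether the installed build is at or above the fixed release for its branch and whether that branch is still supported on a given date. The patch levels and end-of-support dates are the ones stated above; the sample version strings are constructed, and the letter-suffix ordering (a..z, then za, zb, ...) is assumed to match how the 0.9.8 and 1.0.x branches number their patch releases.

```python
import re
from datetime import date

# Patch levels and support end dates for the four branches named in the advisory.
FIXED_RELEASE = {"0.9.8": "0.9.8zh", "1.0.0": "1.0.0t",
                 "1.0.1": "1.0.1q", "1.0.2": "1.0.2e"}
SUPPORT_ENDS = {"0.9.8": date(2015, 12, 31), "1.0.0": date(2015, 12, 31),
                "1.0.1": date(2016, 12, 31), "1.0.2": date(2019, 12, 31)}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Parse 'openssl version' output such as 'OpenSSL 1.0.1q 3 Dec 2015'.

    Returns (branch, sort_key). Patch letters run a..z and then za, zb, ...,
    so the suffix is compared first by length, then by value:
    '' < 'a' < 'z' < 'za' < 'zh'.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letters = m.groups()
    branch = f"{major}.{minor}.{fix}"
    return branch, (int(major), int(minor), int(fix), len(letters), letters)


def assess(version_text, today):
    """Classify an installed OpenSSL against the December 2015 releases."""
    branch, key = parse_version(version_text)
    if branch not in FIXED_RELEASE:
        # Branch not covered by this advisory (e.g. a newer series).
        return {"branch": branch, "covered": False, "patched": None, "supported": None}
    _, fixed_key = parse_version(FIXED_RELEASE[branch])
    return {
        "branch": branch,
        "covered": True,
        "patched": key >= fixed_key,            # at or above the fixed release
        "supported": today <= SUPPORT_ENDS[branch],
    }


if __name__ == "__main__":
    # Constructed sample output from three hosts, not real inventory data.
    for line in ["OpenSSL 1.0.1q 3 Dec 2015", "OpenSSL 0.9.8zg 11 Jun 2015",
                 "OpenSSL 1.0.2d 9 Jul 2015"]:
        print(line, "->", assess(line, date(2015, 12, 3)))
```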