OpenSSL to Patch High Severity Vulnerability
July 9, 2015

System Administrators and anyone else relying on OpenSSL be warned. A single security vulnerability classified as “high severity” has been found. You should be prepared to switch to a new version of the open-source crypto library that will be released today, 9th July.

There are still few details about this vulnerability, except that it does not affect the 1.0.0 or 0.9.8 releases.

“The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p. These releases will be made available on 9th July. They will fix a single security defect classified as ‘high’ severity. This defect does not affect the 1.0.0 or 0.9.8 releases.”


The secrecy surrounding the vulnerability is intended to prevent cybercriminals from exploiting the hole before the fix is released to the public.

There has been speculation that this vulnerability could be another Heartbleed or POODLE, bugs that were considered the worst TLS/SSL vulnerabilities and that may still affect websites on the Internet today.

Here's a little history on both of these bugs, which we reported in previous advisories. Heartbleed, discovered in April last year, was a bug in an earlier version of OpenSSL that allowed hackers to read sensitive contents of victims' encrypted data, including credit card details. It also allowed hackers to steal SSL private keys from Internet servers or client software.

Some months later, another critical flaw, known as POODLE (Padding Oracle On Downgraded Legacy Encryption), was found in the old but widely used SSL 3.0 cryptographic protocol; it allowed hackers to decrypt the contents of encrypted connections.

For more on the high severity vulnerabilities that were fixed in March this year, go here.


Source

1. The Hacker News.

2. InfoWorld (image).