The team behind the popular OpenSSL cryptographic library has warned of an impending patch, due for release this Thursday, which fixes an as-yet unreleased serious security vulnerability.
The OpenSSL project hit headlines in April last year when details of the Heartbleed vulnerability were released. The library is used by numerous operating systems and applications to provide encryption, decryption and signing functionality, and versions stretching back to 2011 were found to be vulnerable to a serious flaw that was proven to allow a remote attacker to discover the private key from within the memory of the server without leaving a single trace. The flaw was quickly fixed by the project maintainers following its discovery, but its far-reaching nature led to several forks as dissatisfied users sought to create their own more secure equivalents.
Despite the widespread nature of Heartbleed, and the discovery of another serious vulnerability in June 2014, OpenSSL remains one of the most popular cryptographic libraries around. Unfortunately for its many users, the bad news continues: Matt Caswell, OpenSSL maintainer, has warned that an upcoming release will fix yet another serious vulnerability in the software.
'The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf,' Caswell wrote in an announcement to the project mailing list. 'These releases will be made available on 19th March. They will fix a number of security defects. The highest severity defect fixed by these releases is classified as "high" severity,' Caswell added, referring to the project's top level of severity - equivalent to that given to the Heartbleed attack.
Details of the vulnerability are being kept private until the patched builds are released, to prevent widespread attacks. More information on the nature of the vulnerability is expected to be released alongside the updates on Thursday.