OpenSSL Patches Four Security Vulnerabilities

December 3, 2015 Jason Sabin

Just before 9 a.m. MST this morning, developers at OpenSSL released four patches—versions 0.9.8zh, 1.0.0t, 1.0.1q, and 1.0.2e—for discovered OpenSSL security vulnerabilities. These patches fix a total of four vulnerabilities, three of which were rated as moderate and one rated low.

To see the full list of vulnerabilities, see OpenSSL Security Advisory [3 Dec 2015].

None of the bugs listed affects SSL Certificates; no certificate management-related actions are needed.

IT Administrators should update to the latest instances of OpenSSL:

  • OpenSSL 1.0.2d (and below) users should upgrade to 1.0.2e
  • OpenSSL 1.0.1p (and below) users should upgrade to 1.0.1q
  • OpenSSL 1.0.0s (and below) users should upgrade to 1.0.0t
  • OpenSSL 0.9.8zg (and below) users should upgrade to 0.9.8zh

Source code for the OpenSSL patches is available at OpenSSL Cryptography and SSL/TLS Toolkit.

Reminder to Upgrade Your OpenSSL

OpenSSL will stop supporting OpenSSL versions 1.0.0 and 0.9.8 on December 31, 2015. They anticipate that versions 1.0.0t and 0.9.8zh will be the last releases for these versions; no additional fixes will be released. If you are still using either of these versions, please upgrade to a later version, preferably 1.0.2.

Keeping OpenSSL Secure

The OpenSSL community (devoted researchers and security experts) is dedicated to finding and fixing vulnerabilities in the OpenSSL framework; they work with other online software provides and open source developers to keep OpenSSL security strong. Applying patches takes time and effort, but risks associated with not applying patches are more costly. Take the steps to keep your OpenSSL code secure.

Previous Article
Moving Beyond 1024-Bit Encryption
Moving Beyond 1024-Bit Encryption

An increase in computing power suggests that 1024-bit encryption is no longer secure enough to protect comp...

Next Article
A Look at Google’s Accelerated Mobile Pages
A Look at Google’s Accelerated Mobile Pages

The benefits of Google’s new project AMP are obvious, but the concerns warrant careful attention as well.