To prevent another Heartbleed, severe OpenSSL flaw to be patched

OpenSSL will be updated Thursday with a number of fixes for previously-undisclosed security flaws, including one that has been rated "high" severity.

In a note to developers, the OpenSSL Project announced that versions 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf will be released Thursday.

See also

How the NSA shot itself in the foot by denying prior knowledge of Heartbleed vulnerability

In admitting it didn't know about a massive security flaw in one of the Web's most used encryption libraries, the NSA inadvertently revealed a massive institutional failure.

Read now

The security vulnerabilities have been withheld in order to prevent widespread and far-reaching attacks.

The update marks the latest series of releases that aims to patch weaknesses in the software.

OpenSSL serves as one of the most popular open-source and widely available toolkits for implementing SSL and TLS. But confidence in the project was shaken after a series of high-profile flaws that threatened thousands of servers, websites, and databases protected by the software.

In April last year, a bug known as Heartbleed was discovered in an earlier version of OpenSSL, which could've allowed an attacker to reveal the contents of encrypted data, such as credit card transactions -- even the SSL keys in question.

Months later, even after the scramble to update servers was over, hundreds of thousands of servers were left vulnerable to the flaw.

More recently, a new flaw dubbed FREAK, allowed an attacker to potentially eavesdrop on encrypted networks by conducting man-in-the-middle attacks.

Almost every company was affected, including Apple and Google mobile devices, BlackBerry devices and cloud services, as well as every version of Windows.

Companies affected by the flaw, including Google, Facebook, and Cisco, rallied around the internet's "core infrastructure" by funding projects like OpenSSL.