OpenSSL patches "high" severity flaws in latest release

The update fixes a vulnerability rated "high", the top severity in this release, which could let an attacker mount a denial-of-service attack against a server running the 1.0.2 branch.


Two "high" severity flaws have been fixed in the latest version of OpenSSL.

The development project released versions 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf on Thursday after a number of flaws were reported privately.


One of the two "high" severity flaws affects only the 1.0.2 branch: a malicious client can trigger a crash in the server during the handshake, taking the service down (a denial of service) without needing any credentials.

The second flaw, which lets a client silently accept an export-grade RSA key it never asked for, was initially classified as "low" severity when it was fixed in January. The project raised it to "high" after recent studies showed that server support for RSA export ciphersuites is far more common than first thought, which is what made the FREAK downgrade attack practical.
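The two checks an operator would want after reading this are whether the OpenSSL they run is at or past the fixed releases named above, and whether the library still offers the export-grade RSA ciphersuites that make the downgrade possible. The script below is an added example written for this article, not code from the OpenSSL project. It parses version banners of the form `OpenSSL 1.0.1e-fips 11 Feb 2013` (the letter suffix is OpenSSL's patch level, so `0.9.8zf` sorts after `0.9.8z`), and it interrogates the OpenSSL that Python's `ssl` module is linked against; the sample banners are constructed for illustration.

```python
import re
import ssl

# Fixed releases from the March 2015 advisory, keyed by branch.
FIXED_RELEASES = {
    (1, 0, 2): "a",
    (1, 0, 1): "m",
    (1, 0, 0): "r",
    (0, 9, 8): "zf",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Constructed sample banners (not real hosts), as `openssl version` would print them.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.2a 19 Mar 2015",
    "OpenSSL 0.9.8ze 15 Jan 2015",
]


def parse_version(text):
    """Return ((major, minor, fix), letters) from a version banner or raise ValueError."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    branch = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return branch, m.group(4)


def is_patched(text):
    """True when the banner is at or past the fixed release of its branch.

    Letter suffixes compare lexicographically, which matches OpenSSL's ordering:
    '' < 'a' < ... < 'z' < 'za' < ... < 'zf'. Branches newer than 1.0.2 postdate
    this advisory; older unlisted branches were out of support and are treated as
    unpatched.
    """
    branch, letters = parse_version(text)
    if branch in FIXED_RELEASES:
        return letters >= FIXED_RELEASES[branch]
    return branch > (1, 0, 2)


def ciphers_for(spec):
    """Names of the suites the linked OpenSSL selects for an OpenSSL cipher string."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def export_ciphers_offered():
    """Export-grade suites the linked library can still negotiate; [] if none exist."""
    try:
        return ciphers_for("EXPORT")
    except ssl.SSLError:
        return []


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print("%-35s patched: %s" % (banner, is_patched(banner)))
    print("local library:", ssl.OPENSSL_VERSION, "patched:", is_patched(ssl.OPENSSL_VERSION))
    print("export suites offered locally:", export_ciphers_offered() or "none")
    # A cipher string that excludes export suites and anonymous key exchange outright.
    print("suites for HIGH:!aNULL:!EXPORT:", len(ciphers_for("HIGH:!aNULL:!EXPORT")))
```

Two caveats apply. Distributions such as Debian and Red Hat backport fixes without bumping the version letter, so a "not patched" verdict from the banner is a prompt to read the package changelog, not proof of exposure. And the cipher check only tells you about the local library; to probe a remote server for export support, run `openssl s_client -connect host:443 -cipher 'EXPORT'` and see whether the handshake completes.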

A total of 12 vulnerabilities were patched in this release.

OpenSSL is one of the most widely used open-source toolkits for implementing SSL and TLS. It is deployed at some of the largest and best-known services, including Facebook, Google, and Yahoo, and across the federal government.

Although most developers and operators are only finding out now, major vendors are said to have been given advance notice so they could patch their systems before details of the flaws were published.

Confidence in the open-source project is rebuilding after a series of high-profile flaws threatened thousands of servers, websites, and databases protected by the software.

In April last year, a bug known as Heartbleed was found in earlier versions of OpenSSL. It let an attacker read chunks of a server's memory over the network, which could expose data such as credit card transactions and even the server's private SSL keys. The flaw had gone undetected in the code for about two years.

More recently, a flaw dubbed FREAK let a man-in-the-middle attacker downgrade a connection to weak, export-grade RSA encryption that can be broken, allowing the attacker to eavesdrop on supposedly encrypted traffic.