​Vital OpenSSL patch coming

Get ready to update your servers, an important OpenSSL patch is on its way.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

If you're doing business on the Internet, chances are your servers are using OpenSSL for your Transport Layer Security (TLS) and Secure Sockets Layer (SSL) e-commerce transactions. For example, OpenSSL is used on 98.7 percent of Debian Linux servers.


So, when Mark Cox, senior director of Red Hat product security and a founding OpenSSL member, writes the "OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2f and 1.0.1r, [which] will fix two security defects, one of 'high' severity affecting 1.0.2 releases, and one 'low' severity affecting all releases", I pay attention.

A high severity OpenSSL bug is defined as including "issues that are of a lower risk than critical, perhaps due to affecting less common configurations, or which are less likely to be exploitable. These issues will be kept private and will trigger a new release of all supported versions." This is not as bad as a critical hole but I'll be updating my servers as soon as the patches are available.

We don't know exactly what the patches will fix. Cox declined to add anything further to his announcement. With OpenSSL forming the spine of network and web security, I don't need to know the details to know this is a must-fix bug.

The patches will be made available on 28th January between approximately 1 PM and 5 PM, Coordinated Universal Time (UTC). Sources at Canonical, Red Hat, and SUSE tell me that they'll make these patches available on their Linux distributions on the same day.

In the meantime, if you're still using the older OpenSSL 1.0.0 and 0.9.8 releases: Stop. These versions are no longer supported as of December 31st, 2015 and they will no longer receive security updates.

Editorial standards