OpenSSL Releases Patches to Address “Severe” Security Holes

OpenSSL said last Tuesday, March 17, that they plan to release several code fixes address a number of vulnerabilities, which include those that have been classified as “high” severity. There had been speculation building around these vulnerabilities, as the bug was hinted as “the next Heartbleed” according to reports.

The fix was released today, two days after their announcement. Today’s security bulletin noted that the following just-released versions are all secure:

• OpenSSL version 1.0.2a (addresses CVE-2015-0209, CVE-2015-0285, and CVE-2015-0288)
• OpenSSL version 1.0.1m (addresses CVE-2015-0288)
• OpenSSL version 1.0.0r (addresses CVE-2015-0288)
• OpenSSL version 0.9.8zf (addresses CVE-2015-0288)

According to the OpenSSL advisory, these versions are now available for download via HTTP and FTP from the following master locations: http://www.openssl.org/source/ and ftp://ftp.openssl.org/source/.

Server administrators should update their versions of OpenSSL to the appropriate versions, depending on what they have installed.

OpenSSL is one of the most commonly used implementations of Secure Sockets Layer (SSL) (also known as “transport layer security” or TLS), which is the backbone of secure Internet communications today. SSL/TLS allows for communications between computers to be encrypted, preventing traffic from being eavesdropped by attackers. This is essential for any transaction online that requires secrecy and integrity.

OpenSSL is widely available for various Unix-like operating systems (such as Linux and Mac OS X), so any vulnerability could put many secure communications at risk.

We will update this blog post with solutions deployed by Trend Micro Deep Security.