The OpenSSL project team has sent a rather cryptic alert that it will be patching a high severity bug this Thursday, July 9.
The announcement is terse: “The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p. These releases will be made available on 9th July. They will fix a single security defect classified as “high” severity. This defect does not affect the 1.0.0 or 0.9.8 releases.”
Unfortunately, the mystery bug is likely to be a big deal. OpenSSL is a security standard encrypting communications between users and the servers provided by a majority of online services. As such, it’s a basic component of a wide swath of the web, affecting various applications and systems, and even embedded devices. That’s one of the reasons why the Heartbleed flaw took months and months to patch even after an update was released.
Heartbleed, a mistake written into OpenSSL, made it viable for hackers to extract data from massive databases containing user names, passwords, private data and so on.
According to OpenSSL’s security policy, “high-severity” flaws are those that affect common configurations and are likely to be exploitable. These can range from server denial-of-service to significant leak of server memory to remote code execution.
“This type of a pre-announcement is intended to give organizations a chance to prepare,” Tim Erlin, director of IT security and risk strategy at Tripwire, said via email. “A huge part of the heartburn with Heartbleed came from the scramble to identify where organizations were vulnerable and how to apply patches. In this case, a little organization can go a long way to a smoother patching cycle. Software vendors who use OpenSSL can be prepared to patch their code and ship new versions faster, and end-users can inventory where they have OpenSSL and set up appropriate testing environments ahead of time.”