DigiCert Blog

OpenSSL Patches Four Security Vulnerabilities

No SSL Certificate management-related actions are needed at this time, but admins should patch the OpenSSL framework as soon as possible.

Just before 9 a.m. MST this morning, developers at OpenSSL released four patched versions—0.9.8zh, 1.0.0t, 1.0.1q, and 1.0.2e—addressing newly disclosed OpenSSL security vulnerabilities. These releases fix a total of four vulnerabilities, three of which were rated as moderate and one rated low.

To see the full list of vulnerabilities, see OpenSSL Security Advisory [3 Dec 2015].

None of the bugs listed affects SSL Certificates; no certificate management-related actions are needed.

IT Administrators should update to the latest instances of OpenSSL:

  • OpenSSL 1.0.2d (and below) users should upgrade to 1.0.2e
  • OpenSSL 1.0.1p (and below) users should upgrade to 1.0.1q
  • OpenSSL 1.0.0s (and below) users should upgrade to 1.0.0t
  • OpenSSL 0.9.8zg (and below) users should upgrade to 0.9.8zh

Source code for the OpenSSL patches is available at OpenSSL Cryptography and SSL/TLS Toolkit.

Reminder to Upgrade Your OpenSSL

OpenSSL will stop supporting OpenSSL versions 1.0.0 and 0.9.8 on December 31, 2015. They anticipate that versions 1.0.0t and 0.9.8zh will be the last releases for these versions; no additional fixes will be released. If you are still using either of these versions, please upgrade to a later version, preferably 1.0.2.
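A small inventory check that turns the upgrade list above and the end-of-life note into code, added here as an example (it is not DigiCert's or the OpenSSL project's code): it parses `openssl version` output, applies OpenSSL's pre-1.1 letter-suffix ordering (so 0.9.8zg sorts before 0.9.8zh), and reports which hosts still need one of the 3 Dec 2015 releases. The host names and version lines are constructed sample data, not a real inventory.

```python
import re
# Minimum patched release per branch; version strings taken from the post.
PATCHED = {(0, 9, 8): "0.9.8zh", (1, 0, 0): "1.0.0t",
           (1, 0, 1): "1.0.1q", (1, 0, 2): "1.0.2e"}
# Branches the post says lose support on December 31, 2015.
EOL_BRANCHES = {(0, 9, 8), (1, 0, 0)}

_VER_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_version(text):
    """Return ((major, minor, fix), letters) from a bare version such as
    '1.0.2d' or an `openssl version` line such as 'OpenSSL 0.9.8zg 11 Jun 2015'."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)

def letter_key(letters):
    """Pre-1.1 patch letters run a..z and then za..zz, so ordering by
    (length, text) gives '' < 'a' < 'z' < 'za' < 'zg' < 'zh'."""
    return (len(letters), letters)

def check_version(text):
    """Classify one installed version against the 3 Dec 2015 releases."""
    branch, letters = parse_version(text)
    target = PATCHED.get(branch)
    if target is None:
        status = "unknown-branch"  # not one of the four lines the advisory covers
    elif letter_key(letters) >= letter_key(parse_version(target)[1]):
        status = "patched"
    else:
        status = "upgrade"
    return {"installed": "%d.%d.%d%s" % (branch + (letters,)),
            "status": status, "target": target, "eol": branch in EOL_BRANCHES}

def audit(hosts):
    """Map each host name to its check_version() result."""
    return {host: check_version(line) for host, line in hosts.items()}

# Constructed sample `openssl version` output for four hosts (not a real inventory).
SAMPLE_HOSTS = {"web-1": "OpenSSL 1.0.2d 9 Jul 2015",
                "web-2": "OpenSSL 1.0.2e 3 Dec 2015",
                "legacy-db": "OpenSSL 0.9.8zg 11 Jun 2015",
                "appliance": "OpenSSL 1.0.1q 3 Dec 2015"}

if __name__ == "__main__":
    for host, r in audit(SAMPLE_HOSTS).items():
        print(host, r["installed"], r["status"], r["target"] or "",
              "branch unsupported after 31 Dec 2015" if r["eol"] else "")
```

Hosts reported as `upgrade` on an `eol` branch should move to 1.0.2 rather than just to the last 0.9.8 or 1.0.0 release.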

Keeping OpenSSL Secure

The OpenSSL community (devoted researchers and security experts) is dedicated to finding and fixing vulnerabilities in the OpenSSL framework; they work with other online software providers and open source developers to keep OpenSSL security strong. Applying patches takes time and effort, but the risks associated with not applying patches are more costly. Take the steps to keep your OpenSSL code secure.


About Jason Sabin

DigiCert's Chief Security Officer, Jason Sabin, develops innovative products and features to simplify SaaS-based digital certificate management. Previously he oversaw Novell's Security Review Board and built their first pen testing teams. He has filed over 50 patents, earning him the "Utah Genius" award.