OpenSSL releases important security update on December 8th
Written by: Valerie Dawson
Next Tuesday, December 8th, an important security update for OpenSSL will be released, as announced by the OpenSSL Project Team. OpenSSL version 1.1.1i will fix one or more vulnerabilities whose impact has been marked as "high". Rarely are vulnerabilities with such an impact found in OpenSSL.
A new version of the software is released several times a year, fixing security vulnerabilities, among other things. OpenSSL uses four levels to rate the impact of vulnerabilities: low, moderate, high and critical. For vulnerabilities rated high or critical, the OpenSSL team releases a new version. Vulnerabilities in the other two categories are fixed during scheduled updates.
Critical vulnerabilities allow attackers, for example, to take over servers or steal the server's private keys, which can be used to decrypt encrypted traffic. This allows attackers to steal all kinds of sensitive data. This is also possible with vulnerabilities rated high, but abuse may be more difficult or may only affect systems with certain configurations.
The last OpenSSL vulnerability whose impact was rated high dates back to April this year, and it was the first vulnerability rated high in three years. The vulnerability made it possible to carry out denial-of-service attacks against servers.
In 2018 and 2019, no vulnerabilities in the high category were discovered. Details about the problem to be patched next week have not yet been disclosed. OpenSSL version 1.1.1i will be released next Tuesday, December 8th, between 14:00 and 18:00 Dutch time.
OpenSSL is one of the most widely used software libraries for encrypting Internet connections. Websites use it, for example, to encrypt traffic to and from visitors. Vulnerabilities in OpenSSL can have far-reaching consequences for the internet, as the Heartbleed bug has shown in the past.