OpenSSL team fixes SSLv2 downgrade issue

Jan 28, 2016 22:35 GMT

The OpenSSL project has delivered on its promise made at the start of the week and released versions 1.0.1r and 1.0.2f, which address two security bugs, one labeled as "high severity" and one as a "low severity" issue.

The "low severity" bug fixed in these releases is CVE-2015-3197, which allows attackers to force SSLv3 connections through the less secure SSLv2 version.

According to the OpenSSL project, disabling SSLv2 ciphers on your server won't help: incoming clients can still complete SSL handshakes with the server and establish a not-so-secure connection via SSLv2.

The second issue, labeled "high severity," is CVE-2016-0701, an attack that leverages a Diffie-Hellman (DH) key that some software sometimes reuses.

Attackers could exploit this vulnerability by making multiple connections and searching for the vulnerable key.

Since generating Diffie-Hellman (DH) keys is quite CPU intensive, some software intentionally reuses these keys by design to improve performance. Applying this update and following some of the tips put forward by the OpenSSL team will allow software to safely reuse keys if needed.

This second vulnerability affected only the 1.0.2 branch while the first one, rated as low, impacted both the 1.0.1 and the 1.0.2 release trains.
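As an added example (not from the article or the OpenSSL project), the following audit reads `openssl version` strings and reports, per CVE, whether a build predates 1.0.1r or 1.0.2f, using only the branch mapping stated above. The function names and sample strings are constructed; distribution packages that backport fixes keep their old version strings, so a `needs-update` result there means checking the vendor advisory.

```python
import re

# Fixed release letter per branch and affected branches, as stated in the article.
FIXED = {"1.0.1": "r", "1.0.2": "f"}
AFFECTED = {
    "CVE-2015-3197": ("1.0.1", "1.0.2"),  # low severity, both branches
    "CVE-2016-0701": ("1.0.2",),          # high severity, 1.0.2 only
}
PRERELEASE = ("-dev", "-beta", "-pre")    # snapshots cut before the release
VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+)([a-z]*)(-[0-9A-Za-z]+)?")


def parse_version(text):
    """Return (branch, letter, tag) from e.g. 'OpenSSL 1.0.2e 3 Dec 2015'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return m.group(1), m.group(2), m.group(3) or ""


def audit(text):
    """Map each CVE to 'needs-update', 'fixed', 'not-affected' or 'unknown'."""
    branch, letter, tag = parse_version(text)
    result = {}
    for cve, branches in AFFECTED.items():
        if branch not in FIXED:
            result[cve] = "unknown"       # the article covers 1.0.1 and 1.0.2 only
        elif branch not in branches:
            result[cve] = "not-affected"
        # Letters sort as "", a..z, za, zb, ... so string comparison is enough.
        elif letter > FIXED[branch] or (
            letter == FIXED[branch] and not tag.startswith(PRERELEASE)
        ):
            result[cve] = "fixed"
        else:
            result[cve] = "needs-update"
    return result


if __name__ == "__main__":
    # Constructed sample lines in the format `openssl version` prints.
    for line in ("OpenSSL 1.0.2e 3 Dec 2015", "OpenSSL 1.0.1r 28 Jan 2016",
                 "OpenSSL 1.0.2f-dev xx XXX xxxx", "OpenSSL 0.9.8zh 3 Dec 2015"):
        print(line, "->", audit(line))
```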

As always, the OpenSSL update will trigger similar security releases in all the projects and services that heavily use the library, such as Node.js, Akamai, and many others.