More than ten additional fixes are included in the new build

Mar 19, 2015 16:06 GMT  ·  By

The much-anticipated update to the OpenSSL cryptographic library, announced as fixing an undisclosed high-severity flaw, is now available, and it does not address a Heartbleed-grade bug as some suspected when the initial advisory was published.

The flaw is not in the FREAK or POODLE league either: the only high-severity vulnerability patched is a denial-of-service (DoS) condition affecting version 1.0.2.

Pre-notification is standard procedure for high-severity issues

This is nothing to be disappointed about and should be regarded as very good news, given that the library is integrated into countless software and hardware products and carries a huge share of the secure communication over the web.

As for Monday's advisory, which kept researchers on the edge of their seats: OpenSSL's security policy states that a pre-notification is issued before a release that addresses high-severity problems, and DoS conditions are classified as such, along with significant leaks of server memory and remote code execution.

The better part of the fixes are moderately severe

Identified as CVE-2015-0291, the vulnerability was reported on February 26, 2015, by David Ramos of Stanford University. The fix was developed by Stephen Henson and Matt Caswell of the OpenSSL development team.

“If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server,” reads the description of the vulnerability.

Most of the rest of the fixes included in the current OpenSSL release received the “moderate-severity” label and refer to issues like segmentation faults, null pointer errors and a problem with processing Base64 encoded data.

The bugs disclosed in Thursday's security advisory affect all four supported branches: 0.9.8, 1.0.0, 1.0.1 and 1.0.2. Users are advised to upgrade to the updated versions 0.9.8zf, 1.0.0r, 1.0.1m and 1.0.2a respectively.
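A quick way to check whether an installed build is at or above the fixed release for its branch is to parse the banner printed by `openssl version` and compare the trailing patch letters the way OpenSSL orders them ('' < a < ... < z < za < zb ...). The script below is an added example written for this article; it is not code from the article's author or from the OpenSSL project. The fixed-version table comes from the advisory as summarised above; the sample banners in the `__main__` block are constructed for illustration.

```python
import re
import subprocess

# Fixed releases named in the March 19, 2015 OpenSSL advisory, keyed by branch.
FIXED_RELEASES = {
    (0, 9, 8): "zf",
    (1, 0, 0): "r",
    (1, 0, 1): "m",
    (1, 0, 2): "a",
}

# Matches e.g. "OpenSSL 1.0.1k 8 Jan 2015" or "OpenSSL 0.9.8zf 19 Mar 2015".
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Split an `openssl version` banner into ((major, minor, fix), letters)."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix)), letters


def suffix_key(letters):
    """Sort key for OpenSSL patch letters.

    A longer suffix always sorts later ('z' < 'za' < 'zf'), and within the
    same length plain string order applies, so (len, str) is sufficient.
    """
    return (len(letters), letters)


def is_patched(banner):
    """Return True if the banner is at or above the advisory's fixed release
    for its branch, False if it is older, and None if the branch is not one
    of the four the advisory covers."""
    branch, letters = parse_version(banner)
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return None
    return suffix_key(letters) >= suffix_key(fixed)


def unpatched(banners):
    """Filter a list of banners (e.g. gathered from a fleet) down to the ones
    that still predate the fixed release for their branch."""
    return [b for b in banners if is_patched(b) is False]


if __name__ == "__main__":
    # Constructed sample banners; the dates are illustrative only.
    samples = [
        "OpenSSL 1.0.2 22 Jan 2015",
        "OpenSSL 1.0.2a 19 Mar 2015",
        "OpenSSL 1.0.1k 8 Jan 2015",
        "OpenSSL 0.9.8zf 19 Mar 2015",
    ]
    for b in samples:
        print("%-28s patched=%s" % (b, is_patched(b)))
    print("still unpatched:", unpatched(samples))

    # Check the locally installed binary, if there is one on PATH.
    try:
        local = subprocess.run(["openssl", "version"], capture_output=True,
                               text=True, check=True).stdout.strip()
        print("local:", local, "patched=%s" % is_patched(local))
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("local: no usable openssl binary found")
```

One caveat that matters in practice: several distributions backport security fixes without bumping the upstream version string, so a banner such as "OpenSSL 1.0.1e" on such a system can already contain these fixes. Treat a version-string check as a first pass and confirm against the distribution's own package changelog before declaring a host vulnerable.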

The security advisory on Thursday also reclassified the severity of the FREAK vulnerability (CVE-2015-0204) to "high" from the initial "low."