OpenSSL Severe Vulnerability to be Revealed March 19th

The OpenSSL project has announced that on March 19th they will be releasing updates to address what they are referring to as a "highest severity defect" affecting all of their supported versions. Details of the vulnerability are being kept under embargo until the patches are released, though this time the OpenSSL has had the courtesy to disclose the issue to the LibreSSL core team. Here's a snippet from the OpenSSL security policy on high security vulnerabilities:

high severity issues. This includes issues affecting common configurations which are also likely to be exploitable. Examples include a server DoS, a significant leak of server memory, and remote code execution. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control, and significantly quicker if there is a significant risk or we are aware the issue is being exploited.

There is speculation on social media that the lead time on this vulnerability means that it will have "a dope logo" to accompany its disclosure. This incident also represents a chance to see how far LibreSSL's fork has come relative to the parent OpenSSL codebase. It would be an encouraging indicator of LibreSSL's progress if this particular defect has managed to already have been pre-emptively removed from their code.

One thought on “OpenSSL Severe Vulnerability to be Revealed March 19th

  1. It's frustrating, I simply don't trust my own server anymore. I wish they would stop discovering so dramatic bugs. Thanks for reporting this, considering it's not exactly bitcoin news. useful information.

Leave a Reply to Oh not again Cancel reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>