OpenSSL will release security patches tomorrow to fix undisclosed 0-day high-risk Vulnerabilities
OpenSSL officially issued a vulnerability warning, reminding the system administrator to prepare for OpenSSL upgrade. The latest version of OpenSSL will be released on April 9, July 9 (this Thursday) to fix an undisclosed high-risk vulnerability. Many security experts speculate that this high-risk vulnerability may be another "heartbleed" vulnerability ".
Mysterious high-risk 0-Day Vulnerability
OpenSSL is a widely used open-source software library that uses SSL and TLS to provide encrypted Internet connections to most websites.
The OpenSSL Project Team announced on Monday that the new versions of the OpenSSL encryption library 1.0.2d and 1.0.1p will address a security vulnerability located at "high risk.
This mysterious security vulnerability does not affect version 1.0.0 or 0.9.8. No more details are provided. In a list of emails published the day before yesterday, developer Mark J Cox states:
"The OpenSSL Project Team announced that the new OpenSSL versions 1.0.2d and 1.0.1p will be released on July 15, July 9. It is worth noting that both versions have fixed a high-risk vulnerability. However, this vulnerability does not affect version 1.0.0 or 0.9.8 ."
OpenSSL issued an official warning before releasing the new version, probably to prevent hackers from exploiting the vulnerability before the patch is released to the public.
Many security experts speculate that this high-risk vulnerability may be another Heartbleed vulnerability or POODLE vulnerability, which was once considered the worst TLS/SSL Vulnerability, today, people think they are still influencing websites on the Internet.
OpenSSL high-risk vulnerability Review
Heartbleed vulnerability: This vulnerability was discovered in early versions of OpenSSL in last April. It allows hackers to read sensitive content of victim encrypted data, including credit card details, it can even steal the encrypted SSL keys of network servers or client software.
POODLE vulnerability: several months later, another critical vulnerability known as Padding Oracle On Downgraded Legacy Encryption was found in the old but widely used SSL 3.0 Encryption protocol, this vulnerability allows attackers to decrypt encrypted connection content.
OpenSSL fixed a number of high-severity vulnerabilities, including denial of service (CVE-2015-0291) vulnerabilities, in an update in March this year that allowed attackers to attack and crash online services; there is also a FREAK Vulnerability (CVE-2015-0204) that allows attackers to force clients to use weak encryption.
Refer to thehackernews for proper modification. For more information, see FreeBuf hacker and geek.
Provides FTP + SSL/TLS authentication through OpenSSL and implements secure data transmission.
Use OpenSSL to generate certificates in Linux
Use OpenSSL to sign multi-domain certificates
OpenSSL details: click here
OpenSSL: click here
This article permanently updates the link address: