OpenSSL announced Monday that it will release updates to patch a “high severity” vulnerability this Thursday. No further details were given other than that the releases, OpenSSL versions 1.0.1p and 1.0.2d, will fix a “single security defect” that does not impact versions 1.0.0 or 0.9.8, the announcement said.
Flaws allowing server DoS, “a significant leak of server memory,” and remote code execution are all listed by OpenSSL as examples of high severity security issues.
Tim Erlin, director of IT security and risk strategy at Tripwire, told SCMagazine.com via email correspondence that the pre-announcement will give software vendors and end users time to prepare for the update. “A huge part of the heartburn with Heartbleed came from the scramble to identify where organizations were vulnerable and how to apply patches,” he wrote.
Back in April 2014, the Heartbleed vulnerability was discovered in widely used versions of the OpenSSL library.