It seems that ever since the Heartbleed bug was published earlier this Spring, OpenSSL just hasn't been able to catch a break. Today, it was announced that seven additional vulnerabilities had been discovered affecting OpenSSL 0.9.8, 1.0.0, 1.0.1, and 1.0.2 (meaning all versions, basically).

At least one of the bugs, a man-in-the-middle attack referred to as CCS injection (detailed here and here), has been dubbed "serious" by the team. Updated versions of OpenSSL have been published today patching these vulnerabilities, including new versions of OpenSSL 0.9.8, 1.0.0, and 1.0.1. The 1.0.2 beta release has not been updated and is still currently vulnerable.

Anyone running an affected version is advised to upgrade as soon as possible, though that's probably self-explanatory at this point.
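The CCS injection bug the article mentions is a handshake-state problem: in TLS a ChangeCipherSpec record is only meaningful once the handshake has reached the point where keys have been agreed. The following is an added example, not code from the article or from OpenSSL: a defender-side record checker that walks one connection's TLS records in wire order and flags a ChangeCipherSpec that arrives before the ClientKeyExchange (or, for a resumed session, before a ServerHello that echoes the client's session ID). Record and handshake layouts follow RFC 5246; the TLS 1.3 compatibility CCS is out of scope; every sample record is constructed by hand rather than taken from a capture.

```python
"""Flag a ChangeCipherSpec (CCS) record that arrives before the TLS
handshake has reached the point where it is legitimate.  Added example,
not OpenSSL code; layouts follow RFC 5246, sample records are constructed."""
import struct
from typing import Iterator, List, Tuple

CONTENT_CCS = 20           # record-layer content type: ChangeCipherSpec
CONTENT_HANDSHAKE = 22     # record-layer content type: Handshake
HS_CLIENT_HELLO = 1
HS_SERVER_HELLO = 2
HS_CLIENT_KEY_EXCHANGE = 16
TLS_1_2 = 0x0303


def parse_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Split a raw TLS byte stream into (content_type, payload) records."""
    off = 0
    while off < len(data):
        if off + 5 > len(data):
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        yield ctype, body
        off += 5 + length


def handshake_messages(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (handshake_type, body) for each message inside a handshake record."""
    off = 0
    while off < len(payload):
        hs_type = payload[off]
        hs_len = int.from_bytes(payload[off + 1:off + 4], "big")
        yield hs_type, payload[off + 4:off + 4 + hs_len]
        off += 4 + hs_len


def hello_session_id(body: bytes) -> bytes:
    """Session ID from a ClientHello/ServerHello body: version(2) random(32) len(1) id."""
    return body[35:35 + body[34]]


def audit_flow(flow: List[Tuple[str, bytes]]) -> List[str]:
    """Return findings for one connection given [(direction, raw_bytes), ...].

    A CCS is legitimate once a ClientKeyExchange has been seen (full
    handshake) or once the ServerHello echoed the client's non-empty
    session ID (abbreviated handshake).  Anything earlier is reported.
    """
    findings: List[str] = []
    client_sid = b""
    ccs_allowed = False
    for direction, raw in flow:
        for ctype, body in parse_records(raw):
            if ctype == CONTENT_HANDSHAKE:
                for hs_type, hs_body in handshake_messages(body):
                    if hs_type == HS_CLIENT_HELLO:
                        client_sid = hello_session_id(hs_body)
                    elif hs_type == HS_SERVER_HELLO:
                        if client_sid and hello_session_id(hs_body) == client_sid:
                            ccs_allowed = True      # session resumption
                    elif hs_type == HS_CLIENT_KEY_EXCHANGE:
                        ccs_allowed = True          # keys agreed, CCS may follow
            elif ctype == CONTENT_CCS and not ccs_allowed:
                findings.append(f"early ChangeCipherSpec from {direction}")
    return findings


# --- constructed sample records (hand-built, not a real capture) -----------
def record(ctype: int, payload: bytes) -> bytes:
    return struct.pack("!BHH", ctype, TLS_1_2, len(payload)) + payload


def handshake(hs_type: int, body: bytes) -> bytes:
    return record(CONTENT_HANDSHAKE, bytes([hs_type]) + len(body).to_bytes(3, "big") + body)


def hello_body(session_id: bytes) -> bytes:
    return struct.pack("!H", TLS_1_2) + b"\x00" * 32 + bytes([len(session_id)]) + session_id


CCS = record(CONTENT_CCS, b"\x01")

NORMAL_FLOW = [  # full handshake: CCS only after ClientKeyExchange
    ("client", handshake(HS_CLIENT_HELLO, hello_body(b""))),
    ("server", handshake(HS_SERVER_HELLO, hello_body(b"\x11" * 4))),
    ("client", handshake(HS_CLIENT_KEY_EXCHANGE, b"\x00" * 8) + CCS),
    ("server", CCS),
]
EARLY_CCS_FLOW = [  # CCS right after ServerHello with no resumption: two findings
    ("client", handshake(HS_CLIENT_HELLO, hello_body(b""))),
    ("server", handshake(HS_SERVER_HELLO, hello_body(b"\x11" * 4)) + CCS),
    ("client", CCS),
]
RESUMED_FLOW = [  # abbreviated handshake: ServerHello echoes the session ID
    ("client", handshake(HS_CLIENT_HELLO, hello_body(b"\x22" * 4))),
    ("server", handshake(HS_SERVER_HELLO, hello_body(b"\x22" * 4)) + CCS),
    ("client", CCS),
]

if __name__ == "__main__":
    for name, flow in [("normal", NORMAL_FLOW), ("early", EARLY_CCS_FLOW), ("resumed", RESUMED_FLOW)]:
        print(name, audit_flow(flow) or "clean")
```

The resumption branch is there to keep the check from firing on every abbreviated handshake, which is the false positive a naive "CCS before ClientKeyExchange" rule produces; the version field is parsed and ignored, so the same walk works for SSLv3 through TLS 1.2 streams.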

OpenSSL via CloudFlare

David Ruddock
David's phone is whatever is currently sitting on his desk. He is an avid writer, and enjoys playing devil's advocate in editorials, and reviewing the latest phones and gadgets. He also doesn't usually write such boring sentences.

  • Matt

    Are my passwords safe or do I have to go to like 40 sites and change them again?

    • Sir_Brizz

      Your passwords could only have been taken via a man in the middle attack, so not likely.

  • mgamerz

    Impending OSX update for me...

  • Miguel Ripoll

    This shit is becoming serious. All companies should stop using the library if they don't contribute to it.

  • Jeremy Martin

    RHEL and Oracle already have the patches queued up and ready for users to update.

  • Matthew Fry

    Glad to see this extremely prevalent technology getting more solid.

  • Sir_Brizz

    Only one of these vulnerabilities is that serious. Almost nobody uses DTLS (definitely not on Android) which knocks four of them out. One of them has to do with an OpenSSL flag that is essentially never enabled (has to be explicitly enabled), so that is out.

    The last one is a MITM that requires both a compromised client AND a compromised server. While serious, it doesn't seem like a huge concern as sysadmins patch up servers. It also only affects one server version (1.0.1) and updates are available for every distro.

    Your chances of this affecting you are next to nothing. This isn't even in the same galactic neighborhood as Heartbleed on the severity scale.

    • http://www.androidpolice.com/ Artem Russakovskii

      I meant the fallout in the "Heartbleed happened, and now all these other vulnerabilities are coming to light thanks to that and the security checks being done to the code because of Heartbleed."

      • Sir_Brizz

        Oh I wasn't necessarily saying you wrote anything wrong. I was just trying to clarify the issues so people won't freak out 😁

  • http://www.youtube.com/crisr82 Kristian Ivanov

    Upgrade as soon as possible -> IF whoever made your device allows you to

  • black

    This is great news. Patch, patch, patch! ^_^