Another Heartbleed? OpenSSL to get fix for 'high severity security defect'
Patch due on Thursday - brace yourselves
OpenSSL - the open source implementation of SSL and TLS cryptographic protocols - is to receive a new version of its crypto library on Thursday 9 July in order to fix a mystery security problem the OpenSSL Project has labelled "high severity".
The bug apparently affects only versions 1.0.2d and 1.0.1p of the software, and nothing lower: 1.0.0 and 0.9.8 are apparently unaffected.
The information was released by core OpenSSL team member Mark J Cox in an email yesterday, saying: "These releases will be made available on 9 July. They will fix a single security defect classified as high severity."
The exact nature of the security vulnerability is being kept under wraps, presumably to minimise the risk of malicious agents taking advantage of the flaw and launching zero-day attacks.
OpenSSL was hit by the Heartbleed bug earlier in 2015, so there is naturally trepidation in the IT community as to exactly what Cox means by "high severity" in this particular case.
Heartbleed enabled "anyone on the internet" to easily read the memory of systems affected by the vulnerable versions of OpenSSL. Hundreds of thousands of systems were affected.
IT security specialist Graham Cluley said on his blog today:
"Fingers crossed, this new vulnerability in OpenSSL won't be anything like as serious as Heartbleed - but the grading of it as 'high severity' means that it could open the door to various threats: ranging from fairly tame denial-of-service attacks to rather unpleasant remote code execution."
In other words, the security vulnerability could be anything from run-of-the-mill DDoS to another Heartbleed. Computing advises all who may feel they might be affected to keep a keen eye out for the patch on Thursday.