An update to the widely used OpenSSL crypto library will come out Thursday, July 9th. The new versions of OpenSSL, versions 1.0.2d and 1.0.1p, address a single security vulnerability classified as “high severity,” the OpenSSL Project Team announced on Monday. Few other details about the vulnerability are available yet, beyond the fact that it does not affect the 1.0.0 or 0.9.8 series.
“The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p,” developer Mark J Cox announced in a mailing list note published yesterday.
“These releases will be made available on 9th July. They will fix a single security defect classified as ‘high’ severity. This defect does not affect the 1.0.0 or 0.9.8 releases.”
The announcement of the new OpenSSL versions was kept as brief as possible, to avoid giving attackers anything to work with before the fix is released to the public.
Some security experts have speculated that this high severity bug could be on the scale of Heartbleed or POODLE, which were considered the worst TLS/SSL vulnerabilities and are still believed to affect websites on the Internet today.
What does this mean for FileMaker Users?
It looks like this vulnerability affects FileMaker versions 13 and 14, as their product files report that they are running OpenSSL 1.0.1i. FileMaker 12 is in the 1.0.0 series and FileMaker 11 is in the 0.9.8 series, so those versions should be okay. We will, of course, have to wait for FileMaker to make a formal announcement regarding any update, but in the meantime, keep it on your radar!
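To make that check repeatable across an installed base, here is a small Python script (an added example, not code from this post, FileMaker or the OpenSSL project) that classifies an `openssl version` string against the series named in the announcement. It assumes that every lettered release before 1.0.1p and 1.0.2d in those two series is affected, and the FileMaker 12 and 11 version strings below are constructed values inside their stated series.

```python
import re

# First patched letter in each affected series, per the announcement.
# Assumption: every earlier lettered release in that series is affected.
FIXED_RELEASE = {(1, 0, 1): "p", (1, 0, 2): "d"}
# Series the announcement says are not affected.
UNAFFECTED_SERIES = {(1, 0, 0), (0, 9, 8)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Parse '1.0.1i' or a full `openssl version` line such as
    'OpenSSL 1.0.1i 6 Aug 2014' into ((major, minor, patch), letter)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    series = tuple(int(x) for x in m.group(1, 2, 3))
    return series, m.group(4)


def assess(text):
    """Return 'unaffected', 'affected', 'fixed' or 'unknown' for a version string."""
    series, letter = parse_openssl_version(text)
    if series in UNAFFECTED_SERIES:
        return "unaffected"
    if series not in FIXED_RELEASE:
        return "unknown"  # a series the announcement does not mention
    # Letter suffixes sort alphabetically; an empty suffix is the base release.
    return "fixed" if letter >= FIXED_RELEASE[series] else "affected"


# Constructed sample inputs, one per FileMaker version mentioned in the post.
SAMPLES = {
    "FileMaker 13/14": "OpenSSL 1.0.1i 6 Aug 2014",
    "FileMaker 12 (1.0.0 series, assumed letter)": "1.0.0m",
    "FileMaker 11 (0.9.8 series, assumed letter)": "0.9.8y",
    "after the 9 July update": "OpenSSL 1.0.1p 9 Jul 2015",
}

if __name__ == "__main__":
    for label, version in SAMPLES.items():
        print("%-45s %-28s %s" % (label, version, assess(version)))
```

Feed it the output of `openssl version` from each server, or the version string FileMaker reports, to get a quick affected/fixed inventory.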
Heartbleed, discovered in April last year, was a bug in an earlier version of OpenSSL that allowed attackers to read sensitive contents of victims’ encrypted data, including credit card details, and even to steal SSL keys from Internet servers or client software.
Months later, another critical flaw known as POODLE (Padding Oracle On Downgraded Legacy Encryption) was unearthed in the decade-old but widely used SSL 3.0 cryptographic protocol; it allowed attackers to decrypt the contents of encrypted connections.
More recently, a batch of high severity vulnerabilities was fixed in March this year, including a denial-of-service (DoS) flaw (CVE-2015-0291) that allowed attackers to crash online services, and FREAK (CVE-2015-0204), which allowed attackers to force clients to use weaker encryption.
- Tue, Jul 7th, 07:31