Preparing now for expected OpenSSL patches
This information was sent via email to the U-M IT Security Community on March 18, 2015.
Updates to all supported versions of OpenSSL (the widely used open-source SSL/TLS toolkit) are expected on March 19 to address newly discovered vulnerabilities. The OpenSSL team has not yet provided details of the vulnerabilities, but has announced that one of them is classified as "high" severity.
IIA is monitoring the situation and expects to issue an alert that instructs those responsible for U-M systems running OpenSSL to update to the new versions. Here are our current recommendations:
- Review the versions of OpenSSL you are running to determine if your systems will be affected.
- Begin planning for the work of doing the upgrades.
- Review the references and other information below.
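The first recommendation above, determining which of your systems are affected, comes down to comparing each installed OpenSSL against the fix releases the advisory names (1.0.2a, 1.0.1m, 1.0.0r, 0.9.8zf). The script below is an added example for this page, not code from the advisory or from the OpenSSL project: it parses the output of `openssl version`, works out which maintained branch the build belongs to, and reports whether it is at or past the announced fix release for that branch. Upstream OpenSSL release letters sort a, b, ..., z, za, zb, ..., so a longer suffix is newer than any shorter one; the function names and the sample version strings are the example's own.

```shell
#!/bin/sh
# Added example (not from the U-M advisory or the OpenSSL project): classify an
# OpenSSL version string against the fix releases announced for March 19, 2015.

# Fix-release suffix for each maintained upstream branch, per the advisory.
fixed_suffix_for_branch() {
    case "$1" in
        1.0.2) echo a ;;
        1.0.1) echo m ;;
        1.0.0) echo r ;;
        0.9.8) echo zf ;;
        *) return 1 ;;   # branch not listed in the advisory
    esac
}

# Pull the "x.y.z[letters]" token out of `openssl version` output, e.g.
# "OpenSSL 1.0.1k 8 Jan 2015" -> 1.0.1k, "OpenSSL 1.0.1e-fips 11 Feb 2013" -> 1.0.1e.
extract_version() {
    echo "$1" | sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*/\1/p'
}

# True if installed suffix $1 is at or past required suffix $2.
# Upstream letters run a..z, then za, zb, ... so length decides first.
suffix_is_at_least() {
    have=$1; need=$2
    if [ ${#have} -ne ${#need} ]; then
        [ ${#have} -gt ${#need} ]
    else
        # Same length: plain byte-wise order, so the lower one sorts first.
        [ "$(printf '%s\n%s\n' "$have" "$need" | LC_ALL=C sort | head -n 1)" = "$need" ]
    fi
}

# Exit 0 if the version string is at or past its branch's fix release,
# 1 if it is older, 2 if the branch is not one the advisory covers.
openssl_is_fixed() {
    ver=$(extract_version "$1")
    [ -n "$ver" ] || return 2
    branch=$(echo "$ver" | sed 's/[a-z]*$//')
    suffix=${ver#"$branch"}
    need=$(fixed_suffix_for_branch "$branch") || return 2
    suffix_is_at_least "$suffix" "$need"
}

# Stand-alone use: check the openssl binary on this host, if there is one.
# Distribution packages often backport fixes without bumping the upstream
# letter, so treat "older" here as "verify against your vendor's advisory".
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version)
    rc=0; openssl_is_fixed "$v" || rc=$?
    case $rc in
        0) echo "$v: at or past the announced fix release" ;;
        1) echo "$v: older than the announced fix release; plan the upgrade" ;;
        *) echo "$v: branch not listed in the advisory; check vendor guidance" ;;
    esac
fi
```

Two caveats when using this for an inventory. Distribution packages on Debian, Ubuntu and Red Hat-derived systems routinely backport security fixes without changing the upstream version letter, so a result of "older" means "check the package changelog or vendor security advisory" (for example `dpkg -s libssl1.0.0` or `rpm -q --changelog openssl`), not "definitely vulnerable". Conversely, `openssl version` only describes the system copy: applications that bundle or statically link their own OpenSSL (appliances, Java keystores with native providers, some commercial software) will not show up, so pair this with a vendor-by-vendor review of the software on the host, for instance by checking which running processes have a libssl library mapped.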
Summary
The OpenSSL project team has announced that OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf will be released on March 19. The new releases will fix a number of security defects, one of which is classified as "high" severity.
Threats
Information is not yet available.
Affected Systems
Systems running OpenSSL, including software that links against or bundles the OpenSSL libraries.
Information for Users
There is no immediate recommendation for users with regard to the OpenSSL vulnerabilities.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection.
References
- OpenSSL team warns of major vulnerability (bit-tech)
- OpenSSL to Patch High Severity Vulnerability this Week (The Hacker News)
- OpenSSL mystery patches due for release Thursday (PC World)
- To prevent another Heartbleed, severe OpenSSL flaw to be patched (ZDNet)
- OpenSSL announced fix for mystery high critical vulnerability (Security Affairs)