The developers of OpenSSL will release a new version on Thursday that fixes one or more serious security vulnerabilities. Last year, OpenSSL already suffered from a major vulnerability that allowed the internal memory of servers to be read.
It is not known what kind of vulnerability or vulnerabilities are involved; in the release announcement, OpenSSL developer Matt Caswell states only that one or more of the vulnerabilities are rated 'severe'. That classification is reserved for vulnerabilities that are likely to be exploited. It could concern, for example, a denial of service, the execution of code, or the reading of data from memory.
The bug can affect both servers and end users. OpenSSL is often used by servers to provide SSL/TLS connections, but some browsers and end-user operating systems also use the SSL library, among them a number of Linux distributions. Google used OpenSSL in Chrome OS and Android until last year, but has since forked the software into its own version. Because that version is based on OpenSSL code, the vulnerability could still be present on those systems.
Last year a major bug in OpenSSL came to light. The Heartbleed bug made it possible to read part of the internal memory of servers and clients running OpenSSL. The bug unleashed a storm of criticism against OpenSSL, which is said to have been poorly maintained; Google and OpenBSD decided to fork the software. Incidentally, vulnerabilities were also found in other SSL implementations last year.