The OpenSSL Project, a collaborative effort to develop an open source toolkit that implements SSL and TLS, has announced that it will fix a number of security flaws on Thursday, one of which it has labeled “high” severity. The project made the announcement in a message circulated yesterday. “The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf,” the message reads. “These releases will be made available on 19th March. They will fix a number of security defects. The highest severity defect fixed by these releases is classified as ‘high’ severity.”

These flaws, the details of which have been intentionally withheld to prevent attacks, are the latest vulnerabilities to be discovered in a problematic year for the OpenSSL Project. In April of last year, OpenSSL made headlines with the discovery of the Heartbleed vulnerability, a flaw that allows attackers to steal the keys used for website encryption and decryption. More recently, OpenSSL was found to be affected by the FREAK flaw, a vulnerability that enables attackers to eavesdrop on communications from computers and mobile devices using Safari or Google’s browsers. Some observers are already characterizing this latest “high” severity flaw as the next Heartbleed.

Taken together, Heartbleed, FREAK, and these new flaws have drawn attention to other open source projects besides OpenSSL, projects which, as Jeremy Kirk of ComputerWorld notes, “have often suffered from neglect and been maintained by a handful of underpaid developers or volunteers for free.” A number of companies, including Cisco, Adobe, Google, and IBM, have therefore decided to fund the Core Infrastructure Initiative (CII), a multi-million dollar project that funds open source projects concerned with core computing functions.
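The practical question for anyone running OpenSSL after such an announcement is whether the installed build is at or past the fixed release for its branch. The following is an added example, not code from the article or from the OpenSSL project: it parses the output of `openssl version` and compares it against the four fixed versions the announcement lists, assuming OpenSSL's pre-1.1 letter-suffix numbering, in which 0.9.8z is followed by 0.9.8za.

```python
import re

# Minimum patched release per branch, as listed in the OpenSSL project's
# pre-announcement for the 19 March 2015 releases quoted above.
FIXED_RELEASES = {
    "1.0.2": "1.0.2a",
    "1.0.1": "1.0.1m",
    "1.0.0": "1.0.0r",
    "0.9.8": "0.9.8zf",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Parse an OpenSSL 1.x-style version (e.g. `openssl version` output
    such as 'OpenSSL 1.0.1k 8 Jan 2015') into a comparable tuple.
    The letter suffix is compared as (length, letters) so that
    '' < 'a' < 'z' < 'za' < 'zf', matching the pre-1.1 scheme."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in: %r" % text)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), (len(letters), letters))


def branch_of(version):
    """'1.0.1k' -> '1.0.1', the release line a fix applies to."""
    return "%d.%d.%d" % version[:3]


def is_patched(text):
    """True if the version in `text` is at or above the fixed release for
    its branch, False if it is older, None if the branch is not one the
    announcement covers (an unsupported or newer line)."""
    version = parse_version(text)
    fixed = FIXED_RELEASES.get(branch_of(version))
    if fixed is None:
        return None
    return version >= parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample `openssl version` strings, not output from real hosts.
    for sample in ("OpenSSL 1.0.1k 8 Jan 2015", "OpenSSL 1.0.1m 19 Mar 2015",
                   "OpenSSL 0.9.8ze 15 Jan 2015", "OpenSSL 0.9.8zf 19 Mar 2015"):
        print(sample, "->", is_patched(sample))
```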