OpenSSL 1.1.1k Patches Two High-Severity Vulnerabilities
2021-03-25 15:16

The OpenSSL Project on Thursday announced the release of version 1.1.1k, which patches two high-severity vulnerabilities, including one related to verifying a certificate chain and one that can lead to a server crash.

"Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates," the OpenSSL Project explained in its advisory.
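The flaw the advisory describes is a later check's result replacing an earlier one. The C model below is an added illustration, not OpenSSL's code: the struct, its fields, the function names and the sample chain are all hypothetical, and it assumes the curve-parameter check runs only when strict checking is requested.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified certificate model; field names are hypothetical, not OpenSSL's. */
struct cert {
    bool is_ca;              /* marked as a valid CA certificate */
    bool explicit_ec_params; /* explicitly encoded elliptic curve parameters */
};

/* Flawed pattern: the strict check's result replaces the CA check's result. */
bool issuer_ok_flawed(const struct cert *c, bool strict)
{
    bool ok = c->is_ca;
    if (strict)
        ok = !c->explicit_ec_params; /* a failed CA check is lost here */
    return ok;
}

/* Corrected pattern: the strict check can only turn a pass into a fail. */
bool issuer_ok_fixed(const struct cert *c, bool strict)
{
    bool ok = c->is_ca;
    if (ok && strict)
        ok = !c->explicit_ec_params;
    return ok;
}

/* chain[0] is the leaf; each later entry issued the one before it. */
bool verify_chain(const struct cert *chain, size_t n, bool strict,
                  bool (*issuer_ok)(const struct cert *, bool))
{
    for (size_t i = 1; i < n; i++)
        if (!issuer_ok(&chain[i], strict))
            return false;
    return true;
}

/* Constructed sample: leaf, then a non-CA certificate acting as issuer, then a root CA. */
static const struct cert bad_chain[] = { {false, false}, {false, false}, {true, false} };

int main(void)
{
    printf("flawed, strict:  %s\n", verify_chain(bad_chain, 3, true, issuer_ok_flawed) ? "accepted" : "rejected");
    printf("fixed, strict:   %s\n", verify_chain(bad_chain, 3, true, issuer_ok_fixed) ? "accepted" : "rejected");
    printf("flawed, default: %s\n", verify_chain(bad_chain, 3, false, issuer_ok_flawed) ? "accepted" : "rejected");
    return 0;
}
```

In this model the stricter setting is the one that accepts the bad chain, because the additional check is where the earlier result gets overwritten.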

Some companies have already started informing their customers about these OpenSSL vulnerabilities.

OpenSSL has come a long way in terms of security since the disclosure of the Heartbleed vulnerability back in 2014.

Only three vulnerabilities were fixed in 2020, and only two of those were rated high severity.

No high-severity issues were patched in OpenSSL in 2018 and 2019.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/wPyZH40Qjpg/openssl-111k-patches-two-high-severity-vulnerabilities

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Openssl 2 12 92 51 16 171