Security News

OpenSSL patches are out – CRITICAL bug downgraded to HIGH, but patch anyway!
2022-11-01 20:24

OpenSSL 1.1.1 goes to version 1.1.1s, and patches one listed security-related bug, but this bug doesn't have a security rating or an official CVE number. OpenSSL 3.0 goes to version 3.0.7, and patches not one but two CVE-numbered security bugs that are officially designated at HIGH severity.

High-severity OpenSSL vulnerabilities fixed (CVE-2022-3602, CVE-2022-3786)
2022-11-01 17:36

Version 3.0.7 of the popular OpenSSL cryptographic library is out, with fixes for CVE-2022-3602 and CVE-2022-3786, two high-severity buffer overflow vulnerabilities in the punycode decoder that could lead to crashes or potentially remote code execution. After its disclosure to the OpenSSL Project team, OpenSSL committer Viktor Dukhovni found "a second independently triggerable issue" - CVE-2022-3786.

OpenSSL fixes two high severity vulnerabilities, what you need to know
2022-11-01 16:39

The OpenSSL Project has patched two high-severity security flaws in its open-source cryptographic library used to encrypt communication channels and HTTPS connections. The vulnerabilities affect OpenSSL version 3.0.0 and later and have been addressed in OpenSSL 3.0.7.

OpenSSL Releases Patch for 2 New High-Severity Vulnerabilities
2022-11-01 16:26

The OpenSSL project has rolled out fixes to contain two high-severity flaws in its widely used cryptography library that could result in a denial-of-service and remote code execution. It's worth noting that the commonly deployed OpenSSL 1.x versions are not vulnerable.

Week in review: OpenSSL critical fix, Medibank data breach, Apple fixes zero-day vulnerability
2022-10-30 09:00

Incoming OpenSSL critical fix: Organizations, users, get ready! The OpenSSL Project team has announced that, on November 1, 2022, they will release OpenSSL version 3.0.7, which will fix a critical vulnerability in the popular open-source cryptographic library. Apple fixes exploited iOS, iPadOS zero-day. For the ninth time this year, Apple has released fixes for a zero-day vulnerability exploited by attackers to compromise iPhones.

Incoming OpenSSL critical fix: Organizations, users, get ready!
2022-10-26 12:24

The OpenSSL Project team has announced that, on November 1, 2022, they will release OpenSSL version 3.0.7, which will fix a critical vulnerability in the popular open-source cryptographic library. According to the team's own risk classification, critical vulnerabilities in OpenSSL are those that affect common configurations and are likely to be exploitable.

S3 Ep91: CodeRed, OpenSSL, Java bugs, Office macros [Audio + Text]
2022-07-14 18:47

DOUG. A brief history of Office macros, a Log4Shell style bug, two OpenSSL crypto bugs, and more. DUCK. If you have a Windows network where you can use Group Policy, for example, then as an administrator you can turn this function on to say, "As a company, we just don't want macros off the internet. We're not going to even offer you a button that you can say, Why not? Why not let the macros run?".

OpenSSL fixes two “one-liner” crypto bugs – what you need to know
2022-07-06 18:52

Heartbleed can probably be considered a prime early example of what Naked Security jokingly refers to as the BWAIN process, short for Bug With An Impressive Name. We don't think these latest bugs reach that level of exploitability or immediate danger.

OpenSSL Releases Patch for High-Severity Bug that Could Lead to RCE Attacks
2022-07-06 06:38

The maintainers of the OpenSSL project have released patches to address a high-severity bug in the cryptographic library that could potentially lead to remote code execution under certain scenarios. The issue, now assigned the identifier CVE-2022-2274, has been described as a case of heap memory corruption with RSA private key operation that was introduced in OpenSSL version 3.0.4 released on June 21, 2022.

OpenSSL to Release Security Patch for Remote Memory Corruption Vulnerability
2022-06-28 02:16

The latest version of the OpenSSL library has been discovered as susceptible to a remote memory-corruption vulnerability on select systems. OpenSSL 1.1.1 as well as OpenSSL forks BoringSSL and LibreSSL are not affected.