OpenSSL Security Updates – Severity: High
Update: June 13th 2019 – Remember the OpenSSL project has a budget of less than one million USD per year and relies primarily on donations. With this in mind, it’s very important that you keep tabs on OpenSSL news and the OpenSSL newslog, and be sure to upgrade anytime there is a new release.
A new set of security updates for OpenSSL was released this morning to address various security vulnerabilities, some of which are considered to be “high” severity. Please update as soon as possible. To update, keep an eye open for Linux distro updates via package managers such as yum, apt-get, etc. Control panel updates for cPanel and others will be released over the next few days.
Official OpenSSL update: https://openssl.org/news/secadv_20150319.txt
The main bug is a denial-of-service condition that affects only version 1.0.2. OpenSSL also re-categorized the FREAK vulnerability as high. This bug allows an attacker to downgrade the crypto on a server to 512 bits, intercept encrypted traffic, and decrypt it. OpenSSL was notified Oct. 22 about FREAK, which stands for Factoring Related Attack on RSA Keys. A dozen other vulnerabilities in older versions (nine ranked moderate and three low) were also patched today.