New OpenSSL bugs dodge the Heartbleed bullet


OpenSSL's frantic move to fix certain vulnerabilities in the protocol wasn't to prevent the next Heartbleed despite the fact that it labelled two problems as "high severity".

The project team behind OpenSSL released the update on Thursday. It brings with it patches for 14 different bugs, including two that are most worrying with the labels CVE-2015-0291 and CVE-2015-0204.

The CVE-2014-0204 is commonly known as the FREAK vulnerability whereas the other one (CVE-2015-0291) could conceivably be used the carry out a denial of service attack, according to OpenSSL.

Stanford University student David Ramos discovered the bugs on February 26 and Ken Westin, senior security analyst at Tripwire, thinks the security community "dodged a bullet" in relation to the new vulnerabilities being a new Heartbleed.

Upgrade now!

Heartbleed was first discovered a little over a year after lying undiscovered for over two years. That vulnerability allowed attackers to read up to 64KB of the host's memory before repeating it to read more RAM.

Now it seems the security boffins are on high alert. When the bugs were first outed by OpenSSL just last week, the doom-mongers were already looking to it as a new Heartbleed thanks to OpenSSL's decision to tag it as "high severity".

As for the other 12 bugs, all of them are rated as "moderate" or "low". Even so, OpenSSL is advising anyone still running the older versions of the protocol (1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf) to upgrade to newer versions immediately.