While none of the flaws are as serious as Heartbleed, patching is recommended for all users according to an advisory released today. The vulnerabilities were found by various security research teams around the web, including Google, LogMeIn and Codenomicon, based on reports they made during June and July.
Among the more interesting fixes is one for a flaw in the handling of the Client Hello message. If a Client Hello message is badly fragmented, the flaw can be exploited by a man-in-the-middle attacker to force the server to downgrade to the TLS 1.0 protocol, a 15-year-old and therefore pre-Heartbleed protocol variant.
Other reports include memory leaks caused by denial of service (DoS) attacks and crashes caused by attempts to free the same portion of memory twice (double frees).
OpenSSL now has two full-time coders as a result of the investment by a consortium of internet industry companies in the Core Infrastructure Initiative, a not-for-profit group administered by the Linux Foundation. The initiative was set up in the wake of the discovery of the Heartbleed vulnerability, as the industry vowed to ensure such a large hole would never be left unplugged again.
While OpenSSL is used by a large number of encrypted websites, there are a number of forks of the project, including LibreSSL and the recently launched Google BoringSSL.
Google recently announced that it will lower the page rankings of unencrypted pages in its search results as an added security measure.