OpenSSL 1.0.2g and OpenSSL 1.0.1s are now available for download. These updates have been anticipated since they were announced on February 25, 2016, as they are rated critical and should be applied as soon as possible.
These updates fix several bugs and also include critical security fixes. The new versions of OpenSSL are available for immediate download as of March 1, 2016.
What is new in OpenSSL 1.0.2g and OpenSSL 1.0.1s?
Before covering what is significant about these two updates, it is worth knowing how they differ. OpenSSL 1.0.2g is a long-term support (LTS) release, and support for it is covered until December 31, 2019. OpenSSL 1.0.1s, by contrast, is simply a security and bug fix update; the end-of-life for this version is scheduled for December 31, 2016.
Both of these OpenSSL versions address a vulnerability in SSLv2 and therefore disable the SSLv2 protocol by default, as well as remove the SSLv2 EXPORT ciphers.
The use of SSLv2 has been discouraged for a while now in favor of TLS 1.2. The revelation that a new vulnerability has been discovered in that protocol only cements what has long been common knowledge about the now weak SSL protocol. According to OpenSSL, a cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites. This issue can be avoided by having server administrators disable the SSLv2 protocol in all their SSL/TLS servers, since a single SSLv2-capable server sharing the same RSA key is enough to expose the TLS sessions of the others.
OpenSSL 1.0.2g and OpenSSL 1.0.1s no longer build SSLv2 unless it is explicitly requested at configure time with enable-ssl2. Even when built with SSLv2, the user will still have to explicitly enable SSLv2 at runtime in order to use it on their server.
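As an added example (not code from the OpenSSL project or this article), the following Python parses the SSLv2 CLIENT-HELLO record format so that a defender inspecting captured traffic can flag clients that still offer SSLv2, and in particular the 40-bit EXPORT cipher kinds these releases remove; the sample record is constructed inline, not a real capture.

```python
import struct

# 3-byte SSLv2 CIPHER-SPEC values from the SSLv2 specification; the two
# EXPORT40 kinds are the SSLv2 EXPORT ciphers that 1.0.2g/1.0.1s remove.
SSLV2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

def parse_sslv2_client_hello(record: bytes):
    """Return (version, [cipher kind names]) for an SSLv2 CLIENT-HELLO, else None.

    SSLv2 records begin with a 2-byte header whose high bit is set; the other
    15 bits are the length. CLIENT-HELLO = msg-type 0x01, 2-byte version
    (0x0002 = pure SSLv2), then 2-byte lengths for cipher-specs, session-id
    and challenge, followed by those three fields.
    """
    if len(record) < 11 or not record[0] & 0x80:
        return None  # not a 2-byte-header SSLv2 record (TLS starts with 0x16)
    length = ((record[0] & 0x7F) << 8) | record[1]
    body = record[2:2 + length]
    if length < 9 or len(body) != length or body[0] != 0x01:
        return None  # truncated record or not a CLIENT-HELLO
    version, spec_len, sid_len, chal_len = struct.unpack(">HHHH", body[1:9])
    if spec_len % 3 or len(body) != 9 + spec_len + sid_len + chal_len:
        return None  # field lengths do not add up: malformed
    specs = body[9:9 + spec_len]
    kinds = [SSLV2_CIPHER_KINDS.get(specs[i:i + 3], "UNKNOWN")
             for i in range(0, spec_len, 3)]
    return version, kinds

def export_kinds(kinds):
    """Filter the 40-bit EXPORT cipher kinds out of a parsed cipher list."""
    return [k for k in kinds if "EXPORT" in k]

def build_client_hello(specs: bytes, challenge: bytes = b"\x00" * 16) -> bytes:
    """Construct a sample SSLv2 CLIENT-HELLO record (test input, not a capture)."""
    body = b"\x01" + struct.pack(">HHHH", 0x0002, len(specs), 0, len(challenge))
    body += specs + challenge
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body

if __name__ == "__main__":
    # Constructed hello offering RC4-128 plus the two 40-bit EXPORT kinds.
    hello = build_client_hello(b"\x01\x00\x80\x02\x00\x80\x04\x00\x80")
    version, kinds = parse_sslv2_client_hello(hello)
    print(hex(version), kinds, "EXPORT offered:", export_kinds(kinds))
```

A TLS ClientHello sent in SSLv2-compatible format carries a TLS version (for example 0x0301) in the same field, so the returned version separates genuine SSLv2 clients from compatibility hellos.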
Other bugs found and fixed include some that could potentially allow DoS attacks, memory leaks or memory corruption, including heap corruption issues. OpenSSL was previously plagued by a severe bug known as the Heartbleed bug. Heartbleed is a buffer over-read bug, disclosed in April 2014, that affected the OpenSSL cryptography library and resulted from improper input validation on the client or server side.
OpenSSL strongly recommends that all users immediately update their existing deployments to OpenSSL 1.0.2g or OpenSSL 1.0.1s. The downloads for these critical updates are available from the OpenSSL website, and updates can also be obtained directly from the package repositories of the various platform distributions.