Tag Archive for: highseverity

OpenSSL fixes two high-severity crypto bugs – Naked Security


We’re sure you’ve heard of OpenSSL, and even if you aren’t a coder yourself, you’ve almost certainly used it.

OpenSSL is one of the most popular open-source cryptography libraries out there, and lots of well-known products rely on it, especially on Linux, which doesn’t have a standard, built-in encryption toolkit of its own.

Even on Windows and macOS, which do have encryption toolkits built into their distributions, you may have software installed that includes and uses OpenSSL instead of the operating system’s standard cryptographic libraries.

As its name suggests, OpenSSL is very commonly used for supporting network-based encryption using TLS, which is the contemporary name for what used to be called SSL.

TLS, or transport layer security, is what puts the padlock into your browser, and it’s probably what encrypts your email in transit these days, along with protecting many other online communications initiated by your computer.

So, when an OpenSSL security advisory reports exploitable vulnerabilities in the software…

…it’s worth paying attention, and upgrading as soon as you can.

The latest patches, which came out in OpenSSL 1.1.1k on 2021-03-25, fix two high-severity bugs that you should definitely know about:

  • CVE-2021-3449: Crash can be provoked when connecting to a vulnerable server.
  • CVE-2012-3450: Vulnerable client can be tricked into accepting a bogus TLS certificate.