The latest batch of OpenSSL security patches were released today, with a pair of high-severity flaws and four low-severity issues addressed in OpenSSL 1.0.1t and OpenSSL 1.0.2h. One of the high-severity flaws, CVE-2016-2107, opens the door to a padding oracle attack that can allow for the decryption of traffic if the connection uses an AES CBC...

Mike Mimoso and Chris Brook recap RSA 2016, including how pervasive the FBI vs. Apple debate has been around the conference, OpenSSL two years after Heartbleed, and why hacking back is always a bad idea. Download: Threatpost_News_Wrap_March_4_2016.mp3 Music by Chris Gonsalves

SAN FRANCISCO—Experts have stressed this week that DROWN is no Heartbleed, but at some point in the not too distant future, there’s going to be another major Internet vulnerability and developers at OpenSSL claim they’re battle tested. Rich Salz and Tim Hudson, members of OpenSSL’s development team, described in a talk at RSA Conference this week...

Calls for encryption backdoors that date back to the 1990s are coming back to haunt the industry 20 years later with DROWN, security experts say. The flaw that researchers found with DROWN center around the fact that during the so called Crypto Wars of the 1990s President Bill Clinton’s administration insisted that US government have...

Researchers revealed a massive transport layer security (TLS) vulnerability today that leaves millions of Internet users vulnerable to an attack that could expose passwords, credit card numbers and financial data. OpenSSL and others are urging companies to patch their web servers or risk exposure to the so-called DROWN attack that can decrypt Internet traffic and leave...

The OpenSSL project team today patched two vulnerabilities in the crypto library, one of which is rated high severity and exposes many popular applications to attack. The patches are in new releases of OpenSSL, 1.0.1r and 1.0.2f, along with an enhancement to the strength of the cryptography in a previous mitigation for last year’s Logjam...

OpenSSL is scheduled to update two versions of the software this week, patching a pair of vulnerabilities in the process. The OpenSSL project this morning said the updates will move users to versions 1.0.2f and 1.0.1r and should be available Thursday between 8 a.m. and noon Eastern time. “They will fix two security defects, one of...