What is OpenSSL?
OpenSSL is a general-purpose cryptography library that implements the TLS/SSL security protocols; it is what puts the “S” in HTTPS for many websites.
Hackers can lure or misdirect a user to a bogus website, email server or any other internet service that uses TLS/SSL for its secure communication, tricking the user into thinking they are somewhere legitimate and secure.
Effects of the bug
A hacker may be able to create a certificate in someone else’s name and then sneak it past OpenSSL’s certificate verification process without triggering a warning, even though the certificate isn’t signed by a trusted CA.
How big is the risk?
Four OpenSSL versions are affected:
• Versions 1.0.2b and 1.0.2c need updating to 1.0.2d. (The -a sub-version is immune.)
• Versions 1.0.1n and 1.0.1o need updating to 1.0.1p. (Sub-versions up to and including -n are immune.)
• All 0.9.8 versions are immune.
• All 1.0.0 versions are immune.
What to do?
If you are using any of the above OpenSSL versions, you need to update.
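To turn the version list above into a quick check, here is an added shell example (not code from the original article or from the OpenSSL project) that classifies an `openssl version` string against the affected releases; the function names `openssl_affected` and `check_local_openssl` are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example: decide whether an OpenSSL build is one of the releases the
# article says need updating (1.0.2b/c -> 1.0.2d, 1.0.1n/o -> 1.0.1p).
# Returns 0 (true) if the build is affected, 1 otherwise.
openssl_affected() {
    # Accept either a bare "1.0.2c" or the full "openssl version" output
    # ("OpenSSL 1.0.2c 12 Jun 2015"); keep only the version token.
    ver=$(printf '%s\n' "$1" | sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9.]*[a-z]*\).*$/\2/p')
    case "$ver" in
        1.0.2b|1.0.2c) return 0 ;;   # update to 1.0.2d
        1.0.1n|1.0.1o) return 0 ;;   # update to 1.0.1p
        *)             return 1 ;;   # 0.9.8, 1.0.0, other sub-versions, fixed releases,
                                     # or not OpenSSL at all (e.g. LibreSSL)
    esac
}

# Print a verdict for the library installed on this machine.
check_local_openssl() {
    v=$(openssl version 2>/dev/null) || { echo "openssl not found"; return 2; }
    if openssl_affected "$v"; then
        echo "AFFECTED: $v - update to the fixed release"
    else
        echo "not affected: $v"
    fi
}
```

Distribution packages sometimes backport fixes without changing the upstream version letter, so treat the result as a first pass and confirm against your vendor's package changelog.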