OpenSSL, one of the most widely used encryption libraries in the world, has just released three security updates. These updates cover the two current open-source versions that the organization supports for everyone, plus the “old” 1.0.2-version series, where updates are only available to customers who pay for premium support. The versions you want to see after updating are OpenSSL 3.0 series, which will be updated to version 3.0.8; OpenSSL 1.1.1 series, which will be updated to version 1.1.1t; and OpenSSL 1.0.2 series, which will be updated to version 1.0.2zg.
The reason for the odd version names (such as 1.0.2zg) is because the OpenSSL project used to have four-part version identifiers, with the trailing letter acting as a counter that could support 26 sub-versions. However, this turned out not to be enough, leading to the confusion with version names. The OpenSSL team eventually adopted the popular three-number versioning system, which is why the current version series is 3.0 and the sub-version is 8.
Eight bug fixes were included in the update, and seven of them were caused by memory mismanagement. OpenSSL, like OpenSSH, is written in C, which means that memory allocation and deallocation typically involves a lot of manual work. Experienced programmers can sometimes forget to match their memory allocation and deallocation calls, or lose track of which memory buffers belong to what parts of their program. The memory-related bugs include issues such as X.400 address type confusion in X.509 GeneralName, use-after-free following BIO_new_NDEF, double free after calling PEM_read_bio_ex, X.509 Name Constraints read buffer overflow, invalid pointer dereference in d2i_PKCS7 functions, NULL dereference validating DSA public key, and NULL dereference during PKCS7 data verification.
A NULL dereference occurs when you try to treat the number 0 as a memory address. This often indicates an incorrectly initialized storage variable because zero is never considered a valid place to store data. There is no way to recover from this kind of mistake, as it is impossible to guess what was intended.
To protect yourself against these bugs, it is important to update to the latest versions of OpenSSL as soon as possible. If you are still using the old 1.0.2 series, it is recommended to upgrade to a more recent version, as the 1.0.2 series is no longer actively supported by OpenSSL. Updating to the latest version will ensure that your encryption is secure and that your data is protected from potential data-stealing bugs.