OpenSSL downgrades horror bug after week of panic, hype


OpenSSL today issued a fix for a critical-turned-high-severity vulnerability that project maintainers warned about last week.

After days of speculation, infosec professionals and armchair bug hunters received more of a trick than a treat on November 1: two CVE-tagged security issues, both rated “high” severity, to patch. One of the two flaws had earlier been rated “critical,” but it has now been downgraded because exploiting it would require a high degree of technical skill, if it is even possible at all against a realistic target. The downgrade changes the rating, not the advice: affected deployments should still apply the update.

And now to be very clear: this isn’t a slam on the OpenSSL team. This drama isn’t their fault. Technically, the initially critical bug was arguably a critical issue, as it is a remote-code-execution vulnerability, albeit one that will be challenging to abuse.

Source: The Register

Related story: OpenSSL Releases Security Update