Third time's a charm…
Or so they say.
The open-source cryptography library OpenSSL had its third "major" security vulnerability, fixed by a patch released on November 1, 2022 (OpenSSL 3.0.7). CVE-2022-3786 and CVE-2022-3602 are buffer overflows in X.509 certificate verification, specifically in name-constraint checking, where an attacker-controlled email address in a certificate is run through the punycode decoder. Only the 3.0.x series contains the affected code; OpenSSL 1.1.1 and 1.0.2 are not affected.
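The first thing a practitioner wants here is a reliable answer to "is this host affected?", which depends on the exact OpenSSL version. The following shell helper is an added example and not part of the original post: it parses the output of `openssl version` (or a bare version string) and reports whether the build falls in the affected range 3.0.0 through 3.0.6. The version strings used to exercise it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether an OpenSSL
# version string falls in the range affected by CVE-2022-3602/CVE-2022-3786.
# Affected: OpenSSL 3.0.0 through 3.0.6. Fixed in 3.0.7.
# The 1.1.1 and 1.0.2 series never contained the punycode decoder.

# openssl_affected_3602 "<version string>"
# Accepts the raw output of `openssl version` (e.g. "OpenSSL 3.0.5 5 Jul 2022")
# or a bare version such as "3.0.5".
# Returns 0 if affected, 1 if not affected, 2 if the string is not an
# OpenSSL version we can parse (LibreSSL, garbage, empty input).
openssl_affected_3602() {
    ver=$(printf '%s\n' "$1" | sed -n \
        -e 's/^OpenSSL *//' \
        -e 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2

    # Split "major.minor.patch" with POSIX parameter expansion only.
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    # The whole 3.0 branch before 3.0.7 carries the vulnerable decoder.
    [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]
}

# Human-readable verdict for one version string.
openssl_verdict() {
    rc=0
    openssl_affected_3602 "$1" || rc=$?
    case $rc in
        0) printf 'AFFECTED (upgrade to 3.0.7 or later): %s\n' "$1" ;;
        1) printf 'not affected: %s\n' "$1" ;;
        *) printf 'could not parse as an OpenSSL version: %s\n' "$1" ;;
    esac
}

# Constructed sample strings, in the shape `openssl version` prints them.
openssl_verdict "OpenSSL 3.0.5 5 Jul 2022"
openssl_verdict "OpenSSL 3.0.7 1 Nov 2022"
openssl_verdict "OpenSSL 1.1.1q  5 Jul 2022"
openssl_verdict "LibreSSL 3.6.0"

# Check the binary on this host, if there is one.
if command -v openssl >/dev/null 2>&1; then
    openssl_verdict "$(openssl version)"
fi
```

This checks the `openssl` command-line tool only; applications that statically link or bundle their own libcrypto (Node.js, Python wheels, container images) must be checked separately, and distributions that backport fixes without bumping the version string need to be checked against the vendor advisory rather than the version number.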
Eight years earlier it was Heartbleed (CVE-2014-0160), found and fixed in April 2014. It had been introduced more than two years before that, in a commit made on 31 December 2011 shortly before midnight. The story behind that vulnerability is worthy of a limited TV series.
In spring 2016, researchers found OpenSSL to be vulnerable to a padding-oracle attack (CVE-2016-2107, May 2016), which let a man-in-the-middle attacker decrypt TLS traffic protected by AES-CBC cipher suites. A padding oracle leaks plaintext; it does not take a system down.
Whether it is really only three major security vulnerabilities depends on how you count and on what you rate as severe or critical. OpenSSL has had many vulnerabilities over the years, each either fixed or given a documented mitigation.
The good news is that the OpenSSL developer community is quick to provide fixes, or at least to analyse the vulnerability and suggest a mitigation.
What was different this time was that the vulnerability was pre-announced as Critical, with the fix due a week later (the advance notice went out on October 25, 2022). On release the rating of CVE-2022-3602 was lowered to High, because stack layout and stack-overflow protections on common platforms limit the impact to a crash rather than code execution. And the release date, November 1, 2022, is All Saints' Day, a public holiday in many countries.