OS X and another OpenSSL vulnerability

There is news tonight that OpenSSL versions 1.0.2d and 1.0.1p will shortly be released to fix a security hole of “high severity” – so highly severe that the vulnerability has not been disclosed, for fear of tipping the bad guys off.

However, OS X Yosemite 10.10.4 currently runs OpenSSL version 0.9.8zf, from 19 March 2015, which is not vulnerable. So when you see dire warnings that OpenSSL users need to apply security patches, those should not apply to OS X.

It would otherwise be nice if OS X caught up a little: the recommended official release of OpenSSL will be 1.0.2d, replacing 1.0.2c, which is vulnerable. Quite a lot of changes have been made since 0.9.8zf, and some of those may come in handy in the next few months.

OpenSSL implements the SSL and TLS protocols, which provide secure network connections, so it is very important; any vulnerabilities are very likely to be exploited by seriously bad people.
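
To check a machine against the releases named above, the following added example (not from OpenSSL or Apple) classifies the string printed by `openssl version`. It assumes that any 1.0.1 or 1.0.2 release older than the fixed one should be updated, which is a conservative reading rather than a list of affected releases; the function names and result labels are made up for this example.

```shell
#!/bin/sh
# Added example. Fixed releases (1.0.2d, 1.0.1p) are the ones named in the post.

# Rank an OpenSSL letter suffix: "" -> 0, a -> 1 ... z -> 26, za -> 27 ... zf -> 32.
suffix_rank() {
    s=$1
    if [ -z "$s" ]; then echo 0; return 0; fi
    last=${s#"${s%?}"}                 # final letter of the suffix
    n=$(printf '%d' "'$last")          # its ASCII code
    echo $(( (${#s} - 1) * 26 + n - 96 ))
}

# Accepts "OpenSSL 1.0.2c <date>" (openssl version output) or a bare "1.0.2c".
classify_openssl_version() {
    v=${1#OpenSSL }
    v=${v%% *}
    case $v in
        1.0.2*) branch=1.0.2; fixed=d ;;
        1.0.1*) branch=1.0.1; fixed=p ;;
        # The post reports 0.9.8zf as not vulnerable; extending that to the
        # whole 0.9.8 branch is an assumption of this example.
        0.9.8*) echo "not-affected-branch"; return 0 ;;
        *)      echo "unknown-branch"; return 0 ;;
    esac
    suffix=${v#"$branch"}
    suffix=${suffix%%-*}               # drop vendor tags such as "-fips"
    case $suffix in
        *[!a-z]*) echo "unknown-branch"; return 0 ;;
    esac
    if [ "$(suffix_rank "$suffix")" -lt "$(suffix_rank "$fixed")" ]; then
        echo "update-to-$branch$fixed"
    else
        echo "at-or-past-fix"
    fi
}

# Constructed sample inputs; on a live host use:
#   classify_openssl_version "$(openssl version)"
for sample in "OpenSSL 0.9.8zf 19 Mar 2015" "1.0.2c" "1.0.2d" "1.0.1o" "1.0.1p"; do
    printf '%-30s %s\n' "$sample" "$(classify_openssl_version "$sample")"
done
```

The suffix ranking matters because OpenSSL continues past `z` with `za`, `zb` and so on, so a plain string comparison would misorder releases such as 0.9.8zf.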