The OpenSSL Project team has announced that, on November 1, 2022, they will release OpenSSL version 3.0.7, which will fix a critical vulnerability in the popular open-source cryptographic library.
According to the team’s own risk classification, critical vulnerabilities in OpenSSL are those that affect common configurations and are likely to be exploitable.
Why does the OpenSSL Project team preannounce the release of security fixes?
OpenSSL is included in many operating systems; client-side software; web and email server software; network appliances, industrial control systems, and so on.
With all this in mind, the OpenSSL team usually preannounces security fixes via its site and its mailing list, but also notifies directly organizations that produce a general purpose OS that uses OpenSSL, maintainers of popular open source projects that are derived from OpenSSL, and organizations with which the project has a commercial relationship.
No details have been shared with the public about the vulnerability and, according to OpenSSL core team member Mark J. Cox, attackers are unlikely to ferret out the vulnerability before the fixed version is widely deployed.