Staying Secure With the OpenSSL 1.0.2f Update

March 31, 2016

Hackers never sleep, so managing data security and mitigating risk is of paramount concern for our team at Progress. Here’s how to stay secure with OpenSSL 1.0.2f.

Progress DataDirect enables connectivity between a LOT of different data sources and applications, both on-premise and in the cloud. Besides addressing the critical and obvious needs of performance and ease of use for our customers, we’re always working in the background to ensure security requirements are met and any new vulnerabilities are quickly addressed.

Recently All ODBC Products Were Updated to OpenSSL 1.0.2f 

This addresses the following issues:

  • Provides stronger cryptographic assurance against the "Logjam" vulnerability (CVE-2015-4000)
  • Fixes the "DH small subgroups" vulnerability (CVE-2016-0701)
  • Fixes the "SSLv2 doesn't block disabled ciphers" vulnerability (CVE-2015-3197)
  • Fixes the "BN_mod_exp may produce incorrect results on x86_64" vulnerability (CVE-2015-3193)
  • Fixes the "Certificate verify crash with missing PSS parameter" vulnerability (CVE-2015-3194)
  • Fixes the "X509_ATTRIBUTE memory leak" vulnerability (CVE-2015-3195)

We don’t advertise every security fix we do in a blog posting like this, but I felt this was a good opportunity to let you know about our security vulnerability response policy. Upon identification of any security vulnerability that would impact one or more Progress product(s), Progress will exercise commercially reasonable efforts to address the vulnerability in accordance with the following guidelines:

Security Vulnerability Response Policy

| Priority* | Time Guideline | Version(s) |
|---|---|---|
| High Risk (CVSS 8+ or industry equivalent) | 30 days | Active (i.e. latest shipping version) and all Supported versions |
| Medium Risk (CVSS 5-to-8 or industry equivalent) | 180 days | Active (i.e. latest shipping version) |
| Low Risk (CVSS 0-to-5 or industry equivalent) | Next major release or best effort | Active (i.e. latest shipping version) |

* Priority is established based on the current version of the Common Vulnerability Scoring System (CVSS), an open industry standard for assessing the severity of computer system security vulnerabilities. For additional information on this scoring system, refer to https://en.wikipedia.org/wiki/CVSS.

Your Information Is Secure

So, while you enjoy our products for your data and application integration needs, you can also be confident your information is secure both now and in the future.

If you would like to learn more about the broad range of security issues and how to avoid them, Sven Skoog goes through the history of data security and provides insight on current issues in his blog, “How to Avoid Security Issues in Your Data Connectivity Layer.”

Mike Johnson

Mike is a proven leader with over 20 years of experience in developing commercial software for the industry leader in standards-based data access software. He has extensive experience in all aspects of commercial software development including requirements analysis, developing functional requirements, developing and mentoring individuals, staffing, budgeting, product development, quality assurance, training and customer communication. Mike has progressed in his career in large part from his strong work ethic and a “do whatever it takes” attitude.
