I have a fair understanding of OpenSSL's method, but not so much with its actual gears and pulleys. I always keep some clients I use updated with the current libraries: libeay32.dll and ssleay32.dll, now at 1.0.2h / 1.0.2.8. Having no control, of course, over what's used on the server side "out there," I wonder if that does some good or none at all?
I didn't check, but usually some vulnerabilities affect the client side as well. The big browsers don't use OpenSSL, but some others do, QupZilla for example. Also, quite a few other software packages on Windows bundle OpenSSL files in their program files folders and don't update them properly. Search your computer for ssleay*.dll and libeay*.dll to find out.
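As an added example (not code from anyone in this thread), here is a Python script that does the search suggested in the reply above and goes one step further: it reads the plain-text "OpenSSL x.y.zL  date" banner that every OpenSSL library embeds, so bundled copies can be listed with their actual version. The MINIMUM table is assumed and illustrative (the 1.0.2u value comes from later in this thread); the root path in the usage line is an assumption too.

```python
import fnmatch
import os
import re

# File names OpenSSL libraries use on Windows (1.0.x names first, then 1.1.x/3.x names).
DLL_PATTERNS = ("libeay*.dll", "ssleay*.dll", "libcrypto*.dll", "libssl*.dll")
# Every OpenSSL library embeds a plain-text banner such as b"OpenSSL 1.0.2h  3 May 2016".
BANNER_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")
# Assumed minimum patch letter per branch: illustrative only, refresh it from openssl.org.
MINIMUM = {(1, 0, 2): "u"}


def parse_banner(data):
    """Return (major, minor, fix, letter) from a library's bytes, or None if no banner."""
    m = BANNER_RE.search(data)
    if m is None:
        return None
    return (int(m[1]), int(m[2]), int(m[3]), m[4].decode())


def classify(version):
    """'unknown-branch' if the branch is not in MINIMUM, else 'outdated' or 'current'."""
    branch, letter = version[:3], version[3]
    if branch not in MINIMUM:
        return "unknown-branch"
    # Patch letters sort lexically; '' (the first release of a branch) sorts before 'a'.
    return "outdated" if letter < MINIMUM[branch] else "current"


def find_openssl_dlls(root):
    """Walk root and return every path whose file name matches an OpenSSL DLL pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if any(fnmatch.fnmatch(name.lower(), p) for p in DLL_PATTERNS):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def audit(root):
    """Return {path: (version_string, status)} for each OpenSSL DLL found under root."""
    report = {}
    for path in find_openssl_dlls(root):
        with open(path, "rb") as fh:
            version = parse_banner(fh.read())
        if version is None:
            report[path] = ("?", "no-banner")
            continue
        report[path] = ("%d.%d.%d%s" % version, classify(version))
    return report


if __name__ == "__main__":
    for path, (ver, status) in audit(r"C:\Program Files").items():  # assumed root
        print(f"{status:14} {ver:10} {path}")
```

Run it against each program-files directory (or an arbitrary root on other systems); a "no-banner" result means a matching file name without an OpenSSL banner, which is worth a manual look.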
That's what I pondered in my post #26 above. I've just been replacing the two DLLs on my systems for years in the age-old trusted "it can't hurt" strategy. As well, I don't believe they'd be releasing client-side libraries for no reason.
I can tell you that my Debian systems all updated OpenSSL today. There were some high-risk changes that were addressed.
Pre-announcement for the upcoming OpenSSL releases for 02 Nov 2017. https://mta.openssl.org/pipermail/openssl-announce/2017-October/000104.html
That Google fuzzer is a pretty awesome piece of kit: it tests programs with trillions of inputs to see if any of them cause an unexpected response.
May I please "revive" this thread.
OpenSSL site: https://www.openssl.org/
News: https://www.openssl.org/news/
Newslog: https://www.openssl.org/news/newslog.html
Latest security advisory at the moment: 10 September 2019, https://www.openssl.org/news/secadv/20190910.txt
I would like to point to the OpenSSL blog post from 07 Nov 2019: "Update on 3.0 Development, FIPS and 1.0.2 EOL", https://www.openssl.org/blog/blog/2019/11/07/3.0-update/ IMHO a must-read for developers, in particular for those who are using the 1.0.2 version. (emphasis by me) There is a lot more in that blog post.
For those developers still using the 1.0.2 branch: version 1.0.2u is available. https://www.openssl.org/news/vulnerabilities.html https://www.openssl.org/news/cl102.txt Read more at those links. Once again, I would like to point to the EOL of the 1.0.2 branch at the end of 2019.
Long read: "QUIC and OpenSSL", Feb 17th, 2020, https://www.openssl.org/blog/blog/2020/02/17/QUIC-and-OpenSSL/