OpenSSL Security Advisory [9 Jul 2015]
=======================================

Alternative chains certificate forgery (CVE-2015-1793)
======================================================

Severity: High

During certificate verification, OpenSSL (starting from version 1.0.1n and
1.0.2b) will attempt to find an alternative certificate chain if the first
attempt to build such a chain fails. An error in the implementation of this
logic can mean that an attacker could cause certain checks on untrusted
certificates to be bypassed, such as the CA flag, enabling them to use a valid
leaf certificate to act as a CA and "issue" an invalid certificate.

This issue will impact any application that verifies certificates including
SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.

This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.

OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p

This issue was reported to OpenSSL on 24th June 2015 by Adam Langley/David
Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project.
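The following is an added illustration, not OpenSSL's code or the BoringSSL fix: a simplified model of chain building in which a verifier falls back to an alternative chain when the first candidate issuer is a dead end, and then applies the CA-flag check to whichever chain it ends up with. The certificates (names, issuers, CA flags) are constructed for the example, and name matching stands in for signature verification.

```python
# Added example (not OpenSSL code): a toy chain builder that explores alternative
# chains, followed by the check that must hold on every accepted chain, namely
# that each certificate above the leaf carries the CA flag (basicConstraints).
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool  # basicConstraints CA flag; False for an ordinary leaf

def build_chain(leaf: Cert, untrusted: List[Cert], trusted: List[Cert]) -> Optional[List[Cert]]:
    """Depth-first search over candidate issuers; when one candidate cannot reach a
    trust anchor, the search continues with the next (the 'alternative chain')."""
    def walk(chain: List[Cert]) -> Optional[List[Cert]]:
        head = chain[-1]
        for anchor in trusted:  # reached a trust anchor: chain is complete
            if anchor.subject == head.issuer:
                return chain + [anchor]
        for cand in untrusted:  # otherwise try each untrusted issuer in turn
            if cand.subject == head.issuer and cand not in chain:
                found = walk(chain + [cand])
                if found:
                    return found
        return None  # dead end; caller moves on to the next alternative
    return walk([leaf])

def check_chain(chain: List[Cert]) -> List[str]:
    """The check CVE-2015-1793 allowed to be skipped on the alternative-chain
    path: every certificate except the leaf (depth 0) must be a CA."""
    return [f"depth {d} ({c.subject}): CA flag not set"
            for d, c in enumerate(chain[1:], start=1) if not c.is_ca]

def verify(leaf: Cert, untrusted: List[Cert], trusted: List[Cert]) -> Tuple[bool, List[str]]:
    chain = build_chain(leaf, untrusted, trusted)
    if chain is None:
        return False, ["unable to get issuer certificate"]
    errors = check_chain(chain)  # runs regardless of which chain was found
    return (not errors), errors

# Constructed sample PKI: a retired intermediate with the same name as the live
# one forces the first attempt to dead-end, so the alternative chain is taken.
ROOT = Cert("Root CA", "Root CA", True)
INTER = Cert("Intermediate CA", "Root CA", True)
STALE = Cert("Intermediate CA", "Retired Root", True)
LEAF = Cert("example.test", "Intermediate CA", False)      # legitimate leaf
FORGED = Cert("victim.test", "example.test", False)        # "issued" by the leaf

if __name__ == "__main__":
    print(verify(LEAF, [STALE, INTER], [ROOT]))            # (True, [])
    print(verify(FORGED, [LEAF, STALE, INTER], [ROOT]))    # (False, [...depth 1...])
```

The second call is the situation the advisory describes: the chain is buildable, but it must be rejected because the certificate at depth 1 is a leaf, not a CA.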
Note
====

As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
releases will be provided after that date. Users of these releases are advised
to upgrade.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv_20150709.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html