[openssl-commits] [web] master update

Matt Caswell matt at openssl.org
Thu Jul 9 12:48:14 UTC 2015


The branch master has been updated
       via  b50b8b11e61183e44d0bb521d5512416fbc261c7 (commit)
      from  0dd8b2ab306a6b93e4901b0eb7f787edcd4a7199 (commit)


- Log -----------------------------------------------------------------
commit b50b8b11e61183e44d0bb521d5512416fbc261c7
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Jul 9 13:48:04 2015 +0100

    Add security advisory

-----------------------------------------------------------------------

Summary of changes:
 news/secadv_20150709.txt | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 news/secadv_20150709.txt

diff --git a/news/secadv_20150709.txt b/news/secadv_20150709.txt
new file mode 100644
index 0000000..f7cc8eb
--- /dev/null
+++ b/news/secadv_20150709.txt
@@ -0,0 +1,47 @@
+OpenSSL Security Advisory [9 Jul 2015]
+=======================================
+
+Alternative chains certificate forgery (CVE-2015-1793)
+======================================================
+
+Severity: High
+
+During certificate verification, OpenSSL (starting from version 1.0.1n and
+1.0.2b) will attempt to find an alternative certificate chain if the first
+attempt to build such a chain fails. An error in the implementation of this
+logic can mean that an attacker could cause certain checks on untrusted
+certificates to be bypassed, such as the CA flag, enabling them to use a valid
+leaf certificate to act as a CA and "issue" an invalid certificate.
+
+This issue will impact any application that verifies certificates including
+SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.
+
+This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
+
+OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
+OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p
+
+This issue was reported to OpenSSL on 24th June 2015 by Adam Langley/David
+Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project.
+
+Note
+====
+
+As per our previous announcements and our Release Strategy
+(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
+1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
+releases will be provided after that date. Users of these releases are advised
+to upgrade.
+
+References
+==========
+
+URL for this Security Advisory:
+https://www.openssl.org/news/secadv_20150709.txt
+
+Note: the online version of the advisory may be updated with additional
+details over time.
+
+For details of OpenSSL severity classifications please see:
+https://www.openssl.org/about/secpolicy.html
+

