[openssl-users] [openssl-announce] OpenSSL Security Advisory
jb-openssl at wisemo.com
Thu Jul 9 21:46:45 UTC 2015
On 09/07/2015 15:10, OpenSSL wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> OpenSSL Security Advisory [9 Jul 2015]
> Alternative chains certificate forgery (CVE-2015-1793)
> Severity: High
> During certificate verification, OpenSSL (starting from version 1.0.1n and
> 1.0.2b) will attempt to find an alternative certificate chain if the first
> attempt to build such a chain fails. An error in the implementation of this
> logic can mean that an attacker could cause certain checks on untrusted
> certificates to be bypassed, such as the CA flag, enabling them to use a valid
> leaf certificate to act as a CA and "issue" an invalid certificate.

Why was this introduced in a patch release? I thought
improved chain building was a new feature, and thus
delineated by a library version number such as 1.0.2 or
1.0.3. In fact, I thought that was the reason we all
had to wait ages before this long standing shortcoming

> This issue will impact any application that verifies certificates including
> SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.

Does this vulnerability also affect applications that
use OpenSSL or the openssl command line to handle S/MIME
or other CMS messages?

For example, the mail client mutt handles S/MIME by
invoking the openssl command line via macros in the
default configuration file.

Sorry for first trying to send to -announce, MUA must
have ignored the Reply-To.

Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
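
Added example, not part of the original message or the advisory: a shell check that the installed `openssl` command line enforces the CA flag on an untrusted intermediate, the check the advisory says could be bypassed. It builds a constructed throwaway PKI; the function name `leaf_as_ca_rejected` and all file names are assumptions, and it exercises the ordinary chain path rather than the alternative-chain logic itself.

```shell
# Constructed throwaway PKI: root CA -> leaf (CA:FALSE) -> cert "issued" by the leaf.
# Returns 0 if openssl accepts the leaf and rejects the leaf-issued cert,
# 1 if the leaf-issued cert verifies, 2 on setup failure, 3 if the control fails.
leaf_as_ca_rejected() {
  command -v openssl >/dev/null 2>&1 || return 2
  d=$(mktemp -d) || return 2
  rc=0
  (
    cd "$d" || exit 2
    # Minimal config so the check does not depend on the system openssl.cnf.
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = critical,CA:FALSE
EOF
    newreq() { # newreq NAME: fresh RSA key and CSR with subject CN=NAME
      openssl req -newkey rsa:2048 -nodes -config pki.cnf \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    }
    sign() { # sign NAME ISSUER: issue NAME.pem (CA:FALSE) under ISSUER's key
      openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -extfile pki.cnf -extensions leaf_ext \
        -days 2 -out "$1.pem" 2>/dev/null
    }
    openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf \
      -extensions ca_ext -subj "/CN=Test Root" -days 2 \
      -keyout root.key -out root.pem 2>/dev/null || exit 2
    newreq leaf && sign leaf root || exit 2
    newreq forged && sign forged leaf || exit 2
    # Control: the genuine leaf must verify against the root.
    openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1 || exit 3
    # The leaf is supplied as an untrusted intermediate; verification must fail.
    if openssl verify -CAfile root.pem -untrusted leaf.pem forged.pem \
         >/dev/null 2>&1; then
      exit 1
    fi
    exit 0
  ) || rc=$?
  rm -rf "$d"
  return "$rc"
}
```

Call `leaf_as_ca_rejected` and inspect the exit status; a status of 1 means the leaf-issued certificate was accepted.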