[CentOS] Openssl security patch

Thu Jul 9 14:09:03 UTC 2015
Patrick Hurrelmann <patrick.hurrelmann at lobster.de>

On 09.07.2015 16:03, Robert Wolfe wrote:
> To wit:
>
> OpenSSL Security Advisory [9 Jul 2015]
> =======================================
>
> Alternative chains certificate forgery (CVE-2015-1793)
> ======================================================
>
> Severity: High
>
> During certificate verification, OpenSSL (starting from version 1.0.1n and
> 1.0.2b) will attempt to find an alternative certificate chain if the first
> attempt to build such a chain fails. An error in the implementation of this
> logic can mean that an attacker could cause certain checks on untrusted
> certificates to be bypassed, such as the CA flag, enabling them to use a valid
> leaf certificate to act as a CA and "issue" an invalid certificate.
>
> This issue will impact any application that verifies certificates including
> SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.
>
> This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
>
> OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
> OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p
>
> This issue was reported to OpenSSL on 24th June 2015 by Adam Langley/David
> Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project.
>
> Note
> ====
>
> As per our previous announcements and our Release Strategy
> (https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
> 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
> releases will be provided after that date. Users of these releases are advised
> to upgrade.
>
> References
> ==========
>
> URL for this Security Advisory:
> https://www.openssl.org/news/secadv_20150709.txt
>
> Note: the online version of the advisory may be updated with additional
> details over time.
>
> For details of OpenSSL severity classifications please see:
> https://www.openssl.org/about/secpolicy.html
>
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Valeri Galtsev
> Sent: Thursday, July 09, 2015 8:53 AM
> To: CentOS mailing list
> Subject: [CentOS] Openssl security patch
>
> Just a heads up, everybody,
>
> there is a new security patch for openssl:
>
> https://www.openssl.org/news/
>
> so we can expect patched openssl from upstream vendor shortly.
>
> Valeri
>
> ++++++++++++++++++++++++++++++++++++++++
> Valeri Galtsev
> Sr System Administrator
> Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago
> Phone: 773-702-4247
> ++++++++++++++++++++++++++++++++++++++++
>
And according to Red Hat (BZ#1238619):

Not vulnerable. This issue does not affect any version of the OpenSSL package as
shipped with Red Hat Enterprise Linux 4, 5, 6 and 7, JBoss Enterprise Application
Platform 6, and JBoss Enterprise Web Server 1 and 2 because they did not include
support for alternative certificate chains.

-- 
Lobster SCM GmbH, Hindenburgstraße 15, D-82343 Pöcking
HRB 178831, Amtsgericht München
Geschäftsführer: Dr. Martin Fischer, Rolf Henrich
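As an added example that is not part of this thread: a POSIX shell function that classifies an OpenSSL version string against the ranges stated in the quoted advisory (affected 1.0.1n/o and 1.0.2b/c, fixed in 1.0.1p and 1.0.2d, earlier releases never had the alternative-chain code). The `installed_openssl_status` helper and its parsing of `openssl version` output are my own assumptions; the caveat in the comments is the point the Red Hat note above makes, that a vendor package can lack the feature or carry a backported fix while keeping an older version string, so the version alone is not authoritative.

```shell
#!/bin/sh
# Classify an upstream OpenSSL version string for CVE-2015-1793 using only the
# ranges given in the advisory:
#   1.0.1n, 1.0.1o, 1.0.2b, 1.0.2c  -> affected
#   1.0.1p and later, 1.0.2d and later -> fixed
#   anything older in those series, and every other series -> not-affected
# Prints one of: affected, fixed, not-affected.
# Caveat (see the Red Hat statement in the thread): distribution packages such as
# RHEL's 1.0.1e carry backports, so consult the vendor advisory as well.

ord() { printf '%d' "'$1"; }   # ASCII code of a single character (POSIX printf)

cve_2015_1793_status() {
    v="$1"
    # Split "1.0.1n-fips" into the numeric base "1.0.1" and the patch letter "n".
    base=$(printf '%s' "$v" | sed 's/^\([0-9][0-9.]*\).*$/\1/')
    letter=$(printf '%s' "$v" | sed 's/^[0-9.]*\([a-z]*\).*$/\1/')
    case "$base" in
        1.0.1) first=n; fixed=p ;;   # alt-chain code introduced in n, fixed in p
        1.0.2) first=b; fixed=d ;;   # alt-chain code introduced in b, fixed in d
        *) echo not-affected; return 0 ;;  # 1.0.0, 0.9.8, 1.1.x: not listed
    esac
    # A bare "1.0.2" (no letter) predates 1.0.2b, so it never had the code.
    if [ -z "$letter" ]; then
        echo not-affected; return 0
    fi
    l=$(ord "$letter"); f=$(ord "$first"); x=$(ord "$fixed")
    if [ "$l" -lt "$f" ]; then
        echo not-affected
    elif [ "$l" -lt "$x" ]; then
        echo affected
    else
        echo fixed
    fi
}

# Assumed helper: classify the locally installed binary. "openssl version"
# prints e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013"; the second field is the version.
installed_openssl_status() {
    cve_2015_1793_status "$(openssl version | awk '{print $2}')"
}
```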