On 09.07.2015 16:03, Robert Wolfe wrote:
> To wit:
>
> OpenSSL Security Advisory [9 Jul 2015]
> =======================================
>
> Alternative chains certificate forgery (CVE-2015-1793)
> ======================================================
>
> Severity: High
>
> During certificate verification, OpenSSL (starting from version 1.0.1n and
> 1.0.2b) will attempt to find an alternative certificate chain if the first
> attempt to build such a chain fails. An error in the implementation of this
> logic can mean that an attacker could cause certain checks on untrusted
> certificates to be bypassed, such as the CA flag, enabling them to use a valid
> leaf certificate to act as a CA and "issue" an invalid certificate.
>
> This issue will impact any application that verifies certificates including
> SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.
>
> This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
>
> OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
> OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p
>
> This issue was reported to OpenSSL on 24th June 2015 by Adam Langley/David
> Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project.
>
> Note
> ====
>
> As per our previous announcements and our Release Strategy
> (https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
> 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
> releases will be provided after that date. Users of these releases are advised
> to upgrade.
>
> References
> ==========
>
> URL for this Security Advisory:
> https://www.openssl.org/news/secadv_20150709.txt
>
> Note: the online version of the advisory may be updated with additional
> details over time.
>
> For details of OpenSSL severity classifications please see:
> https://www.openssl.org/about/secpolicy.html
>
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Valeri Galtsev
> Sent: Thursday, July 09, 2015 8:53 AM
> To: CentOS mailing list
> Subject: [CentOS] Openssl security patch
>
> Just a heads up, everybody,
>
> there is a new security patch for openssl:
>
> https://www.openssl.org/news/
>
> so we can expect a patched openssl from the upstream vendor shortly.
>
> Valeri
>
> ++++++++++++++++++++++++++++++++++++++++
> Valeri Galtsev
> Sr System Administrator
> Department of Astronomy and Astrophysics
> Kavli Institute for Cosmological Physics
> University of Chicago
> Phone: 773-702-4247
> ++++++++++++++++++++++++++++++++++++++++

And according to Redhat (BZ#1238619):

Not vulnerable. This issue does not affect any version of the OpenSSL package
as shipped with Red Hat Enterprise Linux 4, 5, 6 and 7, JBoss Enterprise
Application Platform 6, and JBoss Enterprise Web Server 1 and 2 because they
did not include support for alternative certificate chains.

--
Lobster SCM GmbH, Hindenburgstraße 15, D-82343 Pöcking
HRB 178831, Amtsgericht München
Geschäftsführer: Dr. Martin Fischer, Rolf Henrich
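The advisory quoted above describes a chain builder that, on its alternative-chain path, accepted a certificate as an issuer without checking its CA flag, so the holder of an ordinary leaf certificate could "issue" a certificate for any name. What follows is an added example written for this page; it is not code from the thread, from OpenSSL or from BoringSSL, and it uses Go's crypto/x509 rather than OpenSSL. It builds a constructed three-certificate hierarchy (a trusted root, a genuine CA:FALSE server certificate it issued, and a certificate that the server's private key signs for a different host; all names are invented), then walks the chain twice: once checking signatures only, which is the class of mistake the advisory describes, and once with the basicConstraints/keyUsage check that a correct verifier must apply to every untrusted issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func template(serial int64, cn string, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature, // basicConstraints always present
		DNSNames: []string{cn}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if ca {
		t.KeyUsage, t.DNSNames, t.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, nil
	}
	return t
}

// BuildPKI constructs the example hierarchy (all names invented): a trusted root,
// a legitimate end-entity certificate (CA:FALSE) issued by it, and a certificate
// that the end-entity's private key "issued" for a host name it does not own.
func BuildPKI() (root, leaf, forged *x509.Certificate) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	sign := func(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
	}
	rootKey, leafKey, victimKey := newKey(), newKey(), newKey()
	rootTmpl := template(1, "Example Root CA", true)
	root = sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	leaf = sign(template(2, "www.example.test", false), root, &leafKey.PublicKey, rootKey)
	forged = sign(template(3, "login.example.test", false), leaf, &victimKey.PublicKey, leafKey)
	return root, leaf, forged
}

// findSigner returns the first certificate in pool whose key verifies child's
// ECDSA P-256/SHA-256 signature. It deliberately ignores basicConstraints and keyUsage.
func findSigner(child *x509.Certificate, pool []*x509.Certificate) *x509.Certificate {
	digest := sha256.Sum256(child.RawTBSCertificate)
	for _, p := range pool {
		if pub, ok := p.PublicKey.(*ecdsa.PublicKey); ok && ecdsa.VerifyASN1(pub, digest[:], child.Signature) {
			return p
		}
	}
	return nil
}

// issuerAllowed is the check the faulty alternative-chain path skipped: an untrusted
// issuer must assert CA:TRUE and, if it carries keyUsage, must include keyCertSign.
func issuerAllowed(p *x509.Certificate) error {
	if !p.BasicConstraintsValid || !p.IsCA || (p.KeyUsage != 0 && p.KeyUsage&x509.KeyUsageCertSign == 0) {
		return fmt.Errorf("%q may not issue certificates (CA:FALSE/absent or no keyCertSign)", p.Subject.CommonName)
	}
	return nil
}

// WalkToRoot chains cert through candidates to a trust anchor in roots. With enforceCA=false
// any certificate whose key verifies the signature is accepted as an issuer: the advisory's bug class.
func WalkToRoot(cert *x509.Certificate, candidates, roots []*x509.Certificate, enforceCA bool) ([]*x509.Certificate, error) {
	chain := []*x509.Certificate{cert}
	for len(chain) <= 8 { // bound the walk so a cycle of signatures cannot loop forever
		cur := chain[len(chain)-1]
		if r := findSigner(cur, roots); r != nil { // a trust anchor ends the chain
			return append(chain, r), nil
		}
		next := findSigner(cur, candidates)
		if next == nil {
			return nil, fmt.Errorf("no issuer found for %q", cur.Subject.CommonName)
		}
		if err := issuerAllowed(next); enforceCA && err != nil {
			return nil, err
		}
		chain = append(chain, next)
	}
	return nil, fmt.Errorf("chain too long")
}

func main() {
	root, leaf, forged := BuildPKI()
	_, lax := WalkToRoot(forged, []*x509.Certificate{leaf}, []*x509.Certificate{root}, false)
	_, strict := WalkToRoot(forged, []*x509.Certificate{leaf}, []*x509.Certificate{root}, true)
	fmt.Printf("signature-only walker accepts forgery: %v\nwith CA check: %v\n", lax == nil, strict)
}
```

Run it with `go run` on the file: the signature-only walker reports that the forged certificate chains to the trusted root (every signature in forged -> leaf -> root is valid), while the walker with the CA check stops at the leaf. The same three certificates handed to (*x509.Certificate).Verify, with the root in Roots and the leaf in Intermediates, fail to chain for the same reason, which is the quick cross-check to run against any verifier you depend on: a leaf whose private key you hold must never validate as the issuer of another certificate, however the chain was assembled.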