To wit: OpenSSL Security Advisory [9 Jul 2015] ====================================== Alternative chains certificate forgery (CVE-2015-1793) ===================================================== Severity: High During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication. This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p This issue was reported to OpenSSL on 24th June 2015 by Adam Langley/David Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project. Note === As per our previous announcements and our Release Strategy (https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these releases will be provided after that date. Users of these releases are advised to upgrade. References ========= URL for this Security Advisory: https://www.openssl.org/news/secadv_20150709.txt Note: the online version of the advisory may be updated with additional details over time. For details of OpenSSL severity classifications please see: https://www.openssl.org/about/secpolicy.html -----Original Message----- From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Valeri Galtsev Sent: Thursday, July 09, 2015 8:53 AM To: CentOS mailing list Subject: [CentOS] Openssl security patch Just heads up everybody, there is new security patch of openssl: https://www.openssl.org/news/ so we can expect patched openssl from upstream vendor shortly. Valeri ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++ _______________________________________________ CentOS mailing list CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos
On 09.07.2015 16:03, Robert Wolfe wrote:> To wit: > > OpenSSL Security Advisory [9 Jul 2015] > ======================================> > Alternative chains certificate forgery (CVE-2015-1793) > =====================================================> > Severity: High > > During certificate verification, OpenSSL (starting from version 1.0.1n and > 1.0.2b) will attempt to find an alternative certificate chain if the first > attempt to build such a chain fails. An error in the implementation of this > logic can mean that an attacker could cause certain checks on untrusted > certificates to be bypassed, such as the CA flag, enabling them to use a valid > leaf certificate to act as a CA and "issue" an invalid certificate. > > This issue will impact any application that verifies certificates including > SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication. > > This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. > > OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d > OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p > > This issue was reported to OpenSSL on 24th June 2015 by Adam Langley/David > Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project. > > Note > ===> > As per our previous announcements and our Release Strategy > (https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions > 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these > releases will be provided after that date. Users of these releases are advised > to upgrade. > > References > =========> > URL for this Security Advisory: > https://www.openssl.org/news/secadv_20150709.txt > > Note: the online version of the advisory may be updated with additional > details over time. > > For details of OpenSSL severity classifications please see: > https://www.openssl.org/about/secpolicy.html > > -----Original Message----- > From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Valeri Galtsev > Sent: Thursday, July 09, 2015 8:53 AM > To: CentOS mailing list > Subject: [CentOS] Openssl security patch > > Just heads up everybody, > > there is new security patch of openssl: > > https://www.openssl.org/news/ > > so we can expect patched openssl from upstream vendor shortly. > > Valeri > > ++++++++++++++++++++++++++++++++++++++++ > Valeri Galtsev > Sr System Administrator > Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago > Phone: 773-702-4247 > ++++++++++++++++++++++++++++++++++++++++ >And according to Redhat (BZ#1238619): Not vulnerable. This issue does not affect any version of the OpenSSL package as shipped with Red Hat Enterprise Linux 4, 5, 6 and 7, JBoss Enterprise Application Platform 6, and JBoss Enterprise Web Server 1 and 2 because they did not include support for alternative certificate chains. -- Lobster SCM GmbH, Hindenburgstra?e 15, D-82343 P?cking HRB 178831, Amtsgericht M?nchen Gesch?ftsf?hrer: Dr. Martin Fischer, Rolf Henrich
Yep, saw that. -----Original Message----- From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Patrick Hurrelmann Sent: Thursday, July 09, 2015 9:09 AM To: centos at centos.org Subject: Re: [CentOS] Openssl security patch [...] And according to Redhat (BZ#1238619): Not vulnerable. This issue does not affect any version of the OpenSSL package as shipped with Red Hat Enterprise Linux 4, 5, 6 and 7, JBoss Enterprise Application Platform 6, and JBoss Enterprise Web Server 1 and 2 because they did not include support for alternative certificate chains. -- Lobster SCM GmbH, Hindenburgstra?e 15, D-82343 P?cking HRB 178831, Amtsgericht M?nchen Gesch?ftsf?hrer: Dr. Martin Fischer, Rolf Henrich _______________________________________________ CentOS mailing list CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos