[gentoo-announce] [ GLSA 201507-15 ] OpenSSL: Alternate chains certificate forgery - gentoo-announce

From:	Kristian Fiskerstrand <k_f@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 201507-15 ] OpenSSL: Alternate chains certificate forgery
Date:	Fri, 10 Jul 2015 13:09:45
Message-Id:	`559FC2B4.4090909@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201507-15

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: OpenSSL: Alternate chains certificate forgery

9

     Date: July 10, 2015

10

     Bugs: #554172

11

       ID: 201507-15

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Certain checks on untrusted certificates can be bypassed.

19

20

Background

21

==========

22

23

OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer

24

(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general

25

purpose cryptography library.

26

27

Affected packages

28

=================

29

30

    -------------------------------------------------------------------

31

     Package              /     Vulnerable     /            Unaffected

32

    -------------------------------------------------------------------

33

  1  dev-libs/openssl             < 1.0.1p                  >= 1.0.1p

34

35

Description

36

===========

37

38

During certificate verification, OpenSSL attempts to find an

39

alternative certificate chain if the first attempt to build such a

40

chain fails.

41

42

Impact

43

======

44

45

A remote attacker could cause certain checks on untrusted

46

certificates to be bypassed, such as the CA flag, enabling them to use

47

a valid leaf certificate to act as a CA and "issue" an invalid

48

certificate.

49

50

Workaround

51

==========

52

53

There is no known workaround at this time.

54

55

Resolution

56

==========

57

58

All OpenSSL users should upgrade to the latest version:

59

60

  # emerge --sync

61

  # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.1p"

62

63

References

64

==========

65

66

[ 1 ] CVE-2015-1793

67

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1793

68

69

Availability

70

============

71

72

This GLSA and any updates to it are available for viewing at

73

the Gentoo Security Website:

74

75

 https://security.gentoo.org/glsa/201507-15

76

77

Concerns?

78

=========

79

80

Security is a primary focus of Gentoo Linux and ensuring the

81

confidentiality and security of our users' machines is of utmost

82

importance to us. Any security concerns should be addressed to

83

security@g.o or alternatively, you may file a bug at

84

https://bugs.gentoo.org.

85

86

License

87

=======

88

89

Copyright 2015 Gentoo Foundation, Inc; referenced text

90

belongs to its owner(s).

91

92

The contents of this document are licensed under the

93

Creative Commons - Attribution / Share Alike license.

94

95

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201507-15
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: OpenSSL: Alternate chains certificate forgery
9	Date: July 10, 2015
10	Bugs: #554172
11	ID: 201507-15
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Certain checks on untrusted certificates can be bypassed.
19
20	Background
21	==========
22
23	OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
24	(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
25	purpose cryptography library.
26
27	Affected packages
28	=================
29
30	-------------------------------------------------------------------
31	Package / Vulnerable / Unaffected
32	-------------------------------------------------------------------
33	1 dev-libs/openssl < 1.0.1p >= 1.0.1p
34
35	Description
36	===========
37
38	During certificate verification, OpenSSL attempts to find an
39	alternative certificate chain if the first attempt to build such a
40	chain fails.
41
42	Impact
43	======
44
45	A remote attacker could cause certain checks on untrusted
46	certificates to be bypassed, such as the CA flag, enabling them to use
47	a valid leaf certificate to act as a CA and "issue" an invalid
48	certificate.
49
50	Workaround
51	==========
52
53	There is no known workaround at this time.
54
55	Resolution
56	==========
57
58	All OpenSSL users should upgrade to the latest version:
59
60	# emerge --sync
61	# emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.1p"
62
63	References
64	==========
65
66	[ 1 ] CVE-2015-1793
67	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1793
68
69	Availability
70	============
71
72	This GLSA and any updates to it are available for viewing at
73	the Gentoo Security Website:
74
75	https://security.gentoo.org/glsa/201507-15
76
77	Concerns?
78	=========
79
80	Security is a primary focus of Gentoo Linux and ensuring the
81	confidentiality and security of our users' machines is of utmost
82	importance to us. Any security concerns should be addressed to
83	security@g.o or alternatively, you may file a bug at
84	https://bugs.gentoo.org.
85
86	License
87	=======
88
89	Copyright 2015 Gentoo Foundation, Inc; referenced text
90	belongs to its owner(s).
91
92	The contents of this document are licensed under the
93	Creative Commons - Attribution / Share Alike license.
94
95	http://creativecommons.org/licenses/by-sa/2.5