[security-announce] OpenSSL: Security update

Tudor Florea tudor.florea at enea.com
Fri Jul 10 00:44:14 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL: Security update
=========================================================
Product/package: Enea-Linux-4.0 / openssl 1.0.1
CVE Name: CVE-2015-1793
=========================================================
This security update upgrades openssl 1.0.1o to openssl 1.0.1p
to address the following vulnerability:

CVE-2015-1793 Alternative chains certificate forgery

Signed patch and README files
================================
0090-openssl-Upgrade-to-1.0.1p-CVE-2015-1793.README.asc
0090-openssl-Upgrade-to-1.0.1p-CVE-2015-1793.patch.asc

Descriptions
============
During certificate verification, OpenSSL (starting from version 1.0.1n
and 1.0.2b) will attempt to find an alternative certificate chain if
the first attempt to build such a chain fails. An error in the
implementation of this logic can mean that an attacker could cause
certain checks on untrusted certificates to be bypassed, such as the
CA flag, enabling them to use a valid leaf certificate to act as a CA
and "issue" an invalid certificate.
This issue will impact any application that verifies certificates
including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client
authentication.
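The following is an added example, not OpenSSL's or Enea's code, that models the bookkeeping error behind this CVE: the chain builder keeps a count of how many certificates at the bottom of the chain came from the peer (untrusted) rather than from the trust store, and only those are later checked for the CA flag. When the first attempt dead-ends and the alternative-chain search trims the chain, the 1.0.1n/1.0.1o logic decremented that count once per popped certificate, including popped trust-store certificates, so a genuine leaf could end up counted as "trusted" and skip the CA-flag check; the 1.0.1p fix recounts from the trimmed chain instead. Certificates here are plain records with name-based issuer matching and no signatures, and every name and the trust-store layout (a root plus a cross-signed intermediate whose own root is not installed) are constructed for the demonstration.

```python
"""Toy model of alternative-chain bookkeeping (CVE-2015-1793). Not OpenSSL code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool  # basicConstraints CA flag


def find_issuer(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    """Name-only issuer match: chain building happens before signatures are checked."""
    for cand in pool:
        if cand.subject == cert.issuer and cand != cert:
            return cand
    return None


def self_signed(cert: Cert) -> bool:
    return cert.subject == cert.issuer


def build_chain(leaf: Cert, untrusted: List[Cert], trusted: List[Cert],
                fixed: bool) -> Tuple[List[Cert], int, bool]:
    """Build leaf -> anchor. Returns (chain, last_untrusted, reached_anchor).

    last_untrusted = number of peer-supplied certs at the bottom of the chain;
    only those get the CA-flag check later. `fixed` selects how the count is
    maintained when the alternative-chain search trims the first attempt.
    """
    chain = [leaf]
    # Phase 1: extend with peer-supplied (untrusted) certificates.
    while not self_signed(chain[-1]):
        nxt = find_issuer(chain[-1], untrusted)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    last_untrusted = len(chain)

    for attempt in range(2):
        # Phase 2: extend into the trust store until a self-signed anchor.
        while not self_signed(chain[-1]):
            nxt = find_issuer(chain[-1], trusted)
            if nxt is None:
                break
            chain.append(nxt)
        if self_signed(chain[-1]) and chain[-1] in trusted:
            return chain, last_untrusted, True
        if attempt == 1:
            break
        # Alternative chain: walk down the untrusted part for a cert the trust
        # store can issue directly, then drop everything above it and retry.
        j, found = last_untrusted, False
        while j > 1:
            j -= 1
            if find_issuer(chain[j - 1], trusted) is not None:
                while len(chain) > j:
                    chain.pop()
                    if not fixed:
                        # 1.0.1n/o behaviour: one decrement per popped cert,
                        # even when the popped cert came from the trust store.
                        last_untrusted -= 1
                if fixed:
                    # 1.0.1p behaviour: recount from what is left in the chain.
                    last_untrusted = len(chain)
                found = True
                break
        if not found:
            break
    return chain, last_untrusted, False


def check_chain_extensions(chain: List[Cert], last_untrusted: int) -> str:
    """Untrusted certs above the leaf must carry the CA flag; certs at index
    >= last_untrusted are treated as trusted and skipped."""
    for i in range(1, last_untrusted):
        if not chain[i].is_ca:
            return f"INVALID_CA at depth {i} ({chain[i].subject})"
    return "ok"


def verify(leaf: Cert, untrusted: List[Cert], trusted: List[Cert], fixed: bool) -> str:
    chain, last_untrusted, anchored = build_chain(leaf, untrusted, trusted, fixed)
    if not anchored:
        return "UNABLE_TO_GET_ISSUER_CERT"
    return check_chain_extensions(chain, last_untrusted)


# Constructed scenario (all names made up). The store holds a root plus a
# cross-signed intermediate whose own root is absent; the attacker owns a
# genuine end-entity cert (CA flag false) issued by that root.
ROOT_CA = Cert("Example Root CA", "Example Root CA", True)
INTER_A = Cert("Example Intermediate A", "Absent Root", True)
TRUSTED = [ROOT_CA, INTER_A]

LEAF = Cert("www.example.test", "Example Root CA", False)        # attacker's real cert
FORGED = Cert("login.example.test", "www.example.test", False)  # "issued" with LEAF's key
DECOY = Cert("Example Root CA", "Example Intermediate A", True)  # reuses the root's name
UNTRUSTED = [LEAF, DECOY]  # sent by the attacker alongside FORGED

if __name__ == "__main__":
    print("1.0.1o-style:", verify(FORGED, UNTRUSTED, TRUSTED, fixed=False))
    print("1.0.1p-style:", verify(FORGED, UNTRUSTED, TRUSTED, fixed=True))
```

The model leaves out signature verification deliberately: in the attack the peer holds the leaf's private key, so a signature pass over the trimmed chain (forged cert, leaf, root) succeeds, and the CA-flag check on the leaf is the only thing that rejects the forgery. Both variants accept a plain `verify(LEAF, [], TRUSTED, ...)` chain; they differ only on the forged one, where the unfixed count drops to 1 and the leaf is never examined.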


Severity: High

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793
https://www.openssl.org/news/secadv_20150709.txt

How to apply the patches
========================
 - Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget https://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches >

 - Fetch the new patch, check its PGP signature against the Enea signing key, then apply it
wget https://linux.enea.com/4.0/patches/\
0090-openssl-Upgrade-to-1.0.1p-CVE-2015-1793.patch.asc
patch -p1 < ./0090-openssl-Upgrade-to-1.0.1p-CVE-2015-1793.patch.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJVnvk8AAoJEMCI2qnpaXcs4MEH/iO3djHuxiHiB5mfYPZf6dV2
k3PrLHndwB8mGcFKgQrohQ4DQG/3Uj5W4/Yb1n+nuHfMUvSrNtcQiZ8YYhTU9u59
Sswu0u1ncUGZWIsm+qYu7GhKc2wkBwLL+W4vX+osFCJXHLUBZpvCxhwCv5ZuIPQc
Eau2VsuXmWDJSP5nVYPdkhXjViExpf4ZbyC6i4m0crBA/XYalUUYphJw9JFCMNDu
x4x2U9y7TcNjo+ZPh5uERXCNTp9vliYqz1ZVQqWrCO7oBFkIYyM6EtHZR0NYvTsp
c+w/9Hv2iiLNZDy7i227xPCeHWVBWGmGzcnfSyJKIzeO4udlf1ee20jqBNlw0eo=
=8Bk6
-----END PGP SIGNATURE-----