[security-announce] OpenSSL: Security update

Sona Sarmadi sona.sarmadi at enea.com
Tue Sep 8 08:14:15 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

	Enea Linux Security Advisory

=========================================================
Product/package: Enea-Linux-5.0-beta-m400/ openssl 1.0.1
Severity: Important
CVE Name: CVE-2015-1793
=========================================================
This security update upgrades openssl 1.0.1o to openssl 1.0.1p
to address the following vulnerability:

CVE-2015-1793 Alternative chains certificate forgery

Signed patch and README files
=============================
0032-openssl-upgrade-to-1.0.1p-CVE-2015-1793.README.asc
0032-openssl-upgrade-to-1.0.1p-CVE-2015-1793.patch
0032-openssl-upgrade-to-1.0.1p-CVE-2015-1793.patch.sig

Descriptions
============
During certificate verification, OpenSSL (starting from version 1.0.1n
and 1.0.2b) will attempt to find an alternative certificate chain if
the first attempt to build such a chain fails. An error in the
implementation of this logic can mean that an attacker could cause
certain checks on untrusted certificates to be bypassed, such as the
CA flag, enabling them to use a valid leaf certificate to act as a CA
and "issue" an invalid certificate.

This issue will impact any application that verifies certificates,
including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client
authentication.
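The first thing an operator needs after reading the description above is an inventory check: which hosts run an OpenSSL patch level inside the affected range. The following script is an added example written for this advisory, not Enea's or the OpenSSL project's code. It parses OpenSSL's letter-suffixed version strings (as printed by `openssl version`) and classifies them using only the version facts stated in this advisory: the alternative-chain logic appeared in 1.0.1n and 1.0.2b, and this update moves 1.0.1o to 1.0.1p. The advisory does not name the 1.0.2 fix release, so 1.0.2b and later are reported as "check-vendor" rather than guessed. The host names and inventory lines are constructed sample data.

```python
import re

# Release branch -> (first affected patch letter, first fixed patch letter).
# Values come from this advisory: alternative-chain verification appeared in
# 1.0.1n and 1.0.2b, and the update here moves 1.0.1o to 1.0.1p. The 1.0.2
# fix release is not stated in this advisory, so its upper bound is None.
AFFECTED_RANGES = {
    (1, 0, 1): ("n", "p"),
    (1, 0, 2): ("b", None),
}

# Matches '1.0.1o', '0.9.8zg', or the version inside 'OpenSSL 1.0.1o 12 Jun 2015'.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return ((major, minor, fix), letters) from a bare version string or
    from an `openssl version` output line."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    branch = tuple(int(part) for part in match.group(1, 2, 3))
    return branch, match.group(4)


def patch_key(letters):
    """Sort key for OpenSSL patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(letters), letters)


def assess(version_text):
    """Classify a version string against this advisory.

    Returns one of:
      'affected'      - inside the range this advisory describes
      'fixed'         - at or past the fix release named for that branch
      'not-affected'  - branch or patch level before the alternative-chain code
      'check-vendor'  - 1.0.2b or later; fix release not given in this advisory
    """
    branch, letters = parse_openssl_version(version_text)
    bounds = AFFECTED_RANGES.get(branch)
    if bounds is None:
        return "not-affected"
    first_bad, first_fixed = bounds
    if patch_key(letters) < patch_key(first_bad):
        return "not-affected"
    if first_fixed is None:
        return "check-vendor"
    if patch_key(letters) >= patch_key(first_fixed):
        return "fixed"
    return "affected"


def scan_inventory(lines):
    """Run assess() over inventory lines of the form
    '<host> <openssl version output>' and return {host: verdict}."""
    results = {}
    for line in lines:
        host, _, version_output = line.partition(" ")
        results[host] = assess(version_output)
    return results


# Constructed sample inventory (hypothetical hosts); each line pairs a host
# name with the text that `openssl version` prints on it.
SAMPLE_INVENTORY = [
    "build-01 OpenSSL 1.0.1o 12 Jun 2015",
    "build-02 OpenSSL 1.0.1p 9 Jul 2015",
    "build-03 OpenSSL 1.0.1m 19 Mar 2015",
    "build-04 OpenSSL 1.0.2c 12 Jun 2015",
    "build-05 OpenSSL 1.0.0s 11 Jun 2015",
]

if __name__ == "__main__":
    for host, verdict in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Feed it real data by collecting `openssl version` output per host into lines of the same shape. Note that the check is by upstream version string only: a vendor build that backports the fix without bumping the letter will still be reported as affected, which is the conservative direction for an inventory pass.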


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793
https://www.openssl.org/news/secadv/20150709.txt

How to apply the patches
========================
 - Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget https://linux.enea.com/5.0-beta-m400/\
Enea-Linux-5.0-beta-m400.tar.gz
tar zxf Enea-Linux-5.0-beta-m400.tar.gz
cd Enea-Linux-5.0-beta-m400/poky
<Fetch and apply the existing patches>

 - Fetch, verify and apply the new patch
wget https://linux.enea.com/5.0-beta-m400/\
patches/0032-openssl-upgrade-to-1.0.1p-CVE-2015-1793.patch
wget https://linux.enea.com/5.0-beta-m400/\
patches/0032-openssl-upgrade-to-1.0.1p-CVE-2015-1793.patch.sig
gpg --verify 0032-openssl-upgrade-to-1.0.1p-CVE-2015-1793.patch.sig
patch -p1 < ./0032-openssl-upgrade-to-1.0.1p-CVE-2015-1793.patch

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJV7ny3AAoJEHc+9u9ocWoUFsgQAKLN1I6aWXWrcJ+OQ016ugk3
YDOVMtqiSanucUuA0TBpUAdiTeJh9Y57BnuKrzl/RPLO6BUR093EudjJfdcmRB3Z
NG9kCO7Pc1OMBfQh+8UX/h38N7DU0CYIsXPUTyjkXPJwv0bG//qdvsNpZWNT4rap
XRp0889drHRCcjzA7xsuyMJqxhSHO0Lfb2RWeSWTjRs1wkjYqGF6IgcKynYY3EPZ
hlNPBOCUdBanciA3DYsSfVESJyCWKCpA8nYLZvZWLVRQG9ohgJyBqpON9CDUiA3n
CcIRD/hkRJ7KGqBxZ565ZxMrh8LhOCz2/M8Lmqa/+Vnmtp2K4axf5m0HLt9fQZwq
B1/EX9stkkOBZ97bXEL8ZicDv5GXErVrL//bg2PHQPvkbXlvXCXyiDDX6+8+WV8Y
nE7lM7fXTB86LgNVH34XwMOpINnN/vcLbL1JKv/pEvc095E50gTuHdG/MvH7oTxB
x+UwweOO4HPK/eME4jaC3weOFOBR337kSjpd87/lAKZVa7ZHPVKQBVaS6JAyPjpo
UN53O36MTZ4f5EO9f46iII+b7lTMIBEHnzdgk4L9DqPijG8evE47MLEX6BlGS1Pf
CCImZPoQtgO7atP01EgygyqCWavmqp7F88hWeByAy+Bt3TlSXqow+vqRuUuB+DzO
3KKUrecN97a92lwM/DNm
=Cy8Y
-----END PGP SIGNATURE-----


