
OpenSSL Update Released for "Alternative chains certificate forgery" Vulnerability

07.09.15, 03:34 PM
Zachariah Boren

07.08.15 10:00 PM

Websense® Security Labs™ have, since Monday 6 July, been looking out for details of an anticipated release to the OpenSSL open source toolkit for SSL/TLS.



Today (9 July 2015) the OpenSSL Project released an update to the popular toolkit, detailed in the Security Advisory available here: https://www.openssl.org/news/secadv_20150709.txt









The advisory details an implementation error in the logic around certificate chains. The so-called "Alternative chains certificate forgery" issue permits an attacker to bypass certain checks, enabling them to use a valid leaf certificate to act as a CA (Certificate Authority) and generate certificates.


The issue has been assigned CVE-2015-1793 and is classified as "High" severity.



If you are using one of the affected versions of OpenSSL (1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o), we encourage you to consider upgrading to the latest version of OpenSSL, if applicable to your environment and deployment. The availability details and release notes for OpenSSL v1.0.2d (for example) can be found here: https://mta.openssl.org/pipermail/op...ly/000039.html



The advance warning of a forthcoming release was made on 6 July 2015. That is archived here: https://mta.openssl.org/pipermail/op...ly/000037.html

It is recommended that users of OpenSSL, and similar toolkits, adopt a process to monitor for such notifications and build a patch management process suitable for their needs.






http://community.websense.com/blogs/...erability.aspx
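
As an added example (not part of the original post or of OpenSSL), the version check recommended above can be run over a host inventory of `openssl version` banners. The host names and sample banners are constructed, the function names are hypothetical, and the 1.0.1p fix release is taken from the linked OpenSSL advisory rather than from the post.

```python
import re
import ssl

# Affected releases as listed in the post, mapped to the fixed release of the
# same branch. 1.0.2d is named in the post; 1.0.1p comes from the linked
# OpenSSL advisory of 9 July 2015.
AFFECTED = {"1.0.2b": "1.0.2d", "1.0.2c": "1.0.2d",
            "1.0.1n": "1.0.1p", "1.0.1o": "1.0.1p"}

# Version token of an `openssl version` banner; a build suffix such as
# "-fips" is matched but left out of the captured version.
BANNER = re.compile(r"\bOpenSSL\s+(\d+\.\d+\.\d+[a-z]*)(?:-\S+)?")

def triage(banner):
    """Return (version, status, upgrade_to) for one banner string."""
    m = BANNER.search(banner)
    if not m:
        return (None, "unparsed", None)      # not OpenSSL, or unknown format
    version = m.group(1)
    if version in AFFECTED:
        return (version, "affected", AFFECTED[version])
    return (version, "not-listed", None)     # outside the four listed releases

def triage_inventory(text):
    """Triage 'host<TAB>banner' records; returns {host: triage result}."""
    results = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, _, banner = line.partition("\t")
        results[host.strip()] = triage(banner)
    return results

def triage_runtime():
    """Triage the OpenSSL build this Python interpreter is linked against."""
    return triage(ssl.OPENSSL_VERSION)

# Constructed sample inventory (hypothetical hosts), not data from the post.
SAMPLE = ("web01\tOpenSSL 1.0.2c 12 Jun 2015\n"
          "web02\tOpenSSL 1.0.2d 9 Jul 2015\n"
          "vpn01\tOpenSSL 1.0.1o-fips 12 Jun 2015\n"
          "db01\tOpenSSL 1.0.1e-fips 11 Feb 2013\n"
          "mail01\tLibreSSL 2.2.0\n")

if __name__ == "__main__":
    for host, (ver, status, fix) in sorted(triage_inventory(SAMPLE).items()):
        print(host, ver, status, fix or "-")
    print("this interpreter:", triage_runtime())
```

A "not-listed" result only means the banner is not one of the four releases named above; applications that bundle or statically link their own OpenSSL copy need to be checked separately from the system binary.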