Advisories » MGASA-2015-0274

Updated openssl package fixes security vulnerability

Publication date: 10 Jul 2015
Modification date: 10 Jul 2015
Type: security
Affected Mageia releases: 4, 5
CVE: CVE-2015-1793

Description

During certificate verification, OpenSSL (starting from versions 1.0.1n and
1.0.2b) will attempt to find an alternative certificate chain if the first
attempt to build such a chain fails. An error in the implementation of
this logic can allow an attacker to cause certain checks on untrusted
certificates, such as the CA flag, to be bypassed, enabling them to use a
valid leaf certificate to act as a CA and "issue" an invalid certificate
(CVE-2015-1793).
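
The check described above, as a simplified model added here for illustration (not OpenSSL's or Mageia's code): every candidate chain, including an alternative found after the first attempt dead-ends, must have the CA flag verified on each issuing certificate. The `Cert` class, the function names and the sample certificates are constructed assumptions; signatures and validity dates are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (no signatures or dates)."""
    subject: str
    issuer: str
    is_ca: bool = False  # basicConstraints CA flag

def candidate_chains(cert, untrusted, trusted, seen=()):
    """Yield each issuer path from cert to a trust anchor, first and alternatives."""
    if cert in seen:  # guard against issuer loops
        return
    for anchor in trusted:
        if anchor.subject == cert.issuer:
            yield [cert, anchor]
    for inter in untrusted:
        if inter.subject == cert.issuer:
            for rest in candidate_chains(inter, untrusted, trusted, seen + (cert,)):
                yield [cert] + rest

def verify(leaf, untrusted, trusted):
    """Return the first chain whose issuers all carry CA=TRUE, else None."""
    for chain in candidate_chains(leaf, untrusted, trusted):
        # Applied to every candidate, including an alternative chain.
        if all(issuer.is_ca for issuer in chain[1:]):
            return chain
    return None

# Constructed sample data: "Int" is cross-signed by two roots, only Root A is trusted.
ROOT_A = Cert("Root A", "Root A", is_ca=True)
INT_VIA_B = Cert("Int", "Root B", is_ca=True)   # first attempt: dead end
INT_VIA_A = Cert("Int", "Root A", is_ca=True)   # alternative chain
LEAF = Cert("www.example.test", "Int")          # valid leaf, CA flag not set
ROGUE = Cert("victim.example.test", "www.example.test")  # "issued" by the leaf

if __name__ == "__main__":
    ok = verify(LEAF, [INT_VIA_B, INT_VIA_A], [ROOT_A])
    print([c.subject for c in ok])
    print(verify(ROGUE, [INT_VIA_B, INT_VIA_A, LEAF], [ROOT_A]))
```

The legitimate leaf validates through the alternative path to Root A, while the certificate "issued" by that leaf is rejected because its issuer lacks the CA flag.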
                

References

SRPMS

4/core

5/core