
CVE-2015-1793

Published: 9 July 2015

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.

Notes

Author: mdeslaur
Note: introduced by the following commit in 1.0.2b and 1.0.1n:
https://git.openssl.org/?p=openssl.git;a=commit;h=6281abc79623419eae6a64768c478272d5d3a426

Priority

Medium

CVSS 3 base score: 6.5

Status

Package: openssl (Launchpad, Ubuntu, Debian)

Release   Status
upstream  Needs triage
precise   Not vulnerable (1.0.1-4ubuntu5.31)
trusty    Not vulnerable (1.0.1f-1ubuntu2.15)
utopic    Not vulnerable (1.0.1f-1ubuntu9.8)
vivid     Not vulnerable (1.0.1f-1ubuntu11.4)

Package: openssl098 (Launchpad, Ubuntu, Debian)

Release   Status
upstream  Needs triage
precise   Not vulnerable
trusty    Does not exist (trusty was not-affected)
utopic    Not vulnerable
vivid     Not vulnerable