Patch for Critical OpenSSL Certificate Validation Bug Released

July 9, 2015—OpenSSL released an update for a critical certificate validation vulnerability (CVE-2015-1793). The error is in “the implementation of the alternative certificate chain logic.” A malicious user can exploit this flaw to bypass checks such as the CA flag, and then act as a “CA” to issue valid leaf certificates for otherwise untrusted sites.

This bug affects OpenSSL 1.0.1 and 1.0.2. It was reported by Google researcher Adam Langley and David Benjamin of BoringSSL. You can read the original advisory here.

The flaw was introduced in the June 11 OpenSSL release. This means that the only systems affected are those that installed the June 11 update.

If you think your system is affected, download the latest version of OpenSSL.
