topic Security Advisory for OpenSSL 1.0.1n+ / 1.0.2b+ in Integration and Testing https://community.developer.cybersource.com/t5/Integration-and-Testing/Security-Advisory-for-OpenSSL-1-0-1n-1-0-2b/m-p/51354#M26721 <P>"During certificate verification, OpenSSL (starting from version 1.0.1n and<BR />1.0.2b) will attempt to find an alternative certificate chain if the first<BR />attempt to build such a chain fails. An error in the implementation of this<BR />logic can mean that an attacker could cause certain checks on untrusted<BR />certificates to be bypassed, such as the CA flag, enabling them to use a valid<BR />leaf certificate to act as a CA and "issue" an invalid certificate.<BR /><BR />"This issue will impact any application that verifies certificates including<BR />SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.<BR /><BR />"This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.<BR /><BR />"OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d<BR />"OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p"</P> <P>&nbsp;</P> <P>Source: <A href="https://www.openssl.org/news/secadv_20150709.txt" target="_blank">https://www.openssl.org/news/secadv_20150709.txt</A></P> Thu, 09 Jul 2015 16:21:57 GMT Lilith 2015-07-09T16:21:57Z Security Advisory for OpenSSL 1.0.1n+ / 1.0.2b+ https://community.developer.cybersource.com/t5/Integration-and-Testing/Security-Advisory-for-OpenSSL-1-0-1n-1-0-2b/m-p/51354#M26721 <P>"During certificate verification, OpenSSL (starting from version 1.0.1n and<BR />1.0.2b) will attempt to find an alternative certificate chain if the first<BR />attempt to build such a chain fails. An error in the implementation of this<BR />logic can mean that an attacker could cause certain checks on untrusted<BR />certificates to be bypassed, such as the CA flag, enabling them to use a valid<BR />leaf certificate to act as a CA and "issue" an invalid certificate.<BR /><BR />"This issue will impact any application that verifies certificates including<BR />SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.<BR /><BR />"This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.<BR /><BR />"OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d<BR />"OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p"</P> <P>&nbsp;</P> <P>Source: <A href="https://www.openssl.org/news/secadv_20150709.txt" target="_blank">https://www.openssl.org/news/secadv_20150709.txt</A></P> Thu, 09 Jul 2015 16:21:57 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/Security-Advisory-for-OpenSSL-1-0-1n-1-0-2b/m-p/51354#M26721 Lilith 2015-07-09T16:21:57Z