110 lines
4.4 KiB
Text
110 lines
4.4 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-15:12.openssl Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: OpenSSL alternate chains certificate forgery vulnerability
|
|
|
|
Category: contrib
|
|
Module: openssl
|
|
Announced: 2015-07-09
|
|
Credits: Adam Langley/David Benjamin (Google/BoringSSL), OpenSSL
|
|
Affects: FreeBSD 10.1-STABLE after 2015-06-11 and prior to the
|
|
correction date.
|
|
Corrected: 2015-07-09 17:17:22 UTC (stable/10, 10.2-PRERELEASE,
|
|
10.2-BETA1)
|
|
CVE Name: CVE-2015-1793
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
|
|
a collaborative effort to develop a robust, commercial-grade, full-featured
|
|
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
|
|
and Transport Layer Security (TLS v1) protocols as well as a full-strength
|
|
general purpose cryptography library.
|
|
|
|
II. Problem Description
|
|
|
|
During certificate verification, OpenSSL will attempt to find an alternative
|
|
certificate chain if the first attempt to build such a chain fails, unless
|
|
the application explicitly specifies X509_V_FLAG_NO_ALT_CHAINS.
|
|
|
|
An error in the implementation of this logic could erroneously mark
|
|
certificate as trusted when they should not.
|
|
|
|
III. Impact
|
|
|
|
An attacker could cause certain checks on untrusted certificates, such as the
|
|
CA (certificate authority) flag, to be bypassed, which would enable them to
|
|
use a valid leaf certificate to act as a CA and issue an invalid certificate.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available.
|
|
|
|
NOTE WELL: This issue does not affect earlier FreeBSD releases, including the
|
|
supported 8.4, 9.3 and 10.1-RELEASE because the alternative certificate chain
|
|
feature was not introduced in these releases. Only 10.1-STABLE after
|
|
2015-06-11 and prior to the correction date is affected.
|
|
|
|
V. Solution
|
|
|
|
Upgrade your vulnerable system to the latest supported FreeBSD stable/10
|
|
branch dated after the correction date.
|
|
|
|
Recompile the operating system using buildworld and installworld as
|
|
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
|
|
|
|
Restart all deamons using the library, or reboot the system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/10/ r285330
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://www.openssl.org/news/secadv_20150709.txt>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:12.openssl.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v2.1.6 (FreeBSD)
|
|
|
|
iQIcBAEBCgAGBQJVnq6lAAoJEO1n7NZdz2rntOsP/A07ZJWDt2DpN5h2En0fE+tL
|
|
tIB2uSV0pcoUAZExLjft5IDMau/zbZd/JFXczR5RRollu0jaETcpWYzXzjtAQ4IG
|
|
ZEKwvjdThN0naKk0F0DOjAm84ukIds9zR4JZ2KpJmzZnChzZYoF21ZkGPBMMlVhZ
|
|
4T9GNTiphdz3HsWx57r2WSapMlys0U0f32xOfYr1iUMRVkNNJfnkFSSxA2MEwuBl
|
|
/HzVLYOpVEGn/V3I+USQ1KmwMhTtJ+JY6WQlv0k/UKgrQHjdsKjoDwMwWT7UJgPZ
|
|
j7bvYKftXMYl22KDTlyvZA1c0YZ8kyP9bd+dz6NogCgiNUcIux/wTgMmbnbauZXb
|
|
pV+MAAAXKfeUoU94qXRD0QHRDXYt34buSswTtPI3LuVeLkqVk/ZdQATZYqMmCcCZ
|
|
4XNtdefKN/HZIq9Lx5N1F1a4MQn3MgbNPUNRfDLtwDFp2w9nMA2XoP8j4oLHul3z
|
|
umFwrEDtO8yojjj6qFGaAjpKktwYfq7/+ISFTYFpWLO3pb2QUw+3S+rWmrclyyd9
|
|
xMOt2+tMpq46ESydmDSBXkgEQ6yL5XWA4FY+6VvWJrhM49DiP+FzpxZMpAKDHFmf
|
|
55L1mjSttHxU3G6/b1VPkRnphgqG03j1+nmyL+fIjHGa1ojvInzxuGcDgAJvUWkc
|
|
kMEkVjlnca3CDs5zADOX
|
|
=iBF6
|
|
-----END PGP SIGNATURE-----
|