CVE-2015-1793

Priority
Medium
Description
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n,
1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic
Constraints cA values during identification of alternative certificate
chains, which allows remote attackers to spoof a Certification Authority
role and trigger unintended certificate verifications via a valid leaf
certificate.
References
Notes
 mdeslaur> introduced by the following commit in 1.0.2b and 1.0.1n:
 mdeslaur> https://git.openssl.org/?p=openssl.git;a=commit;h=6281abc79623419eae6a64768c478272d5d3a426
Assigned-to
mdeslaur
Package
Upstream:needs-triage
Ubuntu 12.04 LTS (Precise Pangolin):not-affected
Ubuntu 14.04 LTS (Trusty Tahr):not-affected
Ubuntu Touch 15.04:not-affected
Package
Upstream:needs-triage
Ubuntu 12.04 LTS (Precise Pangolin):not-affected (1.0.1-4ubuntu5.31)
Ubuntu 14.04 LTS (Trusty Tahr):not-affected (1.0.1f-1ubuntu2.15)
Ubuntu Touch 15.04:released (1.0.2d-0ubuntu1)
More Information

Updated: 2016-03-23 03:41:54 UTC (commit 10817)