CVE-2015-0205 (retired)

Priority
Description
The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before
1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a
Diffie-Hellman (DH) certificate without requiring a CertificateVerify
message, which allows remote attackers to obtain access without knowledge
of a private key via crafted TLS Handshake Protocol traffic to a server
that recognizes a Certification Authority with DH support.
Notes
 mdeslaur> precise isn't actually affected, as the code used to be wrong,
 mdeslaur> resulting in a no-op, and having the same result as this
 mdeslaur> security fix. See the following commit:
 mdeslaur> https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=c2770c0e0e0da5f447227553c248f9a94504ee4e
Assigned-to
mdeslaur
Package
Upstream:not-affected
Ubuntu 14.04 LTS (Trusty Tahr):not-affected
More Information

Updated: 2019-03-26 12:14:08 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)