Another day, another OpenSSL patch

The good news is that this OpenSSL vulnerability does not affect the shipping, supported releases of the major Linux and Unix operating systems.

The latest OpenSSL security hole isn't a bad one as these things go. It's no Heartbleed, FREAK, or Logjam. But it's serious enough that, if you're running an alpha or beta operating system release that picked up an affected OpenSSL build, you shouldn't delay patching it.

Fortunately, the affected OpenSSL versions are not commonly used in enterprise operating systems. For example, the bug doesn't impact the shipping and supported versions of Red Hat Enterprise Linux (RHEL) or Ubuntu. It does affect the Ubuntu 15.10 development release, but a patch is already available there.

The bug is in certificate verification. Starting with OpenSSL 1.0.1n and 1.0.2b, when the first attempt to build a trusted certificate chain fails, OpenSSL tries to find an alternative chain. So far, so good.

But an error in the implementation of that logic meant that certain checks on the new, untrusted certificates were skipped. In particular, the Certificate Authority (CA) flag (the cA basic constraint) was not checked. That lets an attacker take any valid leaf certificate, act as a CA with it, and "issue" a bogus certificate that passes verification. This, in turn, lets a malicious site pass itself off as another, legitimate site. The problem is not limited to browsers: any application that uses OpenSSL to verify certificates is affected, including TLS clients and TLS servers that authenticate clients with certificates.

That is what makes the bug a man-in-the-middle enabler: an attacker needs nothing more than a legitimately issued leaf certificate of their own to forge a chain that a vulnerable verifier will accept.
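To make the failure concrete, here is an added example in Go. It is my code, not OpenSSL's, BoringSSL's or the article's. It builds a constructed three-certificate PKI in memory (a root, a leaf for www.example.com issued by that root, and a forgery for login.example.net signed with the leaf's own key), then runs a deliberately simplified chain validator over the forged chain twice: once with the cA basic-constraint check on issuers switched off, mirroring the omission in the alternative-chain code, and once with it on. As a cross-check it asks Go's own crypto/x509 path builder the same question. The hostnames and the validator's structure are assumptions for illustration; the validator is a toy model, not a reimplementation of OpenSSL's X509_verify_cert.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario is a constructed in-memory PKI (not real certificates): a trusted root, a leaf it
// issued, and a forgery the leaf's key "issued" for a host the leaf's owner does not control.
type Scenario struct {
	Root, Leaf, Forged *x509.Certificate
}

// newTemplate builds a minimal template; only a CA template gets the cA basic constraint.
func newTemplate(cn string, isCA bool, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
}

// issue signs template with the parent's key (self-signs when signer is nil) and returns the
// parsed certificate together with its freshly generated P-256 key.
func issue(template, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func BuildScenario() *Scenario {
	rootTpl := newTemplate("Example Root CA", true, 1)
	root, rootKey := issue(rootTpl, rootTpl, nil)
	leaf, leafKey := issue(newTemplate("www.example.com", false, 2), root, rootKey)
	// The attacker legitimately holds leafKey and signs a certificate for a site they
	// do not control with it: the leaf is acting as a CA.
	forged, _ := issue(newTemplate("login.example.net", false, 3), leaf, leafKey)
	return &Scenario{Root: root, Leaf: leaf, Forged: forged}
}

// VerifyChain is a toy path validator: chain[0] is the end entity, chain[i] must be signed by
// chain[i+1], and the last element must be a trusted root. With checkCAFlag false it skips the
// cA check on every issuer, which is the omission in OpenSSL's alternative-chain code.
func VerifyChain(chain, roots []*x509.Certificate, checkCAFlag bool) error {
	for i := 0; i+1 < len(chain); i++ {
		child, issuer := chain[i], chain[i+1]
		// CheckSignature verifies the signature only; it does not look at issuer's constraints.
		if err := issuer.CheckSignature(child.SignatureAlgorithm, child.RawTBSCertificate, child.Signature); err != nil {
			return fmt.Errorf("bad signature on %q: %w", child.Subject.CommonName, err)
		}
		if checkCAFlag && !(issuer.BasicConstraintsValid && issuer.IsCA) {
			return fmt.Errorf("%q is not a CA and may not issue %q", issuer.Subject.CommonName, child.Subject.CommonName)
		}
	}
	for _, r := range roots {
		if r.Equal(chain[len(chain)-1]) {
			return nil
		}
	}
	return fmt.Errorf("chain does not end in a trusted root")
}

// ChainAccepted runs VerifyChain over chain (end entity first), trusting only the scenario's root.
func ChainAccepted(s *Scenario, checkCAFlag bool, chain ...*x509.Certificate) bool {
	return VerifyChain(chain, []*x509.Certificate{s.Root}, checkCAFlag) == nil
}

// StdlibAccepts asks crypto/x509's own path builder, with the leaf offered as a candidate intermediate.
func StdlibAccepts(s *Scenario, end *x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(s.Root)
	inter.AddCert(s.Leaf)
	_, err := end.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

func main() {
	s := BuildScenario()
	fmt.Println("forgery accepted? bug:", ChainAccepted(s, false, s.Forged, s.Leaf, s.Root), "fixed:", ChainAccepted(s, true, s.Forged, s.Leaf, s.Root), "crypto/x509:", StdlibAccepts(s, s.Forged))
}
```

Run it with go run: the validator that skips the cA check reports true for the forgery, while the checked variant and crypto/x509 both report false. The point worth noticing is that the signature check passes on every link of the forged chain. The forgery is cryptographically sound; only the basic-constraint check on the issuer distinguishes a leaf from a CA, which is why a single skipped check lets the whole chain verify.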

The problem affects OpenSSL 1.0.2b, 1.0.2c, 1.0.1n and 1.0.1o. OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d and OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p. The older 1.0.0 and 0.9.8 branches do not contain the alternative-chain code and are not affected.

The security hole (CVE-2015-1793) was found by Google's BoringSSL developers. BoringSSL is Google's own open-source fork of OpenSSL. It's not meant to replace OpenSSL as a general-purpose project, because its application programming interface (API) and application binary interface (ABI) aren't kept stable, which rules it out for a universally used security library.
