From: Matt Caswell Date: Thu, 2 Jul 2015 14:38:32 +0000 (+0100) Subject: Update CHANGES and NEWS for the new release X-Git-Tag: OpenSSL_1_0_2d~1 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=5627e0f77d333b3d6d2f87b0cc616a062cf54aeb;p=oweals%2Fopenssl.git Update CHANGES and NEWS for the new release Reviewed-by: Stephen Henson --- diff --git a/CHANGES b/CHANGES index 5aff3e1691..a3b3e20187 100644 --- a/CHANGES +++ b/CHANGES @@ -4,7 +4,18 @@ Changes between 1.0.2c and 1.0.2d [xx XXX xxxx] - *) + *) Alternate chains certificate forgery + + During certificate verfification, OpenSSL will attempt to find an + alternative certificate chain if the first attempt to build such a chain + fails. An error in the implementation of this logic can mean that an + attacker could cause certain checks on untrusted certificates to be + bypassed, such as the CA flag, enabling them to use a valid leaf + certificate to act as a CA and "issue" an invalid certificate. + + This issue was reported to OpenSSL by Adam Langley/David Benjamin + (Google/BoringSSL). + [Matt Caswell] Changes between 1.0.2b and 1.0.2c [12 Jun 2015] diff --git a/NEWS b/NEWS index f87f926b9d..e51526ea35 100644 --- a/NEWS +++ b/NEWS @@ -7,7 +7,7 @@ Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [under development] - o + o Alternate chains certificate forgery (CVE-2015-1793) Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015]