OpenSSL patches high severity bug allowing certificate forgery

As promised earlier this week, OpenSSL released a patch for a high severity bug impacting versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. The security issue, an alternative chains certificate forgery bug (CVE-2015-1793), was reported to OpenSSL in late June by Google security engineer Adam Langley and Google developer David Benjamin, a Thursday security advisory said. The vulnerability was said to impact “any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.” Exploitation of the bug could allow an attacker to “cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and ‘issue' an invalid certificate,” the advisory explained. OpenSSL 1.0.2b and 1.0.2c users can upgrade to 1.0.2d to employ the fix, while 1.0.1n and 1.0.1o users can move to version 1.0.1p.