We’ve been wondering what this latest “high severity” OpenSSL vulnerability, first mentioned last week, actually was. They kept very tight-lipped about it until today.
CVE-2015-1793 was announced today, and although it only affects the very latest OpenSSL builds, it is a bit of an epic failure. It essentially allows you to sign certificates using a standard leaf certificate. In short, it breaks the entire PKI trust relationship.
You can read the OpenSSL advisory here.
They’ve patched it in 1.0.1p and 1.0.2d, so there is a fix available if you are on one of the affected builds. This issue only affects 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o, the very latest builds, so it’s unlikely that many are actually affected by it.