Bug 1180187 (CVE-2014-8275)
Summary: | CVE-2014-8275 openssl: Fix various certificate fingerprint issues | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | carnil, cdewolf, chrisw, dandread, darran.lofthouse, erich, fweimer, grocha, jason.greene, jawilson, jclere, jdoyle, john.haxby, lgao, myarboro, nlevinki, pslavice, rfortier, rhs-bugs, rsvoboda, twalsh, vtunka, weli |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | OpenSSL 1.0.1k, OpenSSL 1.0.0p, OpenSSL 0.9.8zd | Doc Type: | Bug Fix |
Doc Text: |
Multiple flaws were found in the way OpenSSL parsed X.509 certificates. An attacker could use these flaws to modify an X.509 certificate to produce a certificate with a different fingerprint without invalidating its signature, and possibly bypass fingerprint-based blacklisting in applications.
|
Last Closed: | 2021-10-20 10:48:37 UTC | Type: | --- |
Bug Depends On: | 1180189, 1181015, 1181016, 1181017, 1181018, 1207507 | ||
Bug Blocks: | 1180194 |
Description
Vasyl Kaigorodov
2015-01-08 15:21:46 UTC
External References:

https://www.openssl.org/news/secadv_20150108.txt

openssl-1.0.1e-41.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7

Via RHSA-2015:0066 https://rhn.redhat.com/errata/RHSA-2015-0066.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2015:0800 https://rhn.redhat.com/errata/RHSA-2015-0800.html

Statement:

This issue affects the version of openssl098e as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Low security impact and does not plan to address this flaw for the above components in any future security updates.

This issue affects the version of openssl097a as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.