OpenSSL: Alternative chains certificate forgery vulnerability (CVE-2015-1793)

Solution In Progress

Environment

  • Red Hat Enterprise Linux 4, 5, 6, 7
  • Red Hat JBoss Enterprise Application Platform (EAP) 5, 6
  • Red Hat JBoss Enterprise Web Server (EWS) 1, 2
  • Red Hat JBoss Web Server (JWS) 3
  • Inktank Ceph Enterprise (ICE) 1
  • Red Hat Storage Console
  • Red Hat Enterprise Virtualization

Issue

Resolution

  • No Red Hat products are affected by the CVE-2015-1793 flaw. No actions need to be performed to fix or mitigate this issue in any way.

Root Cause

  • The OpenSSL project has published information about an important vulnerability (CVE-2015-1793) affecting OpenSSL versions 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c.
  • These upstream versions have only been available for a month, and given Red Hat's policy of performing careful backports of important bug fixes and selected features rather than rebasing to new upstream releases, the alternative certificate chain functionality containing this flaw is not present in any version of OpenSSL shipped in any Red Hat product.
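As an added example (not part of the Red Hat solution or of OpenSSL itself), the following Python check applies the reasoning above to a version string, either the output of `openssl version` or an RPM package name such as the one quoted in the comments, and reports whether it is one of the affected upstream releases. The RPM handling is a heuristic based on this page's reasoning about backports; the vendor advisory remains the authoritative answer for distribution packages.

```python
import re

# Upstream OpenSSL releases that shipped the flawed alternative chain
# building code, as named in the advisory text on this page.
AFFECTED_UPSTREAM = {"1.0.1n", "1.0.1o", "1.0.2b", "1.0.2c"}

# Matches an upstream version such as "1.0.1n", preceded by start of string,
# whitespace ("OpenSSL 1.0.1n ...") or a hyphen ("openssl-1.0.1e-42...").
_VER_RE = re.compile(r"(?:^|[\s-])(\d+\.\d+\.\d+)([a-z]*)")


def upstream_version(text):
    """Return the upstream base version (e.g. '1.0.1e') found in `text`,
    or None when no version can be parsed."""
    m = _VER_RE.search(text)
    return m.group(1) + m.group(2) if m else None


def is_rpm_build(text):
    """Heuristic: an RPM name carries a '-<release>' after the upstream
    version (e.g. 'openssl-1.0.1e-42.el6_7.1'), marking a vendor build
    that receives backported fixes rather than upstream rebases."""
    return re.search(r"openssl-\d+\.\d+\.\d+[a-z]*-\d", text) is not None


def assess(text):
    """Classify `text` against CVE-2015-1793 and explain the verdict.

    Returns {'version': str|None, 'affected': bool|None, 'reason': str}."""
    ver = upstream_version(text)
    if ver is None:
        return {"version": None, "affected": None,
                "reason": "could not parse an OpenSSL version"}
    if ver in AFFECTED_UPSTREAM:
        return {"version": ver, "affected": True,
                "reason": "upstream release containing the alternative chain code"}
    if is_rpm_build(text):
        return {"version": ver, "affected": False,
                "reason": "vendor build based on %s; the flawed upstream "
                          "code was never backported (confirm with the vendor "
                          "advisory)" % ver}
    return {"version": ver, "affected": False,
            "reason": "upstream release outside the affected range"}


if __name__ == "__main__":
    # Constructed sample inputs: the RPM from the comments and two `openssl version` outputs.
    for sample in ("openssl-1.0.1e-42.el6_7.1.x86_64",
                   "OpenSSL 1.0.1n 11 Jun 2015",
                   "OpenSSL 1.0.2c 12 Jun 2015"):
        print(sample, "->", assess(sample))
```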

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

3 Comments

Not required

This comment sort of explains that this is a new issue with recent upstream releases:

https://bugzilla.redhat.com/show_bug.cgi?id=1238619#c10

"Note, for clarity, the first affected upstream versions 1.0.1n and 1.0.2b were released on June 11th 2015."

So basically this security vulnerability never made it downstream, is the way I read this, and presumably it never will.

OpenSSL version openssl-1.0.1e-42.el6_7.1.x86_64 is installed on my server. Is the server affected by the PHP OpenSSL Extension Remote Memory Corruption Vulnerability?