A serious OpenSSL bug: treating a leaf certificate as a CA...

OpenSSL has published the "Alternative chains certificate forgery (CVE-2015-1793)" security advisory:

An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate.

Using a legitimate leaf certificate as a CA root... so yet another pile of things needs updating @_@
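As an added illustration (not part of the original post, and not OpenSSL's own code), the Go program below sets up the exact situation the advisory describes: a root CA issues an ordinary end-entity certificate (basicConstraints CA:FALSE), and the end-entity key then signs a further certificate as if it were a CA. Go's standard crypto/x509 verifier is used here as a stand-in for any correctly behaving verifier; every key, name and serial number is constructed for the example. A verifier that enforces the CA flag on each issuer must reject the forged chain while still accepting the honest root -> leaf path, and that CA-flag check is precisely the one the advisory says could be bypassed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds three constructed certificates: a trusted root, an ordinary
// end-entity certificate issued by that root (basicConstraints CA:FALSE), and a
// "forged" certificate that the end-entity key signed as if it were a CA.
type Chain struct {
	Root, Leaf, Forged *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mkCert signs tmpl with the parent's key and parses the result. Issuing is not
// where the CA flag is enforced; that is the verifier's job, and the verifier
// check is what CVE-2015-1793 could skip.
func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildChain generates fresh keys and the three certificates (all values constructed).
func BuildChain() Chain {
	now := time.Now()
	rootKey, leafKey, forgedKey := mustKey(), mustKey(), mustKey()

	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := mkCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "leaf.example"},
		DNSNames:              []string{"leaf.example"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  false, // a plain server certificate: CA:FALSE
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mkCert(leafTmpl, root, &leafKey.PublicKey, rootKey)

	// The leaf key now "issues" a certificate, which only a CA may do.
	forgedTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(3),
		Subject:               pkix.Name{CommonName: "forged.example"},
		DNSNames:              []string{"forged.example"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	forged := mkCert(forgedTmpl, leaf, &forgedKey.PublicKey, leafKey)

	return Chain{Root: root, Leaf: leaf, Forged: forged}
}

func verifyOpts(c Chain, intermediates ...*x509.Certificate) x509.VerifyOptions {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	inter := x509.NewCertPool()
	for _, ic := range intermediates {
		inter.AddCert(ic)
	}
	return x509.VerifyOptions{Roots: roots, Intermediates: inter}
}

// VerifyLeaf checks the honest path root -> leaf; returns nil on success.
func VerifyLeaf(c Chain) error {
	_, err := c.Leaf.Verify(verifyOpts(c))
	return err
}

// VerifyForged offers the leaf as an intermediate for the forged certificate.
// A correct verifier returns a non-nil error because the leaf is not a CA; a
// verifier that skips the CA-flag check would return nil and accept the forgery.
func VerifyForged(c Chain) error {
	_, err := c.Forged.Verify(verifyOpts(c, c.Leaf))
	return err
}

func main() {
	c := BuildChain()
	fmt.Println("root -> leaf:          ", VerifyLeaf(c))
	fmt.Println("root -> leaf -> forged:", VerifyForged(c))
}
```

Run it with go run: the honest path prints <nil> and the forged path prints a verification error. The same experiment against a particular OpenSSL build is openssl verify -CAfile root.pem -untrusted leaf.pem forged.pem with the three certificates exported as PEM; a fixed build must likewise refuse the forged chain.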

This time the versions from 1.0.1n through 1.0.2b are affected.

starting from version 1.0.1n and 1.0.2b