Already patched in Linux Mint 17
$ openssl version
will reveal all. (Oh, err)
The promised patch against a high severity bug in Open SSL is out, resolving a certificate forgery risk in many implementations of the crypto protocol. Versions 1.0.1n and 1.0.2b of OpenSSL need fixing to resolve a bug that created a means for hackers to run crypto attacks that circumvent certificate warnings, as an advisory …
This post has been deleted by its author
The severity of security vulnerabilities is scored using a number of factors, including the vector, complexity and impact of an exploit - see https://nvd.nist.gov/CVSS-v2-Calculator
I think this is probably a high severity because of its potential impact to integrity/confidentiality.
I'm not sure I agree - I could see an easy man-in-the-middle against automated systems that rely on cert errors to identify fake end-points. This is particularly bad if you are running VPNs over the 'open' internet between datacenters using OpenSSL as the encryption envelope, like, say, a stock exchange....
You might be able to delay messages just enough to create an 'Office Space' scenario and no one would know.
This is a major bug if you're relying on SSL to provide end-to-end certification as a user. So I won't be connecting to my bank until it's fixed.
It doesn't mean we need to unpug any servers while we wait for the distro to catch up with upstream though. I for one am happy about that.
Uh, why is this not catastrophic? It sounds like anyone can forge a certificate for any domain:
1. Get a normal (non-CA) host certificate from a legit CA.
2. Use that cert to sign a fraudulent cert for target host/domain, including the non-CA cert in the authority chain. (You might need to hack a copy of the cert-signing app to ignore the missing CA flag.) Make sure auth chain is glitched properly to trigger OpenSSL bug in victim.
3. Redirect victim's https request to fraudulent site, use fraudulent certificate.
Sounds like the hardest part is (3), and if that was hard we wouldn't need certs.
This is a fix for a bug that only entered the codebase on June 11th and was spotted on the 24th. I suspect almost no distros have backported or shipped such new openssl releases - oh, except Fedora which handily backported the buggy code :-( For those of us running CentOS/RHEL or probably any other LTS distro, the bug never even made it to the code...