OpenSSL Users Urged to Upgrade: High-Severity Certificate Forgery Vulnerability Found
OpenSSL users are urged to upgrade because of a high-severity vulnerability, CVE-2015-1793, which allows certificate forgery. The issue affects specific OpenSSL versions only; some distributions and products are not impacted.
Users of OpenSSL 1.0.1n and 1.0.1o should upgrade to 1.0.1p to mitigate the vulnerability. Notably, OpenSUSE 13.1, 13.2, and Tumbleweed distributions are unaffected. The flaw was introduced in version 1.0.1h and fixed starting from 1.0.1j, so versions prior to 1.0.1h and from 1.0.1j onwards are not vulnerable.
For OpenSSL 1.0.2, users of 1.0.2b and 1.0.2c should upgrade to 1.0.2d. Debian stable and oldstable, as well as Red Hat products, are not affected by this vulnerability. The issue impacts OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n, and 1.0.1o. Qualys has released QID 38104 for this check.
In summary, OpenSSL users should upgrade according to the affected ranges listed above. Distributions and products not affected include OpenSUSE 13.1, 13.2, and Tumbleweed, Debian stable and oldstable, and Red Hat products. Ubuntu versions 12.04LTS, 14.04LTS, 14.10LTS, 15.04, and 15.10 are also unaffected.
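As an added example (not part of the advisory and not OpenSSL project code), the following POSIX shell function classifies the string printed by `openssl version` against the affected and fixed versions listed above. The function name `openssl_cve_2015_1793_status` and the sample version strings fed to it are constructed for this illustration; the version lists are taken from the advisory text.

```shell
#!/bin/sh
# Added example, not part of the original advisory: classify an OpenSSL
# version string against the versions the advisory lists.
#   affected: 1.0.1n 1.0.1o 1.0.2b 1.0.2c
#   fixed:    1.0.1p 1.0.2d
# Prints one of "affected <ver>", "fixed <ver>", "unaffected <ver>" or
# "unknown <input>", and returns 1 only for "affected" so the result can
# also be used in a shell condition.

openssl_cve_2015_1793_status() {
    raw=${1#OpenSSL }          # drop the "OpenSSL " prefix printed by `openssl version`
    ver=${raw%% *}             # keep the first token, e.g. "1.0.1o"
    ver=${ver%%-*}             # drop vendor suffixes such as "-fips"

    case "$ver" in
        [0-9].[0-9].[0-9]*) ;; # shaped like an OpenSSL version number
        *) echo "unknown $1"; return 0 ;;
    esac

    case "$ver" in
        1.0.1n|1.0.1o|1.0.2b|1.0.2c) echo "affected $ver";   return 1 ;;
        1.0.1p|1.0.2d)               echo "fixed $ver";      return 0 ;;
        *)                           echo "unaffected $ver"; return 0 ;;
    esac
}

# Check the locally installed binary, if there is one. The trailing `|| :`
# keeps an "affected" result from aborting a script running under `set -e`.
if command -v openssl >/dev/null 2>&1; then
    openssl_cve_2015_1793_status "$(openssl version)" || :
fi
```

The check matches the upstream version string only. Distribution packages such as those of Debian and Red Hat typically keep the upstream version number while backporting security fixes, which is one reason the advisory lists those products as unaffected separately from the upstream ranges; on such systems, confirm the package changelog or vendor advisory rather than relying on the version string alone.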