CVE-2014-8275

Name of the Vulnerable Software and Affected Versions OpenSSL versions prior to 0.9.8zd OpenSSL versions prior to 1.0.0p OpenSSL versions prior to 1.0.1k openssl-1.0.1e openssl-devel-1.0.1e openssl-static-1.0.1e openssl-libs-1.0.1e openssl-debuginfo-1.0.1e

Description The issue allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion. This is related to the files crypto/asn1/a verify.c, crypto/dsa/dsa asn1.c, crypto/ecdsa/ecs vrf.c, and crypto/x509/x all.c. The vulnerability can be exploited remotely and may lead to disruption of protected information.

Recommendations For OpenSSL versions prior to 0.9.8zd, update to version 0.9.8zd or later. For OpenSSL versions prior to 1.0.0p, update to version 1.0.0p or later. For OpenSSL versions prior to 1.0.1k, update to version 1.0.1k or later. For openssl-1.0.1e, openssl-devel-1.0.1e, openssl-static-1.0.1e, openssl-libs-1.0.1e, and openssl-debuginfo-1.0.1e, update to a version that is not vulnerable. As a temporary workaround, consider restricting access to certificate data to minimize the risk of exploitation.