Jump to:

CVE-2017-8301

Jump to:

CVE-2017-8301

Package LibreSSL updated to version 2.5.4-alt1 for branch sisyphus in task 182431.

Published: 2017-04-27
Modified: 2025-04-20

CVE-2017-8301

LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result, in a use case where a user-provided verification callback returns 1, as demonstrated by acceptance of invalid certificates by nginx.

Severity: LOW (2.6) Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N

Severity: MEDIUM (5.3) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

References:

http://seclists.org/oss-sec/2017/q2/145
http://www.securityfocus.com/bid/98076
https://github.com/libressl-portable/portable/issues/307
https://trac.nginx.org/nginx/ticket/1257
http://seclists.org/oss-sec/2017/q2/145
http://www.securityfocus.com/bid/98076
https://github.com/libressl-portable/portable/issues/307
https://trac.nginx.org/nginx/ticket/1257

Version: 2.1.2

Package LibreSSL update in sisyphus on 2017-05-03

ALT-PU-2017-1557-1

Closed vulnerabilities

CVE-2017-8301