https://access.redhat.com/solutions/1523323 claims that RHEL is not vulnerable to this as the feature that is vulnerable is not in the RHEL versions of openssl.

So there will NOT be a new openssl security errata today.

------------------------------------------------------------------------------

This was the anticipated openssl vulnerability that was to be released on July 9, 2015.

      OpenSSL Security Advisory [9 Jul 2015]
      =======================================

      Alternative chains certificate forgery (CVE-2015-1793)
      ======================================================

      Severity: High

      During certificate verification, OpenSSL (starting from version 1.0.1n
      and 1.0.2b) will attempt to find an alternative certificate chain if
      the first attempt to build such a chain fails. An error in the
      implementation of this logic can mean that an attacker could cause
      certain checks on untrusted certificates to be bypassed, such as the
      CA flag, enabling them to use a valid leaf certificate to act as a CA
      and "issue" an invalid certificate.

      This issue will impact any application that verifies certificates
      including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client
      authentication.

--

Connie J. Sieh
Computing Services Specialist III

Fermi National Accelerator Laboratory
630 840 8531 office

http://www.fnal.gov
[email protected]
