CVE-2017-8301

LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result, in a use case where a user-provided verification callback returns 1, as demonstrated by acceptance of invalid certificates by nginx.
References
Link Resource
http://seclists.org/oss-sec/2017/q2/145 Mailing List Third Party Advisory
http://www.securityfocus.com/bid/98076 Third Party Advisory VDB Entry
https://github.com/libressl-portable/portable/issues/307 Issue Tracking Patch Third Party Advisory
https://trac.nginx.org/nginx/ticket/1257 Issue Tracking Patch Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:openbsd:libressl:2.5.1:*:*:*:*:*:*:*
cpe:2.3:a:openbsd:libressl:2.5.2:*:*:*:*:*:*:*
cpe:2.3:a:openbsd:libressl:2.5.3:*:*:*:*:*:*:*

History

No history.

Information

Published : 2017-04-27 17:59

Updated : 2024-02-04 19:11


NVD link : CVE-2017-8301

Mitre link : CVE-2017-8301

CVE.ORG link : CVE-2017-8301


JSON object : View

Products Affected

openbsd

  • libressl
CWE
CWE-295

Improper Certificate Validation