Description

OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.

Remediation

References

CVE-2014-8275

Related Vulnerabilities

PHP CVE-2012-2688 Vulnerability (CVE-2012-2688)

Oracle Application Server CVE-2009-1008 Vulnerability (CVE-2009-1008)

Python Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2014-1912)

WordPress Plugin Instagram Feed Unspecified Vulnerability (1.11.3)

Roundcube Improper Input Validation Vulnerability (CVE-2011-1492)

Severity

Medium

Classification

CVE-2014-8275

Tags

Missing Update Known Vulnerabilities