OpenSSL CVE-2015-0205 Weak Encryption Vulnerability
Description
Severity: Low

An OpenSSL server will accept a DH certificate for client authentication without the certificate verify message. This effectively allows a client to authenticate without the use of a private key. This only affects servers which trust a client certificate authority which issues certificates containing DH keys: these are extremely rare and hardly ever encountered.

This issue affects OpenSSL versions: 1.0.1 and 1.0.0.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.

This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen Henson of the OpenSSL core team.
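The following added example (not part of the original advisory or of OpenSSL) triages `openssl version` banners collected from an inventory against the fixed releases named above. The host names and banner strings are constructed sample data, and the function names are illustrative.

```python
import re

# Fixed releases named in the advisory, keyed by release branch.
FIXED = {"1.0.1": "k", "1.0.0": "p"}

def patch_key(letters):
    """Order OpenSSL patch suffixes: '' < 'a' < ... < 'z' < 'za' < ..."""
    return (len(letters), letters)

def classify(banner):
    """Return 'affected', 'fixed', 'not-listed' or 'unparsed' for one banner."""
    # Matches e.g. "OpenSSL 1.0.1e-fips ..." -> branch "1.0.1", letters "e".
    m = re.search(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)", banner)
    if not m:
        return "unparsed"
    branch, letters = m.groups()
    fixed = FIXED.get(branch)
    if fixed is None:
        # The advisory only lists the 1.0.1 and 1.0.0 branches.
        return "not-listed"
    return "fixed" if patch_key(letters) >= patch_key(fixed) else "affected"

def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}

# Constructed sample inventory (host -> output of `openssl version`).
SAMPLE = {
    "web-01": "OpenSSL 1.0.1j 15 Oct 2014",
    "web-02": "OpenSSL 1.0.1k 8 Jan 2015",
    "vpn-01": "OpenSSL 1.0.0o 15 Oct 2014",
    "vpn-02": "OpenSSL 1.0.0p 8 Jan 2015",
    "app-01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "app-02": "OpenSSL 1.0.2a 19 Mar 2015",
    "bsd-01": "LibreSSL 2.8.3",
}

if __name__ == "__main__":
    # Caveats: distribution packages may backport the fix without changing
    # the version letter, so 'affected' means "check the vendor advisory".
    # Exposure also requires that the server trusts a client CA that issues
    # certificates containing DH keys, which the version string cannot show.
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```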
Affected Applications
OpenSSL