On July 9, 2015, OpenSSL issued a security update to correct an issue opened by its June update. Specifically, this issue relates to alternative chains certificate forgery (CVE-2015-1793), i.e. an ability to “cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and ‘issue’ an invalid certificate.”
The issue affects both client and server side certificate verification in OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. This issue does not affect Zimbra Collaboration. The latest Zimbra packaging of Zimbra Collaboration (8.6) relies on OpenSSL 1.0.1l for cryptographic functionality.
Aside from Zimbra and for those using OpenSSL elsewhere with the ability to update the OpenSSL package, please upgrade:
- 0.2b/1.0.2c upgrade to 1.0.2d
- 0.1n/1.0.1o upgrade to 1.0.1p