A new OpenSSL vulnerability
The OpenSSL project has disclosed a new certificate validation vulnerability. "During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and 'issue' an invalid certificate." This is thus a client-side, man-in-the-middle vulnerability.
Note that the affected versions of OpenSSL were released in mid-June; anybody with an older release should not be vulnerable.
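As an added illustration (not code from the OpenSSL project or the advisory), here is a toy Python model of chain building with an alternative-chain fallback. It shows the bug class the advisory describes: if the fallback path drops the basicConstraints CA check, a valid end-entity certificate can appear as an issuer. All certificate names are constructed; the `patched` flag selects whether the fallback enforces the CA flag.

```python
# Toy model of certificate chain building with an alternative-chain fallback.
# Constructed example; it does not reproduce OpenSSL's actual code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool  # basicConstraints CA flag


def find_chain(leaf, pool, trusted, require_ca):
    """Follow issuer links from `leaf` through `pool` (untrusted certs keyed
    by subject) until the issuer is a trust anchor. With require_ca=True every
    issuer on the path must carry the CA flag; that is the check the advisory
    says the fallback path could bypass."""
    chain, cur, seen = [leaf], leaf, {leaf.subject}
    while cur.issuer not in trusted:
        nxt = pool.get(cur.issuer)
        if nxt is None or nxt.subject in seen:
            return None  # no path to a trust anchor (or a loop)
        if require_ca and not nxt.is_ca:
            return None  # an end-entity cert may not act as an issuer
        chain.append(nxt)
        seen.add(nxt.subject)
        cur = nxt
    return chain


def verify(leaf, sent_pool, alt_pool, trusted, patched):
    """First try the chain the peer supplied; if that fails, try an
    alternative chain. The buggy variant skips the CA check on the retry."""
    chain = find_chain(leaf, sent_pool, trusted, require_ca=True)
    if chain is not None:
        return chain
    return find_chain(leaf, alt_pool, trusted, require_ca=patched)


def demo(patched):
    """Constructed scenario: a legitimate leaf cert tries to 'issue' a cert."""
    root = "Root CA"  # hypothetical trust anchor
    good_ca = Cert("Good CA", root, is_ca=True)
    attacker_leaf = Cert("attacker-leaf", "Good CA", is_ca=False)  # valid leaf
    fake_site = Cert("www.example.test", "attacker-leaf", is_ca=False)
    sent = {attacker_leaf.subject: attacker_leaf}  # chain the peer supplied
    alternative = {c.subject: c for c in (attacker_leaf, good_ca)}
    chain = verify(fake_site, sent, alternative, {root}, patched)
    return [c.subject for c in chain] if chain else None
```

With `patched=False` the forged certificate validates through the fallback; with `patched=True` the CA check rejects it on both paths.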