CVE-2009-0653

2009-02-2019:30:00

Debian Security Bug Tracker

security-tracker.debian.org

openssl

basic constraints

man-in-the-middle

ca-signed certificate

remote attackers

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.011

Percentile

85.0%

JSON

OpenSSL, probably 0.9.6, does not verify the Basic Constraints for an intermediate CA-signed certificate, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack, a related issue to CVE-2002-0970.

OSVersionArchitecturePackageVersionFilename
Debian12allopenssl< 0.9.8-1openssl_0.9.8-1_all.deb
Debian11allopenssl< 0.9.8-1openssl_0.9.8-1_all.deb
Debian999allopenssl< 0.9.8-1openssl_0.9.8-1_all.deb
Debian13allopenssl< 0.9.8-1openssl_0.9.8-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	openssl	< 0.9.8-1	openssl_0.9.8-1_all.deb
Debian	11	all	openssl	< 0.9.8-1	openssl_0.9.8-1_all.deb
Debian	999	all	openssl	< 0.9.8-1	openssl_0.9.8-1_all.deb
Debian	13	all	openssl	< 0.9.8-1	openssl_0.9.8-1_all.deb