CVE-2017-8301
Summary
| CVE | CVE-2017-8301 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-04-27 17:59:00 UTC |
| Updated | 2019-10-03 00:03:00 UTC |
| Description | LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result, in a use case where a user-provided verification callback returns 1, as demonstrated by acceptance of invalid certificates by nginx. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| oss-sec: CVE-2017-8301: TLS verification vulnerability in LibreSSL 2.5.1 - 2.5.3 | MISC | seclists.org | Mailing List, Third Party Advisory |
| LibreSSL CVE-2017-8301 Certificate Validation Security Bypass Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Some nginx TLS tests started failing with LibreSSL 2.5.3 (but not with 2.4.4) · Issue #307 · libressl-portable/portable · GitHub | CONFIRM | github.com | Issue Tracking, Patch, Third Party Advisory |
| #1257 (Some nginx TLS tests started failing with LibreSSL 2.5.3) – nginx | CONFIRM | trac.nginx.org | Issue Tracking, Patch, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 500367 Alpine Linux Security Update for libressl