The long-awaited OpenSSL vulns are out, and for both...

"this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer."

Either way, you would already have problems: either you trust an untrustworthy CA, or you don't validate certs.

https://www.openssl.org/news/vulnerabilities.html

#defcon0 #standdown #theskyisnotfalling #openssl #x509
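The precondition quoted from the advisory (a CA has signed the hostile certificate, or the application carries on after chain building fails) comes down to a client-side verify policy. What follows is an added example, not code from the original post and not OpenSSL's own code; it uses Go's crypto/x509 in place of OpenSSL's verifier, and the CA name, the host "example.test", and all function names are assumptions. It builds a throwaway CA and leaf as constructed test data, then shows a VerifyPeerCertificate-style callback that fails closed beside the anti-pattern that logs the path-building error and continues.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const host = "example.test" // hypothetical server name for the constructed chain

// must panics on error; acceptable for building a throwaway test fixture.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewTestChain is constructed test data: a throwaway root CA and a server
// leaf for host signed by it. It returns the parsed CA and the leaf's DER.
func NewTestChain() (*x509.Certificate, []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return ca, must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))
}

// VerifyPath parses the presented chain (leaf first, then intermediates) and
// tries to build a path from the leaf to one of roots: the step that has to
// pass, or be wrongly ignored, before any later handling of the leaf is reached.
func VerifyPath(rawCerts [][]byte, roots *x509.CertPool) error {
	if len(rawCerts) == 0 {
		return errors.New("no certificate presented")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	inter := x509.NewCertPool()
	for _, raw := range rawCerts[1:] {
		c, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		inter.AddCert(c)
	}
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

// RequireTrustedPath has the shape of tls.Config.VerifyPeerCertificate and
// aborts the handshake when no path to a trusted issuer can be built.
func RequireTrustedPath(roots *x509.CertPool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		return VerifyPath(rawCerts, roots)
	}
}

// ContinueDespiteFailure is the anti-pattern the advisory names: it logs the
// error and carries on, so an attacker-chosen certificate counts as verified.
func ContinueDespiteFailure(roots *x509.CertPool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if err := VerifyPath(rawCerts, roots); err != nil {
			fmt.Println("warning (ignored):", err)
		}
		return nil
	}
}

// IsUnknownIssuer reports whether err is x509's "no path to a trusted issuer".
func IsUnknownIssuer(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	ca, leafDER := NewTestChain()
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	fmt.Println("trusted issuer: ", RequireTrustedPath(trusted)([][]byte{leafDER}, nil))
	fmt.Println("unknown issuer: ", RequireTrustedPath(x509.NewCertPool())([][]byte{leafDER}, nil))
	fmt.Println("failure ignored:", ContinueDespiteFailure(x509.NewCertPool())([][]byte{leafDER}, nil))
}
```

Only the third call, the one that swallows the x509.UnknownAuthorityError, lets an unvetted leaf through; the OpenSSL equivalent is a verify callback that returns 1 regardless of preverify_ok, which is exactly the "continue certificate verification despite failure to construct a path to a trusted issuer" case the advisory describes.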