A vulnerability has been discovered and patched in OpenSSL versions 1.0.1n and 1.0.2b and later. It could allow an attacker to trick the software into trusting a certificate that was not validly issued by a trusted Certificate Authority (CA). It has been assigned CVE-2015-1793 in the CVE database.
This vulnerability, and any exploit of it, affects client applications (such as email clients and web browsers) and services that validate CA certificate chains, such as commercial VPN applications, encryption systems, and websites that authenticate clients with client certificates. Most common server configurations are not affected.
NOT AFFECTED: CentOS 5, CentOS 6, CentOS 7, Debian Squeeze (6), Wheezy and Jessie, and all RHEL versions, as they do not ship a version of OpenSSL that includes the affected feature. Windows and IIS do not include OpenSSL.
AFFECTED: LiteSpeed Web Server 4.2.23, LiteSpeed 5.0, LiteSpeed 5.0.1
If you run any of the affected LiteSpeed versions, your system could be vulnerable and open to attack, so it is advised that you update the software as soon as possible. If you are on the LiteSpeed 4.x branch, update to LiteSpeed 4.2.24 with:
/usr/local/lsws/admin/misc/lsup.sh -v 4.2.24
If you are using LiteSpeed 5.x, update to 5.0.2 immediately with:
/usr/local/lsws/admin/misc/lsup.sh -v 5.0.2
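The following POSIX shell script is an added example, not part of this advisory or of LiteSpeed's own tooling. It reads the installed LiteSpeed version and reports which of the two lsup.sh commands above applies, generalising the advisory's "update 4.x to 4.2.24, 5.x to 5.0.2" rule to any version below those targets via a dotted-version comparison. It assumes (not stated on this page) that the installed version is recorded as the first line of /usr/local/lsws/VERSION; the path can be overridden with the LSWS_VERSION_FILE environment variable.

```shell
#!/bin/sh
# Added example: check the installed LiteSpeed version against the fixed
# releases named in the advisory (4.2.24 for the 4.x branch, 5.0.2 for 5.x).
# ASSUMPTION: LiteSpeed records its version in /usr/local/lsws/VERSION.
LSWS_VERSION_FILE="${LSWS_VERSION_FILE:-/usr/local/lsws/VERSION}"

# Compare two dotted numeric versions component by component.
# Prints -1 if $1 < $2, 0 if equal, 1 if $1 > $2 (missing components count as 0).
version_cmp() {
    vc_a="$1"; vc_b="$2"
    while [ -n "$vc_a" ] || [ -n "$vc_b" ]; do
        vc_ah="${vc_a%%.*}"; vc_bh="${vc_b%%.*}"
        case "$vc_a" in *.*) vc_a="${vc_a#*.}" ;; *) vc_a="" ;; esac
        case "$vc_b" in *.*) vc_b="${vc_b#*.}" ;; *) vc_b="" ;; esac
        if [ "${vc_ah:-0}" -lt "${vc_bh:-0}" ]; then printf '%s\n' -1; return 0; fi
        if [ "${vc_ah:-0}" -gt "${vc_bh:-0}" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Print the recommended action for one LiteSpeed version string.
lsws_advice() {
    v="$1"
    # Reject anything that is not a plain dotted numeric version.
    case "$v" in
        ''|*[!0-9.]*) echo "UNKNOWN: '$v' is not a numeric version; check the release log"; return 0 ;;
    esac
    case "$v" in
        4.*) target=4.2.24 ;;
        5.*) target=5.0.2 ;;
        *)   echo "UNKNOWN: $v is not a 4.x or 5.x release covered by the advisory"; return 0 ;;
    esac
    if [ "$(version_cmp "$v" "$target")" -lt 0 ]; then
        echo "UPDATE: /usr/local/lsws/admin/misc/lsup.sh -v $target"
    else
        echo "OK: $v is at or above $target"
    fi
}

# Read the installed version; "unknown" if the file is missing or unreadable.
installed_lsws_version() {
    if [ -r "$LSWS_VERSION_FILE" ]; then
        head -n 1 "$LSWS_VERSION_FILE" | tr -d '[:space:]'
    else
        echo unknown
    fi
}

# When run directly, report on the installed server.
lsws_advice "$(installed_lsws_version)"
```

Versions with suffixes such as release-candidate tags are deliberately reported as UNKNOWN rather than guessed at, so the script never tells you a pre-release build is safe.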
Sources:
https://openssl.org/news/secadv_20150709.txt
https://access.redhat.com/security/cve/CVE-2015-1793
https://www.litespeedtech.com/products/litespeed-web-server/release-log