A high-severity bug in OpenSSL was disclosed today, and it affects only organizations that installed an update released in June. The vulnerability allows an attacker holding an untrusted certificate to have it treated as a certificate authority and thereby impersonate another website. Attackers can use this to redirect traffic, mount man-in-the-middle attacks, run phishing schemes, or otherwise compromise traffic that is supposed to be encrypted. The bug was reported two weeks ago to the OpenSSL project by Google researcher Adam Langley and BoringSSL's David Benjamin.
Source: https://threatpost.com/openssl-patches-critical-certificate-validation-vulnerability/113703/

