OpenPKG Corporation
OpenPKG CorporationSecuritySecurity Advisories

OpenPKG Security Advisory

OpenPKG-SA-2006.018

Publisher Name:          OpenPKG GmbH
Publisher Home:          http://openpkg.com/

Advisory Id (public):    OpenPKG-SA-2006.018
Advisory Type:           OpenPKG Security Advisory (SA)
Advisory Directory:      http://openpkg.com/go/OpenPKG-SA
Advisory Document:       http://openpkg.com/go/OpenPKG-SA-2006.018
Advisory Published:      2008-10-06 16:16 UTC

Issue Id (internal):     OpenPKG-SI-20060906.01
Issue First Created:     2006-09-06
Issue Last Modified:     2006-12-07
Issue Revision:          06



Subject Name:            OpenSSL
Subject Summary:         Cryptography and SSL/TLS Toolkit
Subject Home:            http://www.openssl.org/
Subject Versions:        * <= 0.9.8b

Vulnerability Id:        CVE-2006-4339
Vulnerability Scope:     global (not OpenPKG specific)

Attack Feasibility:      run-time
Attack Vector:           remote network
Attack Impact:           identity fraud

Description:
    According to a vendor security advisory [0], Daniel Bleichenbacher
    described a possible attack on PKCS #1 v1.5 signatures which affects
    the cryptography and SSL/TLS toolkit OpenSSL [1].
    
    If an RSA key with exponent 3 is used it may be possible to forge
    a PKCS #1 v1.5 signature signed by that key. Implementations may
    incorrectly verify the certificate if they are not checking for excess
    data in the RSA exponentiation result of the signature. Since there
    are CAs using exponent 3 in wide use, and PKCS #1 v1.5 is used in
    X.509 certificates, all software that uses OpenSSL to verify X.509
    certificates is potentially vulnerable, as well as any other use of
    PKCS #1 v1.5. This includes software that uses OpenSSL for SSL or TLS.

References:
    [0] http://www.openssl.org/news/secadv_20060905.txt
    [1] http://www.openssl.org/



Primary Package Name:    openssl
Primary Package Home:    http://openpkg.org/go/package/openssl

Affected Distribution:   Affected Branch:  Affected Package:
OpenPKG Community        2.5-SOLID         openssl-0.9.8a-2.5.1
OpenPKG Community        2-STABLE          openssl-0.9.8b-2.20060622
OpenPKG Community        CURRENT           openssl-0.9.8b-20060505

Corrected Distribution:  Corrected Branch: Corrected Package:
OpenPKG Community        2.5-SOLID         openssl-0.9.8a-2.5.2
OpenPKG Community        2-STABLE          openssl-0.9.8c-2.20060906
OpenPKG Community        CURRENT           openssl-0.9.8c-20060905
Plain Text Version

Latest Advisories:
2007.023 perl
2007.022 bind
2007.021 wordpress
2007.020 php
2007.019 php
2007.018 freetype
2007.017 ratbox
2007.016 gd
2007.015 quagga
2007.014 bind
more...

See Also:
OpenPKG Enterprise 1
ChangeLog!

Meta: About | Imprint | Policy | Feedback | Sitemap | Search:
Validation: XHTML | CSS