OpenSSL-Patch for CVE-2006-4339

OpenSSL-Patch for CVE-2006-4339

Sebastian Rother
I wrote it once but I'll write it twice.
It would be very neat if somebody would be able to

a) tell me if this is fixed or NOT (it does NOT look like fixed btw)
b) move and commit that patch.

Maybe now this mail will get noticed.
Thanks...

------------------------------------------------
From an announce-Mail:

*snip*
OpenSSL Security Advisory [5th September 2006]

RSA Signature Forgery (CVE-2006-4339)
=====================================
Vulnerability
-------------

Daniel Bleichenbacher recently described an attack on PKCS #1 v1.5
signatures. If an RSA key with exponent 3 is used it may be possible
to forge a PKCS #1 v1.5 signature signed by that key. Implementations
may incorrectly verify the certificate if they are not checking for
excess data in the RSA exponentiation result of the signature.

Since there are CAs using exponent 3 in wide use, and PKCS #1 v1.5 is
used in X.509 certificates, all software that uses OpenSSL to verify
X.509 certificates is potentially vulnerable, as well as any other use
of PKCS #1 v1.5. This includes software that uses OpenSSL for SSL or
TLS.

OpenSSL versions up to 0.9.7j and 0.9.8b are affected.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2006-4339 to this issue.

*snip*

I don't think OpenBSD wanna include the latest 0.9.7-Version (0.9.7k) so a
Patch can be found here:

http://www.openssl.org/news/patch-CVE-2006-4339.txt

-----------------------------------------------------------------------

Kind regards,
Sebastian
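
The "excess data" check the advisory above refers to, as an added example that is not part of this thread and is not OpenSSL's code: a lax parser that stops reading after the digest, next to a strict check that rebuilds the one valid PKCS #1 v1.5 block and compares every byte. It works on the already-exponentiated block only (no RSA arithmetic); the names `lax_check`, `strict_check`, `check_sample` and `K`, the 1024-bit key size, SHA-1 and all sample bytes are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define K 128    /* modulus length in bytes (1024-bit key, assumed) */
#define TLEN 35  /* DigestInfo: 15-byte SHA-1 prefix + 20-byte digest */

/* DER prefix of a SHA-1 DigestInfo (RFC 8017, section 9.2). */
static const unsigned char SHA1_PREFIX[15] = {
    0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
    0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };

/* Lax: parses 00 01 FF..FF 00 DigestInfo and never looks past the digest. */
static int lax_check(const unsigned char *em, const unsigned char *digest)
{
    size_t i = 2;
    if (em[0] != 0x00 || em[1] != 0x01) return 0;
    while (i < K && em[i] == 0xff) i++;            /* skip FF padding */
    if (i < 10 || i + 1 + TLEN > K || em[i] != 0x00) return 0;
    return memcmp(em + i + 1, SHA1_PREFIX, 15) == 0 &&
           memcmp(em + i + 16, digest, 20) == 0;   /* bytes after this: unchecked */
}

/* Strict: rebuilds the single valid encoding and compares all K bytes, so
 * short padding or any byte after the digest fails the comparison. */
static int strict_check(const unsigned char *em, const unsigned char *digest)
{
    unsigned char expect[K];
    memset(expect, 0xff, K);
    expect[0] = 0x00; expect[1] = 0x01; expect[K - TLEN - 1] = 0x00;
    memcpy(expect + K - TLEN, SHA1_PREFIX, 15);
    memcpy(expect + K - 20, digest, 20);
    return memcmp(expect, em, K) == 0;
}

/* Builds a constructed block with pad_len FF bytes (pad_len <= K-3-TLEN);
 * any space left after the digest holds 0xAA filler. Returns the verdict. */
int check_sample(size_t pad_len, int strict)
{
    unsigned char em[K], digest[20];
    memset(digest, 0x5c, sizeof digest);           /* constructed digest */
    memset(em, 0xaa, sizeof em);
    em[0] = 0x00; em[1] = 0x01;
    memset(em + 2, 0xff, pad_len);
    em[2 + pad_len] = 0x00;
    memcpy(em + 3 + pad_len, SHA1_PREFIX, 15);
    memcpy(em + 3 + pad_len + 15, digest, 20);
    return strict ? strict_check(em, digest) : lax_check(em, digest);
}

int main(void)
{
    printf("full padding : lax=%d strict=%d\n", check_sample(K - 3 - TLEN, 0), check_sample(K - 3 - TLEN, 1));
    printf("trailing data: lax=%d strict=%d\n", check_sample(8, 0), check_sample(8, 1));
    return 0;
}
```

Both checks accept the fully padded block; only the strict one rejects the block that carries bytes after the digest.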

Re: OpenSSL-Patch for CVE-2006-4339

Ted Unangst-2
On 9/8/06, Sebastian Rother <[hidden email]> wrote:
> I wrote it once but I'll write it twice.
> It would be very neat if somebody would be able to
>
> a) tell me if this is fixed or NOT (it does NOT look like fixed btw)
> b) move and commit that patch.

it will be.  if you've been paying attention, you'll notice the patch
has changed twice already, so applying every patch the minute it comes
out turns out to be not so fun.

> http://www.openssl.org/news/patch-CVE-2006-4339.txt

Re: OpenSSL-Patch for CVE-2006-4339

Norbert P. Copones
In reply to this post by Sebastian Rother
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/crypto/rsa/rsa_sign.c

On Sat, September 9, 2006 5:19 am, Sebastian Rother wrote:
> I wrote it once but I'll write it twice.
> It would be very neat if somebody would be able to
>
> a) tell me if this is fixed or NOT (it does NOT look like fixed btw)
> b) move and commit that patch.