openssl vulnerable?

Support for security such as Firewalls and securing linux
Post Reply
redesb
Posts: 1
Joined: 2006/09/17 01:05:05

openssl vulnerable?

Post by redesb » 2006/09/17 01:26:44

For now many webservers are in danger, new bug had been discovered in OpenSSL that makes it possible to exploit some certificates and login as root without a password.

[quote]Vulnerability
-------------

Daniel Bleichenbacher recently described an attack on PKCS #1 v1.5 signatures. If an RSA key with exponent 3 is used it may be possible to forge a PKCS #1 v1.5 signature signed by that key. Implementations may incorrectly verify the certificate if they are not checking for excess data in the RSA exponentiation result of the signature.

Since there are CAs using exponent 3 in wide use, and PKCS #1 v1.5 is used in X.509 certificates, all software that uses OpenSSL to verify X.509 certificates is potentially vulnerable, as well as any other use of PKCS #1 v1.5. This includes software that uses OpenSSL for SSL or TLS.

OpenSSL versions up to 0.9.7j and 0.9.8b are affected.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2006-4339 to this issue.[/quote]
You can read the complete text [url=http://www.openssl.org/news/secadv_20060905.txt]here[/url].

Latest CentOS 4.4 have openssl-0.9.7a-43.11 version. [b]Are CentOS 4.4 vulnerable?[/b]

gihrig
Posts: 2
Joined: 2006/09/09 23:00:24

openssl vulnerable?

Post by gihrig » 2006/09/22 23:46:01

[quote]Latest CentOS 4.4 have openssl-0.9.7a-43.11 version. Are CentOS 4.4 vulnerable?[/quote]

No, CentOS is not vulnerable, when updated to openssl-0.9.7a-43.11.

As I understand it, the version tail -43.11 indicates the patch level applied by RH to fix problems with distributed versions. This is how they maintain compatiblity with existing installations while maintaining security. This is what an "Enterprise OS" is all about.

seel [url=http://rhn.redhat.com/errata/RHSA-2006-0661.html]http://rhn.redhat.com/errata/RHSA-2006-0661.html[/url]

Post Reply

Return to “CentOS 4 - Security Support”