|Summary:||dev-libs/openssl RSA Signature Forgery (CVE-2006-4339)|
|Product:||Gentoo Security||Reporter:||Sune Kloppenborg Jeppesen <jaervosz>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||normal||CC:||bernd, bolke, chainsaw, chazefroy, tcort|
|Whiteboard:||A3? [glsa] jaervosz|
|Package list:||Runtime testing required:||---|
|Bug Depends on:|
Description Sune Kloppenborg Jeppesen 2006-09-05 05:17:08 UTC
OpenSSL Security Advisory [5th September 2006] RSA Signature Forgery (CVE-2006-4339) ===================================== Vulnerability ------------- Daniel Bleichenbacher recently described an attack on PKCS #1 v1.5 signatures. If an RSA key with exponent 3 is used it may be possible to forge a PKCS #1 v1.5 signature signed by that key. Implementations may incorrectly verify the certificate if they are not checking for excess data in the RSA exponentiation result of the signature. Since there are CAs using exponent 3 in wide use, and PKCS #1 v1.5 is used in X.509 certificates, all software that uses OpenSSL to verify X.509 certificates is potentially vulnerable, as well as any other use of PKCS #1 v1.5. This includes software that uses OpenSSL for SSL or TLS. OpenSSL versions up to 0.9.7j and 0.9.8b are affected. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2006-4339 to this issue. Recommendations --------------- There are multiple ways to avoid this vulnerability. Any one of the following measures is sufficient. 1. Upgrade the OpenSSL server software. The vulnerability is resolved in the following versions of OpenSSL: - in the 0.9.7 branch, version 0.9.7k (or later); - in the 0.9.8 branch, version 0.9.8c (or later). OpenSSL 0.9.8c and OpenSSL 0.9.7k are available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): o http://www.openssl.org/source/ o ftp://ftp.openssl.org/source/ The distribution file names are: o openssl-0.9.8c.tar.gz MD5 checksum: 78454bec556bcb4c45129428a766c886 SHA1 checksum: d0798e5c7c4509d96224136198fa44f7f90e001d o openssl-0.9.7k.tar.gz MD5 checksum: be6bba1d67b26eabb48cf1774925416f SHA1 checksum: 90056b8f5e518edc9f74f66784fbdcfd9b784dd2 The checksums were calculated using the following commands: openssl md5 openssl-0.9*.tar.gz openssl sha1 openssl-0.9*.tar.gz 2. If this version upgrade is not an option at the present time, alternatively the following patch may be applied to the OpenSSL source code to resolve the problem. The patch is compatible with the 0.9.7, 0.9.8, and 0.9.9 branches of OpenSSL. o http://www.openssl.org/news/patch-CVE-2006-4339.txt Whether you choose to upgrade to a new version or to apply the patch, make sure to recompile any applications statically linked to OpenSSL libraries. Acknowledgements ---------------- The OpenSSL team thank Philip Mackenzie, Marius Schilder, Jason Waddle and Ben Laurie, of Google Security, who successfully forged various certificates, showing OpenSSL was vulnerable, and provided the patch to fix the problems. References ---------- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339 URL for this Security Advisory: http://www.openssl.org/news/secadv_20060905.txt
Comment 1 Sune Kloppenborg Jeppesen 2006-09-05 05:18:36 UTC
base-system please advise.
Comment 2 SpanKY 2006-09-05 08:10:44 UTC
both versions now in portage
Comment 3 Sune Kloppenborg Jeppesen 2006-09-05 09:07:10 UTC
Arches please test and mark stable.
Comment 4 Joe Jezak (RETIRED) 2006-09-05 09:32:47 UTC
Marked ppc stable.
Comment 5 Mike Doty (RETIRED) 2006-09-05 09:55:44 UTC
amd64 stable, w00t w00t
Comment 6 Jason Wever (RETIRED) 2006-09-05 10:41:29 UTC
openssl-0.9.7k stable on sparc.
Comment 7 Markus Rothe (RETIRED) 2006-09-05 11:15:33 UTC
0.9.8c stable on ppc64
Comment 8 Thomas Cort (RETIRED) 2006-09-05 12:21:22 UTC
Comment 9 Joshua Jackson (RETIRED) 2006-09-05 20:55:34 UTC
x86 stable. ^.^
Comment 10 Joshua Jackson (RETIRED) 2006-09-05 20:56:14 UTC
removing x86 as I forgot.
Comment 11 Sune Kloppenborg Jeppesen 2006-09-06 07:49:04 UTC
*** Bug 146557 has been marked as a duplicate of this bug. ***
Comment 12 Sebastian 2006-09-06 09:46:07 UTC
Hi all, since the update I can't use https/sasl anymore. You can read the full story here: http://forums.gentoo.org/viewtopic-t-495860.html I reemerged dev-libs/openssl-0.9.7j with above patch applied and now it works again. I hope this just happens on my box. :-) S.
Comment 13 Wolf Giesen (RETIRED) 2006-09-06 13:02:15 UTC
No, it doesn't. I got hosed, too. Still checking the details :/
Comment 14 Raphael Marichez (Falco) (RETIRED) 2006-09-07 11:35:23 UTC
> No, it doesn't. I got hosed, too. Still checking the details :/ > https works nicefully here (x86) NB HPPA: we're just waiting for you before issuing the GLSA. Something wrong ?
Comment 15 Wolf Giesen (RETIRED) 2006-09-07 12:12:42 UTC
Yeah, blooper with qca-tls. I needed 1.0-r3 (~x86, stable wouldn't compile).
Comment 16 Gustavo Zacarias (RETIRED) 2006-09-07 12:36:21 UTC
0.9.7k hppa stable.
Comment 17 Sune Kloppenborg Jeppesen 2006-09-07 21:50:15 UTC
Comment 18 Frido Ferdinand 2006-09-11 10:32:07 UTC
Hi, i'm getting some different answers from a lot of folks, so maybe someone here could advise me. If i update 0.9.7i and update to 0.9.7j, would i need to revdep-rebuild everything or are they binary compatible ?
Comment 19 SpanKY 2006-09-11 11:16:38 UTC
all 0.9.6 versions are ABI compat with each other all 0.9.7 versions are ABI compat with each other all 0.9.8 versions are ABI compat with each other etc...