Results 1 to 8 of 8

Thread: openssl hack

  1. #1
    Join Date
    Aug 2003
    Location
    East Coast
    Posts
    2,063

    openssl hack

    Problem Description
    When verifying a PKCS#1 v1.5 signature, OpenSSL ignores any bytes which follow the cryptographic hash being signed. In a valid signature there will be no such bytes.

    III. Impact
    OpenSSL will incorrectly report some invalid signatures as valid. When an RSA public exponent of 3 is used, or more generally when a small public exponent is used with a relatively large modulus (e.g., a public exponent of 17 with a 4096-bit modulus), an attacker can construct a signature which OpenSSL will accept as a valid PKCS#1 v1.5 signature.

  2. #2
    We really need a replacement for OpenSSL. It's had more security holes than probably any other *nix software in history.

  3. #3
    Join Date
    Aug 2003
    Location
    East Coast
    Posts
    2,063
    We also need some way to notify people when something like this comes out..

    I came here and could not believe that it had not been reported yet here...

    it would be nice to setup some type of email subscription based on control panel type / os version...

  4. #4
    Join Date
    Aug 2003
    Location
    East Coast
    Posts
    2,063
    For more information on this issue goto: http://www.openssl.org/news/secadv_20060905.txt

  5. #5
    Join Date
    Apr 2004
    Location
    San Jose
    Posts
    902
    Put yourself on the FreeBSD security mailing list. I usually see things here quite speedily: http://lists.freebsd.org/mailman/lis...-notifications
    Specializing in MySQL and website tuning for high traffic sites. cmwsci.com/

  6. #6
    Join Date
    Aug 2003
    Location
    East Coast
    Posts
    2,063
    I am on the list, I just thought it would be nice to have webhost specific security announcement system..

  7. #7
    My OpenSSL auto-updated last night

  8. #8
    Join Date
    Jan 2002
    Posts
    269
    I wonder why CentOS still hasn't released openssl-0.9.7a-43.11 for CentOS 4 i386. They released updates for all other platforms.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •