[Bug 314776] [NEW] OpenSSL signature verification API misuses
Alexander Konovalenko
alexkon at gmail.com
Wed Jan 7 16:52:27 GMT 2009
*** This bug is a security vulnerability ***
Public security bug reported:
Binary package hint: openssl
Please see the details in the oCERT advisory #2008-016:
http://www.ocert.org/advisories/ocert-2008-016.html
"Several functions inside the OpenSSL library incorrectly check the
result after calling the EVP_VerifyFinal function.
This bug allows a malformed signature to be treated as a good signature
rather than as an error. This issue affects the signature checks on DSA
and ECDSA keys used with SSL/TLS.
The flaw may be exploited by a malicious server or a man-in-the-middle
attack that presents a malformed SSL/TLS signature from a certificate
chain to a vulnerable client, bypassing validation."
This affects not only OpenSSL, but also Bind, NTP and some other
packages.
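The return-value confusion the advisory describes, as an added C example (not code from OpenSSL, oCERT or this bug report). mock_verify_final is a simplified stand-in that follows the documented EVP_VerifyFinal contract (1 = verified, 0 = did not verify, negative = error such as an undecodable signature); the blobs are constructed test vectors, not real DSA or ECDSA signatures. accept_sig_flawed uses a "not zero means success" test, so a blob that fails to decode is accepted; accept_sig_fixed treats anything other than 1 as rejection.

```c
#include <stdio.h>
#include <string.h>

/* Return-value contract of OpenSSL's EVP_VerifyFinal, as documented in the
 * OpenSSL manual page:
 *    1  : the signature verified
 *    0  : the signature is well-formed but does not verify
 *   <0  : an error occurred (for example the signature could not be decoded)
 * The bug is that a "not zero" test lumps the third case in with the first. */
#define VERIFY_OK     1
#define VERIFY_BAD    0
#define VERIFY_ERROR (-1)

/* Stand-in for EVP_VerifyFinal (added mock, not OpenSSL code). A "signature"
 * here is a toy DER-like blob: tag byte 0x30, a length byte, then the payload.
 * An undecodable blob yields VERIFY_ERROR, the path the advisory is about;
 * a decodable one yields VERIFY_OK or VERIFY_BAD by payload comparison. */
static int mock_verify_final(const unsigned char *sig, size_t siglen,
                             const unsigned char *expected, size_t explen)
{
    if (siglen < 2 || sig[0] != 0x30 || (size_t)sig[1] != siglen - 2)
        return VERIFY_ERROR;   /* malformed: decoding failed, nothing was verified */
    if (siglen - 2 == explen && memcmp(sig + 2, expected, explen) == 0)
        return VERIFY_OK;
    return VERIFY_BAD;         /* well-formed, but wrong signature value */
}

/* Flawed caller: the check pattern the advisory describes. Only a return of 0
 * is treated as rejection, so VERIFY_ERROR (-1) falls through to "accepted". */
int accept_sig_flawed(const unsigned char *sig, size_t siglen,
                      const unsigned char *expected, size_t explen)
{
    if (!mock_verify_final(sig, siglen, expected, explen))
        return 0;              /* rejected */
    return 1;                  /* accepted, including the error case: the bug */
}

/* Fixed caller: only an explicit 1 is success; 0 and every negative error
 * code are rejected. */
int accept_sig_fixed(const unsigned char *sig, size_t siglen,
                     const unsigned char *expected, size_t explen)
{
    if (mock_verify_final(sig, siglen, expected, explen) <= 0)
        return 0;              /* rejected */
    return 1;                  /* accepted */
}

/* Constructed test vectors (not real signatures): the "expected" payload and
 * three candidate blobs that exercise each branch of the return contract. */
const unsigned char EXPECTED_SIG[]   = { 0xAA, 0xBB, 0xCC };
const unsigned char GOOD_BLOB[]      = { 0x30, 0x03, 0xAA, 0xBB, 0xCC }; /* verifies */
const unsigned char WRONG_BLOB[]     = { 0x30, 0x03, 0xAA, 0xBB, 0xCD }; /* does not verify */
const unsigned char MALFORMED_BLOB[] = { 0x30, 0x07, 0xAA, 0xBB, 0xCC }; /* length byte lies */

/* Convenience wrapper: run one of the two callers against one blob. */
#define CHECK(fn, blob) fn(blob, sizeof(blob), EXPECTED_SIG, sizeof(EXPECTED_SIG))

int main(void)
{
    printf("%-10s %-8s %-8s\n", "blob", "flawed", "fixed");
    printf("%-10s %-8d %-8d\n", "good",
           CHECK(accept_sig_flawed, GOOD_BLOB), CHECK(accept_sig_fixed, GOOD_BLOB));
    printf("%-10s %-8d %-8d\n", "wrong",
           CHECK(accept_sig_flawed, WRONG_BLOB), CHECK(accept_sig_fixed, WRONG_BLOB));
    printf("%-10s %-8d %-8d\n", "malformed",
           CHECK(accept_sig_flawed, MALFORMED_BLOB), CHECK(accept_sig_fixed, MALFORMED_BLOB));
    return 0;
}
```

The malformed row is the whole bug: the flawed caller reports 1 (accepted) for a blob that was never verified at all, while the fixed caller reports 0. The same three-valued contract applies to DSA_verify and ECDSA_verify, so when auditing a code base for this class of defect, every call site of these functions should compare the result against 1 (or use `<= 0` for the failure branch) rather than testing it for zero.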
** Affects: bind9 (Ubuntu)
Importance: Undecided
Status: New
** Affects: ntp (Ubuntu)
Importance: Undecided
Status: New
** Affects: openssl (Ubuntu)
Importance: Undecided
Status: New
** Visibility changed to: Public
** Also affects: ntp (Ubuntu)
Importance: Undecided
Status: New
** Also affects: bind9 (Ubuntu)
Importance: Undecided
Status: New
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-5077
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0021
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0025
--
OpenSSL signature verification API misuses
https://bugs.launchpad.net/bugs/314776