CVE-2006-4339

Impact:
Important
Public Date:
2006-09-05
Bugzilla:
430659: CVE-2006-4339 openssl signature forgery

The MITRE CVE dictionary describes this issue as:

OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1.

Find out more about CVE-2006-4339 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

Vulnerable. This issue affects OpenSSL and OpenSSL compatibility packages in Red Hat Enterprise Linux 2.1, 3, and 4. Updates, along with our advisory are available at the URL below.
http://rhn.redhat.com/errata/RHSA-2006-0661.html

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 2.1 RHSA-2007:0072 2007-01-24
Red Hat Enterprise Linux 4 RHSA-2006:0661 2006-09-06
Red Hat Satellite 5.1 (RHEL v.4 AS) (rhn-solaris-bootstrap) RHSA-2008:0629 2008-08-13
Red Hat Enterprise Linux AS version 4 Extras (java-1.4.2-ibm) RHSA-2007:0062 2007-02-07
Red Hat Enterprise Linux 2.1 RHSA-2006:0661 2006-09-06
Red Hat Satellite 5.0 (RHEL v.4 AS) (rhn-solaris-bootstrap) RHSA-2008:0264 2008-05-20
Red Hat Enterprise Linux AS version 3 Extras (java-1.4.2-ibm) RHSA-2007:0062 2007-02-07
Red Hat Enterprise Linux 3 RHSA-2006:0661 2006-09-06
Red Hat Satellite v 4.2 (RHEL v.3 AS) RHSA-2008:0525 2008-06-30
Red Hat Satellite v 4.2 (RHEL v.4 AS) RHSA-2008:0525 2008-06-30
Red Hat Enterprise Linux AS version 4 Extras (java-1.5.0-ibm) RHSA-2007:0073 2007-02-09

Affected Packages State

Platform Package State
Red Hat Satellite 5.0 Server Affected
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although may not have been subject to full analysis.
Last Modified

CVE description copyright © 2017, The MITRE Corporation