Slashdot Mirror


OpenSSL Hit by Forgery Bug

Daniel Cray writes to tell us ZDNet is reporting that OpenSSL versions up to 0.9.7j and 0.9.8b are vulnerable to a signature forgery technique. OpenSSL has already released an update fixing the problem. From the article: "The flaw only affects a particular type of signature — PKCS #1 v1.5 signatures — but these are used by some certificate authorities... The signature forgery technique was first demonstrated last month at the Crypto 2006 conference by Daniel Bleichenbacher, a cryptographer with Bell Labs, according to security firm Netcraft. OpenSSL credited Google Security with successfully forging various certificates and providing the fix."

2 of 69 comments

  1. The advantages of using Debian... by kcbrown · Score: -1, Redundant

    This one is already fixed in Debian's openssl version 0.9.8b-3 in -testing (-unstable now has 0.9.8c-1), and 0.9.7e-3sarge2 in -stable-security.

    This is one of the reasons I run Debian. Important things like this get fixed quickly and updating is painless, thanks to apt-get.

    I expect that Ubuntu is similarly responsive. I know that it's just as easy to keep updated, since they use the same packaging and dependency-tracking mechanisms.

    --
    Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
  2. apt-get => sleeping tight. by Anonymous Coward · Score: -1, Redundant

    Get:1 http://ftp.debian.org/ unstable/main libssl0.9.7 0.9.7k-1 [2279kB]