Date: Mon, 07 Nov 2011 16:55:18 +0100 From: Jan Lieskovsky <jlieskov@...hat.com> To: "Steven M. Christey" <coley@...us.mitre.org> CC: oss-security@...ts.openwall.com Subject: CVE Request -- Ruby (OpenSSL extension) -- Insecure way of creation exponent value by private RSA key generation Hello Kurt, Steve, vendors, a security flaw was found in the way the OpenSSL extension of the Ruby programming language (of version from the Git trunk repository after 2011-09-01 up to 2011-11-03) generated exponent value to be used for private RSA key generation (the bug caused the exponent for the generated key to be always '1'). A remote attacker could use this flaw to bypass / corrupt integrity of services, depending on strong private RSA keys generation mechanism. Relevant upstream patch:  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=33633 References:  https://bugzilla.redhat.com/show_bug.cgi?id=751800 Could you allocate a CVE id for this? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.