Posted: Thu Sep 28, 2006 3:26 pm Post subject: [ GLSA 200609-18 ] Opera: RSA signature forgery
Gentoo Linux Security Advisory
Title: Opera: RSA signature forgery (GLSA 200609-18)
Date: September 28, 2006
Opera fails to correctly verify certain signatures.
Opera is a multi-platform web browser.
Vulnerable: < 9.02
Unaffected: >= 9.02
Architectures: All supported architectures
Opera makes use of OpenSSL, which fails to correctly verify PKCS #1 v1.5 RSA signatures signed by a key with exponent 3. Some CAs in Opera's list of trusted signers are using root certificates with exponent 3.
An attacker could forge certificates which will appear valid and signed by a trusted CA.
There is no known workaround at this time.
All Opera users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/opera-9.02"
Last edited by GLSA on Fri Sep 29, 2006 4:18 am; edited 1 time in total