GLSA Advocate
Posted: Thu Sep 28, 2006 3:26 pm Post subject: [ GLSA 200609-18 ] Opera: RSA signature forgery
Gentoo Linux Security Advisory
Title: Opera: RSA signature forgery (GLSA 200609-18)
Severity: normal
Exploitable: remote
Date: September 28, 2006
Bug(s): #147838
ID: 200609-18
Synopsis
Opera fails to correctly verify certain signatures.
Background
Opera is a multi-platform web browser.
Affected Packages
Package: www-client/opera
Vulnerable: < 9.02
Unaffected: >= 9.02
Architectures: All supported architectures
Description
Opera makes use of OpenSSL, which fails to correctly verify PKCS #1
v1.5 RSA signatures signed by a key with exponent 3. Some CAs in
Opera's list of trusted signers are using root certificates with
exponent 3.
Impact
An attacker could forge certificates which will appear valid and signed
by a trusted CA.
Workaround
There is no known workaround at this time.
Resolution
All Opera users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/opera-9.02"
References
Opera Advisory
GLSA 200609-05
Last edited by GLSA on Mon Jun 10, 2013 4:23 am; edited 2 times in total
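The Description above concerns the PKCS #1 v1.5 encoding check. As an added example (not code from the advisory, Opera or OpenSSL), this compares a lax parser with a strict rebuild-and-compare check on the encoded block that the RSA public-key operation yields. The lax parser models a verifier that ignores bytes after the digest, which is an assumption about the failure mode that the advisory does not spell out; all function names and sample values are constructed.

```python
import hashlib
import hmac

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def expected_em(message: bytes, k: int) -> bytes:
    """The single valid encoding: 00 01 FF..FF 00 DigestInfo, exactly k bytes."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:                      # at least 8 bytes of FF padding
        raise ValueError("modulus too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def lax_check(em: bytes, message: bytes) -> bool:
    """Hypothetical flawed verifier: walks the padding, reads the digest, stops."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    if em[i:i + len(SHA256_PREFIX)] != SHA256_PREFIX:
        return False
    i += len(SHA256_PREFIX)
    digest = em[i:i + 32]                    # bytes after this are never examined
    return digest == hashlib.sha256(message).digest()

def strict_check(em: bytes, message: bytes) -> bool:
    """Rebuild the expected block and compare all k bytes in constant time."""
    return hmac.compare_digest(em, expected_em(message, len(em)))

def malformed_em(message: bytes, k: int) -> bytes:
    """Constructed test vector: short padding, digest not right-justified."""
    head = b"\x00\x01\xff\x00" + SHA256_PREFIX + hashlib.sha256(message).digest()
    return head + b"\xaa" * (k - len(head))

if __name__ == "__main__":
    msg, k = b"constructed sample message", 256   # k = bytes in a 2048-bit modulus
    for name, em in (("well-formed", expected_em(msg, k)),
                     ("malformed", malformed_em(msg, k))):
        print(name, "lax:", lax_check(em, msg), "strict:", strict_check(em, msg))
```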