Bugzilla – Bug 48395
VUL-0: CVE-2003-0960: OpenCA: multiple flaws in OpenCA before version 0.9.1.4
Last modified: 2021-10-14 13:48:10 UTC
Hello. OpenCA update version 0.9.1.4 addresses several security-related flaws.
http://www.openca.org/news/CAN-2003-0960.txt

Olaf Kirch did a quick check for our version:

From: Olaf Kirch <okir@suse.de>
To: security-team@suse.de
Date: Fri, 28 Nov 2003 14:31:57 +0100
Subject: Re: [security-team] [Full-Disclosure] [OpenCA Advisory] Vulnerabilities in signature verification (fwd)
Reply-To: security-team@suse.de

On Fri, Nov 28, 2003 at 02:01:29PM +0100, Roman Drahtmueller wrote:
> do we already have this on a product?

/work/SRC/old-versions/7.2/arch/sles-i386/perl-OpenCA-CRL
/work/SRC/old-versions/7.2/arch/sles-i386/perl-OpenCA-OpenSSL
/work/SRC/old-versions/7.2/arch/sles-i386/perl-OpenCA-REQ
/work/SRC/old-versions/7.2/arch/sles-i386/perl-OpenCA-X509
/work/SRC/old-versions/7.3/all/perl-OpenCA-CRL
/work/SRC/old-versions/7.3/all/perl-OpenCA-OpenSSL
/work/SRC/old-versions/7.3/all/perl-OpenCA-REQ
/work/SRC/old-versions/7.3/all/perl-OpenCA-X509
/work/SRC/old-versions/8.0/all/perl-OpenCA-CRL
/work/SRC/old-versions/8.0/all/perl-OpenCA-OpenSSL
/work/SRC/old-versions/8.0/all/perl-OpenCA-REQ
/work/SRC/old-versions/8.0/all/perl-OpenCA-X509
/work/SRC/old-versions/8.1/all/perl-OpenCA-CRL
/work/SRC/old-versions/8.1/all/perl-OpenCA-OpenSSL
/work/SRC/old-versions/8.1/all/perl-OpenCA-REQ
/work/SRC/old-versions/8.1/all/perl-OpenCA-X509
/work/SRC/old-versions/8.2/all/perl-OpenCA-CRL
/work/SRC/old-versions/8.2/all/perl-OpenCA-OpenSSL
/work/SRC/old-versions/8.2/all/perl-OpenCA-REQ
/work/SRC/old-versions/8.2/all/perl-OpenCA-X509
/work/SRC/old-versions/9.0/all/perl-OpenCA-CRL
/work/SRC/old-versions/9.0/all/perl-OpenCA-OpenSSL
/work/SRC/old-versions/9.0/all/perl-OpenCA-REQ
/work/SRC/old-versions/9.0/all/perl-OpenCA-X509

> Multiple flaws in OpenCA before version 0.9.1.4 could cause OpenCA to
> use an incorrect certificate in the chain to determine the serial being
> checked which could lead to certificates that are revoked or expired
> being incorrectly accepted.

The version information is a bit confusing. The perl-OpenCA-* packages all have different version numbers. The only package with a 0.9 version is OpenCA-OpenSSL, and that has been present since SuLI 8.1 in version 0.9.63a, which IMHO is clearly greater than 0.9.1.4.

Maintainer: Uwe Gansert <ug@suse.de>

Olaf
--
Olaf Kirch     | Anyone who has had to work with X.509 has probably
okir@suse.de   | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
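The flaw class quoted from the advisory above, as an added example that is not OpenCA's code: a constructed CA, end-entity certificate and CRL are built with Python's `cryptography` package; `naive_accept` shows the pattern of looking up the serial of whichever certificate comes first in the bundle, and `checked_accept` resolves the end-entity certificate before consulting the CRL. The names, serial numbers and helper functions are assumptions made for the demonstration.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = dt.datetime.now(dt.timezone.utc)
def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(subject, issuer, issuer_key, key, serial, ca):
    """Constructed test certificate, valid for 30 days from now."""
    return (x509.CertificateBuilder().subject_name(_name(subject)).issuer_name(_name(issuer))
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW - dt.timedelta(days=1))
            .not_valid_after(NOW + dt.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def _crl(issuer, issuer_key, revoked_serials):
    """Constructed CRL listing the given serials as revoked."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(_name(issuer))
         .last_update(NOW).next_update(NOW + dt.timedelta(days=1)))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(NOW).build())
    return b.sign(issuer_key, hashes.SHA256())

# Constructed PKI: self-signed CA (serial 1) issues an end-entity cert (serial 1000), then revokes it.
CA_KEY, EE_KEY = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
CA = _cert("Test CA", "Test CA", CA_KEY, CA_KEY, 1, ca=True)
EE = _cert("user@example.test", "Test CA", CA_KEY, EE_KEY, 1000, ca=False)
CRL = _crl("Test CA", CA_KEY, [1000])

def end_entity(chain):
    """Return the one certificate that issued nothing else in the chain, whatever the bundle order."""
    issuer_names = {c.issuer for c in chain if c.issuer != c.subject}
    leaves = [c for c in chain if c.subject not in issuer_names]
    if len(leaves) != 1:
        raise ValueError("chain has no unique end-entity certificate")
    return leaves[0]

def is_revoked(cert, crl):
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None

def naive_accept(chain, crl):
    """Flawed pattern: checks whichever certificate happens to be first in the bundle."""
    return not is_revoked(chain[0], crl)

def checked_accept(chain, crl):
    """Correct pattern: resolve the end-entity certificate first, then check its serial."""
    return not is_revoked(end_entity(chain), crl)
```

With a CA-first bundle the naive check looks up serial 1 (the CA) and accepts the revoked end-entity certificate; the checked variant rejects it in either order.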
Uwe, can you check which versions need patching please. I'll provide you with the patchinfo file ASAP.
All we have are some low-level Perl modules from the whole OpenCA project. The bug is in the high-level API. None of the files that are affected and patched by the OpenCA team is in our distribution. We just use the low-level modules to parse certificates. I'll take a closer look, but at the moment I don't expect any problems for us.
There is nothing to do for us. None of the files patched by the OpenCA team (PKCS7.pm, crypto-utils.lib, verifySignature, viewSignature) is in any of our source tar.gz files. It's a bug in the web GUI and the logic they provide.
Ok, thank you!
CVE-2003-0960: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)