Bug 1328022 (CVE-2016-0695)
| Summary: | CVE-2016-0695 OpenJDK: insufficient DSA key parameters checks (Security, 8138593) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | dbhole, jvanek, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
It was discovered that the Security component in OpenJDK failed to check the digest algorithm strength when generating DSA signatures. The use of a digest weaker than the key strength could lead to the generation of signatures that were weaker than expected.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-05-09 14:41:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1324915 | ||
|
Description
Tomas Hoger
2016-04-18 08:56:53 UTC
Related note in Oracle JDK release notes: DSA signature generation is now subject to a key strength check For signature generation, if the security strength of the digest algorithm is weaker than the security strength of the key used to sign the signature (e.g. using (2048, 256)-bit DSA keys with SHA1withDSA signature), the operation will fail with the error message: "The security strength of SHA1 digest algorithm is not sufficient for this key size." JDK-8138593 (not public) http://www.oracle.com/technetwork/java/javase/8u91-relnotes-2949462.html http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_101 http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_115 Public now via Oracle Critical Patch Update - April 2016. Fixed in Oracle Java SE 6u115, 7u101, and 8u91. External References: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html#AppendixJAVA This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0651 https://rhn.redhat.com/errata/RHSA-2016-0651.html This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:0650 https://rhn.redhat.com/errata/RHSA-2016-0650.html This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 7 Via RHSA-2016:0676 https://rhn.redhat.com/errata/RHSA-2016-0676.html This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2016:0677 https://rhn.redhat.com/errata/RHSA-2016-0677.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0675 https://rhn.redhat.com/errata/RHSA-2016-0675.html This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 5 Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2016:0679 https://rhn.redhat.com/errata/RHSA-2016-0679.html This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 5 Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2016:0678 https://rhn.redhat.com/errata/RHSA-2016-0678.html OpenJDK8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/594e8dca337c This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2016:0723 https://rhn.redhat.com/errata/RHSA-2016-0723.html |