Bug 494053 (CVE-2007-6721)

Summary: CVE-2007-6721 bouncycastle: unknown vulnerability in simple RSA CMS signatures
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: low
Version: unspecified
CC: bressers, langel
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2009-05-12 19:46:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Vincent Danen 2009-04-03 21:09:25 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6721 to
the following vulnerability:

Name: CVE-2007-6721
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6721
Assigned: 20090329
Reference: MLIST:[dev-crypto] 20071109 Bouncy Castle Crypto Provider Package version 1.36 now available
Reference: URL: http://www.bouncycastle.org/devmailarchive/msg08195.html
Reference: CONFIRM: http://freshmeat.net/projects/bouncycastlecryptoapi/releases/265580
Reference: CONFIRM: http://www.bouncycastle.org/csharp/
Reference: CONFIRM: http://www.bouncycastle.org/releasenotes.html
Reference: OSVDB:50358
Reference: URL: http://www.osvdb.org/50358
Reference: OSVDB:50359
Reference: URL: http://www.osvdb.org/50359
Reference: OSVDB:50360
Reference: URL: http://www.osvdb.org/50360

The Legion of the Bouncy Castle Java Cryptography API before release 1.38 (aka
2.5.2), as used in Crypto Provider Package before 1.36, has unknown impact and
remote attack vectors related to "a Bleichenbacher vulnerability in simple RSA
CMS signatures without signed attributes."
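The report gives no detail of the affected check, but the verifier flaw behind Bleichenbacher-style RSA signature forgeries in general is a PKCS#1 v1.5 verifier that parses the recovered block and searches for the digest instead of rebuilding the block and comparing it byte for byte. As an added illustration (not Bouncy Castle code, and not a claim about how its CMS path was written), the strict encode-and-compare check beside the lax parse-and-search pattern; the sample content and the 256-byte block length are constructed.

```python
import hashlib
import hmac

# DER encoding of the DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def digest_info(message: bytes) -> bytes:
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()

def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """EM = 0x00 || 0x01 || PS || 0x00 || T, where PS is at least eight 0xff bytes."""
    t = digest_info(message)
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def verify_em_strict(em: bytes, message: bytes) -> bool:
    """Encode-and-compare: accept only the single EM the encoder would produce."""
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(message, len(em)))

def verify_em_lax(em: bytes, message: bytes) -> bool:
    """Parse-then-search (the flawed pattern): skip header and padding, then look
    for T without requiring it to end exactly at the end of EM."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = digest_info(message)
    return em[i + 1:i + 1 + len(t)] == t  # bytes after T are never inspected

def malformed_em(message: bytes, em_len: int) -> bytes:
    """An EM with minimal padding and unchecked filler after T: acceptable to the
    lax parser, not equal to the canonical encoding. Constructed for this demo."""
    t = digest_info(message)
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\x00" * (em_len - len(head))

if __name__ == "__main__":
    msg = b"constructed sample CMS content"  # constructed, not from the report
    good, bad = emsa_pkcs1_v15_encode(msg, 256), malformed_em(msg, 256)  # 2048-bit modulus
    print("strict:", verify_em_strict(good, msg), verify_em_strict(bad, msg))  # True False
    print("lax:   ", verify_em_lax(good, msg), verify_em_lax(bad, msg))        # True True
```

The strict form is what a defender should look for when reviewing a verifier: any block that is not exactly the canonical encoding is rejected, so trailing bytes after the DigestInfo can never be used to absorb the slack an attacker needs.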

Comment 2 Vincent Danen 2009-05-12 19:46:18 UTC
This vulnerability does not affect Fedora which ships with 1.41 and higher.

It does not affect Red Hat Satellite as it uses OpenPGP (DSA) signatures, not RSA signatures.