Bug 494053 - (CVE-2007-6721) CVE-2007-6721 bouncycastle: unknown vulnerability in simple RSA CMS signatures
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Reported: 2009-04-03 17:09 EDT by Vincent Danen
Modified: 2009-05-12 15:46 EDT
Doc Type: Bug Fix
Last Closed: 2009-05-12 15:46:18 EDT

Description Vincent Danen 2009-04-03 17:09:25 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6721 to
the following vulnerability:

Name: CVE-2007-6721
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6721
Assigned: 20090329
Reference: MLIST:[dev-crypto] 20071109 Bouncy Castle Crypto Provider Package version 1.36 now available
Reference: URL: http://www.bouncycastle.org/devmailarchive/msg08195.html
Reference: CONFIRM: http://freshmeat.net/projects/bouncycastlecryptoapi/releases/265580
Reference: CONFIRM: http://www.bouncycastle.org/csharp/
Reference: CONFIRM: http://www.bouncycastle.org/releasenotes.html
Reference: OSVDB:50358
Reference: URL: http://www.osvdb.org/50358
Reference: OSVDB:50359
Reference: URL: http://www.osvdb.org/50359
Reference: OSVDB:50360
Reference: URL: http://www.osvdb.org/50360

The Legion of the Bouncy Castle Java Cryptography API before release 1.38 (aka
2.5.2), as used in Crypto Provider Package before 1.36, has unknown impact and
remote attack vectors related to "a Bleichenbacher vulnerability in simple RSA
CMS signatures without signed attributes."

Comment 2 Vincent Danen 2009-05-12 15:46:18 EDT
This vulnerability does not affect Fedora, which ships with 1.41 and higher.

It does not affect Red Hat Satellite as it uses OpenPGP (DSA) signatures, not RSA signatures.