Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6721 to the following vulnerability: Name: CVE-2007-6721 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6721 Assigned: 20090329 Reference: MLIST:[dev-crypto] 20071109 Bouncy Castle Crypto Provider Package version 1.36 now available Reference: URL: http://www.bouncycastle.org/devmailarchive/msg08195.html Reference: CONFIRM: http://freshmeat.net/projects/bouncycastlecryptoapi/releases/265580 Reference: CONFIRM: http://www.bouncycastle.org/csharp/ Reference: CONFIRM: http://www.bouncycastle.org/releasenotes.html Reference: OSVDB:50358 Reference: URL: http://www.osvdb.org/50358 Reference: OSVDB:50359 Reference: URL: http://www.osvdb.org/50359 Reference: OSVDB:50360 Reference: URL: http://www.osvdb.org/50360 The Legion of the Bouncy Castle Java Cryptography API before release 1.38 (aka 2.5.2), as used in Crypto Provider Package before 1.36, has unknown impact and remote attack vectors related to "a Bleichenbacher vulnerability in simple RSA CMS signatures without signed attributes."
Relevant cvs commit: http://www.bouncycastle.org/viewcvs/viewcvs.cgi/java/crypto/src/org/bouncycastle/cms/SignerInformation.java.diff?r2=1.14&r1=1.13&diff_format=u
This vulnerability does not affect Fedora which ships with 1.41 and higher. It does not affect Red Hat Satellite as it uses OpenPGP (DSA) signatures, not RSA signatures.