Bug 494053 (CVE-2007-6721) - CVE-2007-6721 bouncycastle: unknown vulnerability in simple RSA CMS signatures
Summary: CVE-2007-6721 bouncycastle: unknown vulnerability in simple RSA CMS signatures
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2007-6721
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-04-03 21:09 UTC by Vincent Danen
Modified: 2019-09-29 12:29 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-05-12 19:46:18 UTC


Attachments (Terms of Use)

Description Vincent Danen 2009-04-03 21:09:25 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6721 to
the following vulnerability:

Name: CVE-2007-6721
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6721
Assigned: 20090329
Reference: MLIST:[dev-crypto] 20071109 Bouncy Castle Crypto Provider Package version 1.36 now available
Reference: URL: http://www.bouncycastle.org/devmailarchive/msg08195.html
Reference: CONFIRM: http://freshmeat.net/projects/bouncycastlecryptoapi/releases/265580
Reference: CONFIRM: http://www.bouncycastle.org/csharp/
Reference: CONFIRM: http://www.bouncycastle.org/releasenotes.html
Reference: OSVDB:50358
Reference: URL: http://www.osvdb.org/50358
Reference: OSVDB:50359
Reference: URL: http://www.osvdb.org/50359
Reference: OSVDB:50360
Reference: URL: http://www.osvdb.org/50360

The Legion of the Bouncy Castle Java Cryptography API before release 1.38 (aka
2.5.2), as used in Crypto Provider Package before 1.36, has unknown impact and
remote attack vectors related to "a Bleichenbacher vulnerability in simple RSA
CMS signatures without signed attributes."

Comment 2 Vincent Danen 2009-05-12 19:46:18 UTC
This vulnerability does not affect Fedora which ships with 1.41 and higher.

It does not affect Red Hat Satellite as it uses OpenPGP (DSA) signatures, not RSA signatures.


Note You need to log in before you can comment on or make changes to this bug.