A security flaw was found in the way the OpenSSL extension of the Ruby programming language (of version from the Git trunk repository after 2011-09-01 up to 2011-11-03) generated exponent value to be used for private RSA key generation (the bug caused the exponent for the generated key to be always '1'). A remote attacker could use this flaw to bypass / corrupt integrity of services, depending on strong private RSA keys generation mechanism. Relevant upstream patch: [1] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=33633
CVE Request: [2] http://www.openwall.com/lists/oss-security/2011/11/07/7
This issue did NOT affect the versions of the ruby package, as shipped with Red Hat Enterprise Linux 4, 5, and 6, since those versions directly call RSA_generate_key(3) OpenSSL library routine for RSA key generation: [3] http://www.openssl.org/docs/crypto/RSA_generate_key.html rather than to use own, Ruby language / module based, method. -- This issue did NOT affect the versions of the ruby package, as shipped with Fedora release of 14 and 15, since those versions directly call RSA_generate_key(3) OpenSSL library routine for RSA key generation: [4] http://www.openssl.org/docs/crypto/RSA_generate_key.html rather than to use own, Ruby language / module based, method.
This was assigned the name CVE-2011-4121: http://www.openwall.com/lists/oss-security/2011/11/07/8