mailing list archives
CVE Request -- Ruby (OpenSSL extension) -- Insecure way of creation exponent value by private RSA key generation
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 07 Nov 2011 16:55:18 +0100
Hello Kurt, Steve, vendors,
a security flaw was found in the way the OpenSSL extension of the
Ruby programming language (of version from the Git trunk repository
after 2011-09-01 up to 2011-11-03) generated exponent value to be used
for private RSA key generation (the bug caused the exponent for the
generated key to be always '1'). A remote attacker could use this flaw
to bypass / corrupt integrity of services, depending on strong private
RSA keys generation mechanism.
Relevant upstream patch:
Could you allocate a CVE id for this?
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
- CVE Request -- Ruby (OpenSSL extension) -- Insecure way of creation exponent value by private RSA key generation Jan Lieskovsky (Nov 07)