Hi fellow LTS contributors I have checked this CVE and my conclusions are as follows. The CVE actually cover five different problems. I guess CVEs should not do that, but it did anyway.
Quote from upstream: Two were vulnerabilities in v3.0 involving the new RSA::SIGNATURE_RELAXED_PKCS1 mode (which doesn't exist in 2.0) Two were bugs in v3.0 involving the new RSA::SIGNATURE_RELAXED_PKCS1 mode (which again, doesn't exist in 2.0) One was a bug in v1.0, v2.0 and v3.0. The bug refers to "We have also found incompatibility issue in phpseclib v1, v2, v3 (strict mode)'s RSA PKCS#1 v1.5 signature verification suffering from rejecting valid signatures whose encoded message uses implicit hash algorithm's NULL parameter." My conclusion is that one bug can be fixed. But I do not think it is a security problem. The problem is that some signatures fail valid signatures, if they are encoded in a special way. What I have done is to mark the CVE as not-affected with a note about this. Let me know if you think my analysis is correct. I'm sending this to you all since I'm not 100% sure how to treat it. Best regards // Ola -- --- Inguza Technology AB --- MSc in Information Technology ---- | o...@inguza.com o...@debian.org | | http://inguza.com/ Mobile: +46 (0)70-332 1551 | ---------------------------------------------------------------
