FYI _Vin

From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Receiving a RSA signature verification and other fixes
Date: Tue, 28 Nov 2006 09:06:53 -0500

<snip> <snip>

Dear RSA SecurCare Online Customer:

There have been news reports of three vulnerabilities in certain implementations of RSA signature verification and the SSL protocol family (SSL v2, SSL v3, and TLS v1) as follows:

•       Vulnerability VU#845620 - Multiple RSA implementations fail to properly handle signature verification, which may allow an attacker to forge an RSA signature (details posted on the US-Computer Emergency Readiness Team (US-CERT) site at http://www.kb.cert.org/vuls/id/845620)

•       Vulnerability VU#547300 - OpenSSL SSL_get_shared_ciphers() vulnerable to buffer overflow, which may allow an attacker to execute code on an affected system (details posted at http://www.kb.cert.org/vuls/id/547300)

•       Vulnerability VU#386964 - OpenSSL sslv2 client code fails to properly check for NULL, which may allow an attacker to cause a denial of service (details posted at http://www.kb.cert.org/vuls/id/386964)


Below are measures you can take to limit your exposure to these vulnerabilities:

As VU#845620 affects many RSA BSAFE products, RSA strongly recommends upgrading applications with the following new versions which include the remediation for this vulnerability:

•       Micro Edition Suite 2.2
•       Crypto-C 6.3.1
•       Cert-C 2.8
•       SSL-C 2.7.1

Note: If you are using the FIPS 140 cryptography support in SSL-C, please wait to upgrade to SSL-C 2.8 (to be launched in late Dec), as version 2.8 will offer support for FIPS 140 cryptography, functionality unavailable in SSL-C 2.7.1


As VU#547300 affects products with SSL functionality, RSA recommends upgrading applications with the following new versions which include the remediation for this vulnerability:

•       Micro Edition Suite 2.2
•       SSL-C 2.7.1

Note: If you are using the FIPS 140 cryptography support in SSL-C, please wait to upgrade to SSL-C 2.8 (to be launched in late Dec), as version 2.8 will offer support for FIPS 140 cryptography, functionality unavailable in SSL-C 2.7.1


As VU#386964 affects products with SSL v2 functionality, RSA recommends upgrading applications with the following new version which includes the remediation for this vulnerability:

•       SSL-C 2.7.1

Note: If you are using the FIPS 140 cryptography support in SSL-C, please wait to upgrade to SSL-C 2.8 (to be launched in late Dec), as version 2.8 will offer support for FIPS 140 cryptography, functionality unavailable in SSL-C 2.7.1


As an additional preventive measure, RSA recommends ensuring applications do not use the SSLv2 protocol. Our Support team will be happy to walk you through specific steps to confirm you are not using the SSLv2 protocol inadvertently.


Getting Support and Service:

For customers with current maintenance contracts, please contact your local RSA Customer Support department with any additional questions regarding this RSA SecurCare Note. Contact phone numbers can be found on RSA’s web site at http://www.rsasecurity.com/node.asp?id=1068.

General Customer Support Information:

http://www.rsasecurity.com/node.asp?id=1067


RSA SecurCare Online:

https://knowledge.rsasecurity.com


<snip> <snip>

Sincerely,
RSA Customer Support



------------------------------------------------------------
   Vin McLellan + The Privacy Guild +
<[EMAIL PROTECTED]->
         22 Beacon St., Chelsea,
MA 02150-2672 USA
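For readers who want to see what "properly handling signature verification" (VU#845620) means in code, here is an added example; it is not code from RSA, BSAFE or OpenSSL and is not the fix shipped in the versions listed above. It implements RSASSA-PKCS1-v1_5 verification the way PKCS#1 v2.1 (section 8.2.2) specifies: rebuild the expected encoded block from the message and compare the whole block against the decrypted signature, so the padding length, the 0x00 separator, the DigestInfo and the hash must all match and nothing may follow the hash. The key is a constructed toy key with a small public exponent (e = 3, an assumption chosen for illustration) and SHA-256; the prime generation is only good enough for a demo. The last check signs a deliberately malformed block with the private key to show that the strict verifier rejects an encoding whose hash is present but whose structure is wrong.

```python
import hashlib
import hmac
import secrets

# DER-encoded DigestInfo prefix for SHA-256 (PKCS#1 v2.1, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin test; adequate for a constructed demo key, not for production."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_key(bits=1024, e=3):
    """Constructed toy RSA key with a small public exponent (assumption: e = 3)."""
    half = bits // 2

    def random_prime():
        while True:
            cand = secrets.randbits(half) | (1 << (half - 1)) | 1
            # gcd(e, p-1) must be 1, i.e. p mod e != 1, for the private exponent to exist.
            if cand % e != 1 and _is_probable_prime(cand):
                return cand

    p, q = random_prime(), random_prime()
    while q == p:
        q = random_prime()
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def modulus_len(n):
    return (n.bit_length() + 7) // 8


def emsa_pkcs1_v15_encode(message, k):
    """EM = 0x00 || 0x01 || PS (at least 8 bytes of 0xFF) || 0x00 || DigestInfo(SHA-256(M))."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this encoding")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign_encoding(private_key, em):
    """RSA private operation on an already-encoded block (shared by sign() and the demo)."""
    n, d = private_key
    s = pow(int.from_bytes(em, "big"), d, n)
    return s.to_bytes(modulus_len(n), "big")


def sign(private_key, message):
    k = modulus_len(private_key[0])
    return sign_encoding(private_key, emsa_pkcs1_v15_encode(message, k))


def verify_strict(public_key, message, signature):
    """Verify by re-encoding the message and comparing the entire block (PKCS#1 v2.1, 8.2.2)."""
    n, e = public_key
    k = modulus_len(n)
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    expected = emsa_pkcs1_v15_encode(message, k)
    # Whole-block, constant-time comparison: no parsing, so no trailing bytes can be tolerated.
    return hmac.compare_digest(em, expected)


def malformed_encoding(message, k):
    """Constructed block: correct hash, but only 8 bytes of padding and trailing zero bytes.
    A verifier that merely scans for the hash might accept this; the strict one must not."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\x00" * (k - len(head))


def demo(bits=1024):
    """Return the verifier's verdict on a genuine, a mismatched, a corrupted and a malformed input."""
    public_key, private_key = generate_key(bits)
    k = modulus_len(public_key[0])
    message = b"constructed test message"
    signature = sign(private_key, message)
    corrupted = signature[:-1] + bytes([signature[-1] ^ 0x01])
    malformed_sig = sign_encoding(private_key, malformed_encoding(message, k))
    return {
        "genuine": verify_strict(public_key, message, signature),
        "other_message": verify_strict(public_key, b"different message", signature),
        "corrupted_signature": verify_strict(public_key, message, corrupted),
        "malformed_block": verify_strict(public_key, message, malformed_sig),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Only the first case should be accepted. The design point is that the verifier never parses the decrypted block; it computes what the block must be and compares all of it, which is the property a lenient, parse-the-padding verifier lacks.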






______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]