Bug 897954 (CVE-2005-2946) - VUL-0: CVE-2005-2946: openssl: default hashing method is unsecure
Status: RESOLVED UPSTREAM
Alias: CVE-2005-2946
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P5 - None : Normal
Assignee: Security Team bot
QA Contact: Security Team bot
Reported: 2014-09-23 11:46 UTC by Marcus Meissner
Modified: 2014-09-23 11:51 UTC

Description Marcus Meissner 2014-09-23 11:46:58 UTC
via CVE db

The default configuration on OpenSSL before 0.9.8 uses MD5 for creating message digests instead of a more cryptographically strong algorithm, which makes it easier for remote attackers to forge certificates with a valid certificate authority signature.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2946
Comment 1 Marcus Meissner 2014-09-23 11:49:37 UTC
"before openssl 0.9.8", so does not affect SUSE Linux Enterprise 11 or newer.
Comment 3 Marcus Meissner 2014-09-23 11:51:11 UTC
sles10 has openssl 0.9.8a, so is also not affected.

/etc/ssl/openssl.cnf line:

default_md      = sha1                  # which md to use.
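
A way to run the same check across an openssl.cnf file, as an added example that is not part of the bug report or of OpenSSL: it parses the file's sections and reports every `default_md` setting, flagging the MD5-family values. The sample configuration, the function names and the set of flagged digests are assumptions of this example.

```python
import re

# Digests flagged by this example. MD5 is the one CVE-2005-2946 names;
# md2 and md4 are added as an assumption. Extend to match local policy.
FLAGGED_DIGESTS = {"md2", "md4", "md5"}

# Constructed sample in openssl.cnf syntax, not copied from any real system.
SAMPLE_CNF = """\
HOME = .

[ ca ]
default_ca = CA_default

[ CA_default ]
dir        = ./demoCA
default_md = md5                        # which md to use.

[ req ]
default_bits = 2048
default_md      = sha1                  # which md to use.
"""

def parse_sections(text):
    """Return {section: {key: value}}; keys before any header go in 'default'."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def audit_default_md(text):
    """Return [(section, digest, flagged)] for every default_md in the file."""
    return [(name, keys["default_md"].lower(), keys["default_md"].lower() in FLAGGED_DIGESTS)
            for name, keys in parse_sections(text).items() if "default_md" in keys]

if __name__ == "__main__":
    for section, digest, flagged in audit_default_md(SAMPLE_CNF):
        print(f"[{section}] default_md = {digest}: {'FLAGGED' if flagged else 'not flagged'}")
```

To audit a real system, pass the contents of `/etc/ssl/openssl.cnf` to `audit_default_md` instead of the constructed sample.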