Marius Schilder

Name of the Vulnerable Software and Affected Versions: OpenSSL versions 0.9.7 through 0.9.7j OpenSSL versions 0.9.8 through 0.9.8b Description: The issue allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by an RSA key with exponent 3, preventing OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1. This could lead to unauthorized access to certificate-protected resources. The vulnerability affects PKCS #1 v1.5 signatures if the exponent of the public key is 3, which is widely used by Certificate Authorities. An attacker will likely exploit this vulnerability to forge signatures without the secret key. Recommendations: For OpenSSL versions 0.9.7 through 0.9.7j, update to version 0.9.7k or later. For OpenSSL versions 0.9.8 through 0.9.8b, update to version 0.9.8c or later. As a temporary workaround, consider restricting the use of RSA keys with exponent 3 until a patch is available.

**Name of the Vulnerable Software and Affected Versions** libnspr4 versions (affected versions not specified) libnss3 versions (affected versions not specified) nss versions prior to 3.11.3 libnspr-dev versions (affected versions not specified) libnss-dev versions (affected versions not specified) **Description** The issue concerns multiple vulnerabilities in various packages of Debian GNU/Linux and Gentoo Linux operating systems. These vulnerabilities can be exploited remotely, potentially leading to breaches of confidentiality, integrity, and availability of protected information. **Recommendations** For libnspr4, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For libnss3, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For nss, update to version 3.11.3 or later to resolve the issue. For libnspr-dev, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For libnss-dev, at the moment, there is no information about a newer version that contains a fix for this vulnerability.