PT-2006-1067 · Openssl+2 · Openssl+2

Mark Jcox · Published 2006-09-28 · Updated 2024-06-15 · CVE-2006-2940

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: OpenSSL versions 0.9.7 through 0.9.7l; OpenSSL versions 0.9.8 through 0.9.8d; OpenSSL versions prior to 0.9.8d.
Description: The issue allows attackers to cause a denial of service via parasitic public keys, that is, X.509 certificates carrying RSA keys with very large public exponent or public modulus values. Such keys take a disproportionate amount of time to process during RSA signature verification. Multiple vulnerabilities in the OpenSSL package can lead to violations of the confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely, potentially allowing an attacker to cause a denial of service or to gain access to encrypted data without knowing the encryption key.
Recommendations: For OpenSSL versions 0.9.7 through 0.9.7l, update to version 0.9.7l or later. For OpenSSL versions 0.9.8 through 0.9.8d, update to version 0.9.8d or later. For all versions prior to 0.9.8d, update to version 0.9.8d or later. As a temporary workaround, consider restricting the use of RSA signature verification with X.509 certificates to minimize the risk of exploitation.
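As an added illustration of the mitigation described above (this is example code written for this record, not code from the advisory or from OpenSSL): a small Python checker that parses a DER-encoded RSAPublicKey (SEQUENCE of two INTEGERs, modulus and public exponent), reports their bit sizes, and rejects keys whose parameters are large enough to make signature verification disproportionately expensive. The minimal DER parser, the constructed sample keys, and the two size limits MAX_MODULUS_BITS and MAX_PUBEXP_BITS are all assumptions chosen for this example, not the project's own constants.

```python
"""Reject oversized RSA public keys before any expensive verification work.

Added example, not from the advisory or OpenSSL. The limits are assumptions:
a public exponent is normally tiny (65537 is typical), and a modulus far beyond
common key sizes buys no security but multiplies verification cost.
"""

MAX_MODULUS_BITS = 16384   # assumption: upper bound for an acceptable modulus
MAX_PUBEXP_BITS = 64       # assumption: upper bound for an acceptable exponent


def _read_tlv(buf, pos):
    """Parse one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                               # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def parse_rsa_public_key(der):
    """Return (modulus, exponent) from a DER RSAPublicKey; RSA parameters are positive."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    t1, n_bytes, pos = _read_tlv(body, 0)
    t2, e_bytes, pos = _read_tlv(body, pos)
    if t1 != 0x02 or t2 != 0x02 or pos != len(body):
        raise ValueError("expected SEQUENCE of two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def check_rsa_key(der):
    """Return 'ok', or a 'reject: ...' string, before any modular exponentiation."""
    n, e = parse_rsa_public_key(der)
    if n.bit_length() > MAX_MODULUS_BITS:
        return f"reject: modulus is {n.bit_length()} bits"
    if e.bit_length() > MAX_PUBEXP_BITS:
        return f"reject: public exponent is {e.bit_length()} bits"
    return "ok"


# --- constructed sample inputs (built here, not taken from any real certificate) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(value):
    # One extra byte keeps the top bit clear so the INTEGER stays positive.
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(raw)) + raw


def make_rsa_public_key(n, e):
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body


NORMAL_KEY = make_rsa_public_key((1 << 2047) | 1, 65537)            # 2048-bit n, e=65537
HUGE_EXP_KEY = make_rsa_public_key((1 << 2047) | 1, (1 << 2047) | 1)  # e as large as n
HUGE_MOD_KEY = make_rsa_public_key((1 << 32767) | 1, 65537)         # 32768-bit n

if __name__ == "__main__":
    for name, key in [("normal", NORMAL_KEY), ("huge exponent", HUGE_EXP_KEY),
                      ("huge modulus", HUGE_MOD_KEY)]:
        print(f"{name}: {check_rsa_key(key)}")
```

In a real deployment the RSAPublicKey would be taken from the certificate's SubjectPublicKeyInfo, and the point is the ordering: the size check runs before the signature is verified, so a parasitic key is rejected without ever paying for the large exponentiation. Patching to the fixed OpenSSL versions listed above remains the actual remedy; this check only shows the kind of bound a verifier should enforce.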

Fix

DoS


Weakness Enumeration

Related Identifiers

BDU:2015-09525
BDU:2015-09905
CVE-2006-2940
DSA-1185-2
DSA-1195-1
HPSBUX02174
OPENSUSE-SU-2024:11125-1
OPENSUSE-SU-2024:11126-1
OPENSUSE-SU-2024:11127-1
RHSA-2006:0695
RHSA-2006_0695
RHSA-2008:0264
RHSA-2008:0525
RHSA-2008:0629
SUSE-FU-2022:0445-1

Affected Products

Hp-Ux
Openssl
Red Hat