Note: This is an archival copy of Security Sun Alert 201260 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000943.1.
Solaris 10 Operating System
Date of Resolved Release
The GnuTLS library version prior to 1.4.4 is impacted by an RSA signature forgery vulnerability. This vulnerability, which affects applications which make use of the GnuTLS library to verify PKCS#1 signatures, allows a malicious user to make an altered PKCS#1 v1.5 signature appear to be correct thus forging the signature.
This issue is described in the following documents:
The issue described in this Sun Alert is specific to the GnuTLS library. Multiple Sun products are affected by this issue. For more details please see Sun Alert 102648 at:
Note: Evolution uses the GnuTLS library and is impacted by this issue.
This issue can occur in the following releases:
Note 1: Solaris 8 and Solaris 9 are not impacted by this issue.
Note 2: This issue only impacts systems with SUNWgnutls installed. To determine if this package is installed run the following command:
$ pkginfo SUNWgnutls EVO146 SUNWgnutls GNU Transport Layer Security Library
Note 3: This issue only affects the GnuTLS library versions prior to 1.4.4. To determine the version of the GnuTLS library on the system the following command can be run:
$ pkginfo -l SUNWgnutls | grep VERSION VERSION: 0.9.5,REV=10.0.3.200126.96.36.199.59
Note 4: The Solaris 10 patches which address this issue do not increment the version of GnuTLS. The version of GnuTLS supplied with the patches will still be reported as 0.9.5.
There are no predictable symptoms that would indicate the described issue has been exploited.
There is no workaround for this issue.
This issue is addressed in the following releases:
This solution has no attachment