OpenSSL 'EVP_VerifyFinal' Function Signature Verification Vulnerability

Threat level definition

OpenSSL 'EVP_VerifyFinal' Function Signature Verification Vulnerability

References:

#2008-016 multiple OpenSSL signature verification API misuse (oCERT)
007: SECURITY FIX: January 9, 2009 (OpenBSD)
eID Homepage (Belgium)
Nortel Response to OpenSSL 'EVP_VerifyFinal' Function Signature Verification Vul (Nortel)
pfSense 1.2.2 released! (BSD Perimeter)
Release Name: 3.0.1 (cwRsync)
Release notice for Ingate Firewall 471 and Ingate SIParator 471 (Ingate)
tqsllib: Improper checking of the return value of EVP_VerifyFinal() (Kurt Roeckx)
tqsllib: OpenSSL incorrect checks for malformed signatures (Jan Lieskovsky)
[oCERT-2008-016] Multiple OpenSSL signature verification API misuses ("Will Drewry" )
FreeBSD Security Advisory FreeBSD-SA-09:02.openssl (FreeBSD Security Advisories )
007: SECURITY FIX: January 9, 2009 (OpenBSD)
An OpenSource VooDoo cIRCle - security advisory 20090123-01 (VooDoo)
ASA-2009-057 - ntp security update (RHSA-2009-0046) (Avaya)
ASA-2009-116 HPSBUX02418 SSRT090002 rev.1 - HP-UX Running OpenSSL, RemoteUnautho (Avaya)
Avaya advisory ASA-2009-038 (Avaya)
BIND Security Vulnerability - EVP_VerifyFinal() and DSA_do_verify() return check (ISC)
HPSBMA02426 SSRT090053 (HP)
OpenSSL Security Advisory [07-Jan-2009] (OpenSSL Project)
RHSA-2009:0046 ntp security update (Red Hat)
Solution 250826: Security Vulnerability in OpenSSL due to Improper Usage of Sign (Sun)

Privacy Statement
Copyright 2009, SecurityFocus