oss-sec mailing list archives
Re: CVE request for saltstack
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 13 Aug 2015 11:36:10 -0600
Ahh to funny. Someone pointed out the commit to me and I didn't even think to check if it got a CVE in the past. Please ignore my pre lunch shenanigans. On Thu, Aug 13, 2015 at 11:25 AM, Solar Designer <solar () openwall com> wrote:
On Thu, Aug 13, 2015 at 11:06:10AM -0600, Kurt Seifried wrote:So someone pointed this out to me:https://github.com/saltstack/salt/commit/e8ce66cf688b43aeb3e716e78b1af3a08e9940e3priv = '{0}.pem'.format(base) pub = '{0}.pub'.format(base) - gen = RSA.gen_key(keysize, 1, callback=lambda x, y, z: None) + gen = RSA.gen_key(keysize, 65537, callback=lambda x, y, z: None) cumask = os.umask(191) gen.save_key(priv, None) os.umask(cumask) This is using the M2Crypto.RSA. TL;DR: doing RSA crypto with a public exponent value of "1" makes crypto very fast. Fast is not always good. Can we get a CVE for this please?Duplicate CVE request, with wrong rationale this time (hilarious, though)? http://www.openwall.com/lists/oss-security/2013/07/01/1 https://github.com/saltstack/salt/commit/5dd304276ba5745ec21fc1e6686a0b28da29e6fc http://stackoverflow.com/questions/17490282/why-is-this-commit-that-sets-the-rsa-public-exponent-to-1-problematic https://news.ycombinator.com/item?id=5993959 Alexander
-- -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security contact: secalert () redhat com
Current thread:
- CVE request for saltstack Kurt Seifried (Aug 13)
- Re: CVE request for saltstack Solar Designer (Aug 13)
- Re: CVE request for saltstack Kurt Seifried (Aug 13)
- Re: CVE request for saltstack Solar Designer (Aug 13)