PYSEC-2016-10

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/rsa/PYSEC-2016-10.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2016-10

Aliases

CVE-2016-1494
GHSA-8rjr-6qq5-pj9p

Published

2016-01-13T15:59:00Z

Modified

2023-11-08T03:58:22.257439Z

Summary

[none]

Details

The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack.

References

http://www.openwall.com/lists/oss-security/2016/01/05/3
http://www.openwall.com/lists/oss-security/2016/01/05/1
https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/
https://bitbucket.org/sybren/python-rsa/pull-requests/14/security-fix-bb06-attack-in-verify-by/diff
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175897.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175942.html
http://lists.opensuse.org/opensuse-updates/2016-01/msg00032.html
http://www.securityfocus.com/bid/79829

Affected packages

PyPI / rsa

Package

Name: rsa; View open source insights on deps.dev
Purl: pkg:pypi/rsa

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.3

Affected versions

1.*

1.1

1.2

1.3

1.3.1

1.3.2

1.3.3

2.*

2.0

3.*

3.0

3.0.1

3.1

3.1.1

3.1.2

3.1.3

3.1.4

3.2

3.2.1

3.2.2

3.2.3

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/rsa/PYSEC-2016-10.yaml"