CVE-2008-1676
First published: Mon May 05 2008(Updated: )
A flaw was found in a way Red Hat Certificate System handled Extensions in the certificate signing requests (CSR). All requested Extensions were added to issued certificate despite constraints defined in Certificate Authority (CA) profile. For example, CSR could contain Basic Constraints or Key Usage constraint that once copied to issued certificate would result in creation of subordinate CA certificate, even though CA configuration prohibits issuing of subordinate CA certificate, possibly leading to a bypass the intended security policy. Affected versions: Red Hat Certificate System 7.1, 7.2, 7.3 Netscape Certificate Management System 6.x
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Certificate System | =7.1 | |
| Redhat Certificate System | =7.2 | |
| Redhat Certificate System | =7.3 | |
| Netscape Certificate Management System | <=6.2 | |
| Netscape Certificate Management System | =6.0 | |
| Netscape Certificate Management System | =6.01 | |
| Netscape Certificate Management System | =6.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=445227
- http://rhn.redhat.com/errata/RHSA-2008-0500.html
- http://rhn.redhat.com/errata/RHSA-2008-0577.html
- http://www.securityfocus.com/bid/30062
- http://secunia.com/advisories/30929
- http://www.securitytracker.com/id?1020427
- https://exchange.xforce.ibmcloud.com/vulnerabilities/43573
- https://access.redhat.com/security/cve/CVE-2002-0970
- https://access.redhat.com/security/cve/CVE-2002-0862
- collector/nvd-historical
- collector/nvd-index
- agent/type
- agent/remedy
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/severity
- agent/references
- agent/last-modified-date
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2008-1676
- agent/tags
- agent/event
- agent/trending
- vendor/redhat
- canonical/redhat certificate system
- version/redhat certificate system/7.1
- version/redhat certificate system/7.2
- version/redhat certificate system/7.3
- vendor/netscape
- canonical/netscape certificate management system
- version/netscape certificate management system/6.2
- version/netscape certificate management system/6.0
- version/netscape certificate management system/6.01
- version/netscape certificate management system/6.1