CVE-2009-0127
First published: Sun Jan 11 2009(Updated: )
** DISPUTED ** M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because "these functions are not used anywhere in m2crypto."
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| M2Crypto |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511515
- http://openwall.com/lists/oss-security/2009/01/12/4
- https://bugzilla.redhat.com/show_bug.cgi?id=479676
- https://access.redhat.com/security/cve/CVE-2008-5077
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=476671
- https://access.redhat.com/security/cve/CVE-2009-0127
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0127
- https://www.cve.org/CVERecord?id=CVE-2009-0127 https://nvd.nist.gov/vuln/detail/CVE-2009-0127
- https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0127.json
Frequently Asked Questions
What is the severity of CVE-2009-0127?
CVE-2009-0127 has a moderate severity level due to the potential for certificate chain validation bypass.
How do I fix CVE-2009-0127?
To resolve CVE-2009-0127, update M2Crypto to the latest version where the vulnerability has been addressed.
What software is affected by CVE-2009-0127?
CVE-2009-0127 specifically affects M2Crypto versions that do not properly handle SSL/TLS signature verification.
What type of attack is possible with CVE-2009-0127?
CVE-2009-0127 may allow remote attackers to bypass validation of the certificate chain using malformed SSL/TLS signatures.
Is CVE-2009-0127 a zero-day vulnerability?
CVE-2009-0127 was publicly reported in January 2009 and is not classified as a zero-day vulnerability.
- agent/author
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2009-0127
- collector/redhat-cve
- agent/references
- agent/weakness
- agent/severity
- agent/status
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-historical
- collector/nvd-index
- vendor/heikkitoivonen
- canonical/m2crypto
- status/disputed