Security Vulnerability in OpenSSL due to Improper Usage of Signature
I want to advise you of a security vulnerability in OpenSSL. As Solaris contains OpenSSL (beginning with Solaris 10), Solaris 10 and OpenSolaris are vulnerable to CVE-2008-5077:
An insufficient validation security vulnerability in OpenSSL may allow a malformed signature to be treated as a good signature rather than as an error. This issue affects the signature checks on DSA keys used with SSL/TLS. This vulnerability may allow a remote user who is in control of a rogue server or who can use a "man-in-the-middle attack" to masquerade as a valid, legitimate server using malformed SSL certificates.
This affects not only Solaris; it affects all systems using OpenSSL 0.9.8i and earlier. You can find further information for Solaris in SunAlert document #25082. For other operating systems, consult the corresponding security bulletins from the distributor of your operating environment. At the moment there are two T-patches for this issue: T139500-02 (Solaris 10 - SPARC) and T139501-02 (x86). In OpenSolaris the vulnerability is resolved in Build 107.
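The upstream OpenSSL advisory for this CVE attributes the problem to callers that incorrectly checked the result of EVP_VerifyFinal, which returns 1 for a valid signature, 0 for a mismatch and -1 for an error. The following added example (not OpenSSL's code and not from the original post) shows that check beside the corrected one; `verify_stub`, `accept_flawed`, `accept_fixed` and the sample byte strings are hypothetical and constructed, and the stub performs no cryptography.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a tri-state verifier such as EVP_VerifyFinal():
 *   1 = signature valid, 0 = signature does not match, -1 = error
 * (here: the blob is not a well-formed 0x30 <len> <body> structure).
 * It only reproduces the return-value contract. */
static int verify_stub(const unsigned char *sig, size_t sig_len,
                       const unsigned char *expected, size_t exp_len)
{
    if (sig_len < 2 || sig[0] != 0x30 || (size_t)sig[1] != sig_len - 2)
        return -1;                          /* malformed encoding */
    if (sig_len - 2 != exp_len || memcmp(sig + 2, expected, exp_len) != 0)
        return 0;                           /* well-formed, wrong value */
    return 1;                               /* valid */
}

/* Flawed pattern: only 0 counts as failure, so the -1 error is accepted. */
int accept_flawed(const unsigned char *sig, size_t n,
                  const unsigned char *exp, size_t m)
{
    if (!verify_stub(sig, n, exp, m))
        return 0;
    return 1;
}

/* Corrected pattern: anything other than a positive result is rejected. */
int accept_fixed(const unsigned char *sig, size_t n,
                 const unsigned char *exp, size_t m)
{
    if (verify_stub(sig, n, exp, m) <= 0)
        return 0;
    return 1;
}

/* Constructed sample inputs. */
static const unsigned char EXPECTED[]  = { 0xAA, 0xBB, 0xCC };
static const unsigned char SIG_GOOD[]  = { 0x30, 0x03, 0xAA, 0xBB, 0xCC };
static const unsigned char SIG_WRONG[] = { 0x30, 0x03, 0xAA, 0xBB, 0x00 };
static const unsigned char SIG_MALF[]  = { 0x30, 0x7F, 0xAA }; /* bad length */

int main(void)
{
    printf("good:      flawed=%d fixed=%d\n", accept_flawed(SIG_GOOD, sizeof SIG_GOOD, EXPECTED, sizeof EXPECTED), accept_fixed(SIG_GOOD, sizeof SIG_GOOD, EXPECTED, sizeof EXPECTED));
    printf("wrong:     flawed=%d fixed=%d\n", accept_flawed(SIG_WRONG, sizeof SIG_WRONG, EXPECTED, sizeof EXPECTED), accept_fixed(SIG_WRONG, sizeof SIG_WRONG, EXPECTED, sizeof EXPECTED));
    printf("malformed: flawed=%d fixed=%d\n", accept_flawed(SIG_MALF, sizeof SIG_MALF, EXPECTED, sizeof EXPECTED), accept_fixed(SIG_MALF, sizeof SIG_MALF, EXPECTED, sizeof EXPECTED));
    return 0;
}
```

When auditing application code that calls tri-state verification functions, look for `!result` or `result == 0` tests and replace them with an explicit comparison against the success value.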