CVE-2006-2940
openssl096
EPSS 2.9%
Description
OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allow attackers to cause a denial of service (CPU consumption) via parasitic public keys with a large (1) "public exponent" or (2) "public modulus" value in X.509 certificates; such keys require extra time to process during RSA signature verification.
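The defensive pattern behind the fix is to bound the size of RSA parameters before any modular exponentiation is attempted, so a certificate carrying an oversized modulus or exponent is rejected cheaply. The following Python is an added example written for this page, not OpenSSL's code: it parses a PKCS#1 RSAPublicKey DER structure with a minimal parser and applies size limits. The limits are assumptions chosen to mirror, to the best of my knowledge, the caps OpenSSL adopted after this fix (a 16384-bit modulus, and a 64-bit exponent cap enforced once the modulus exceeds 3072 bits); the sample keys are constructed values whose only relevant property is their bit size.

```python
# Added example (not OpenSSL's code): vet an RSA public key before handing it
# to signature verification, so that a certificate carrying an oversized
# modulus or public exponent is rejected cheaply instead of burning CPU.
# The limits are assumptions that mirror, to the best of my knowledge, the
# caps OpenSSL introduced when fixing CVE-2006-2940; tune them to local policy.

MAX_MODULUS_BITS = 16384     # assumed cap, cf. OPENSSL_RSA_MAX_MODULUS_BITS
SMALL_MODULUS_BITS = 3072    # assumed threshold, cf. OPENSSL_RSA_SMALL_MODULUS_BITS
MAX_PUBEXP_BITS = 64         # assumed cap, cf. OPENSSL_RSA_MAX_PUBEXP_BITS


class KeyRejected(ValueError):
    """Raised when a key is malformed or too expensive to use."""


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos:]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise KeyRejected("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise KeyRejected("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise KeyRejected("truncated DER")
    return tag, buf[pos:end], end


def parse_rsa_public_key(der: bytes):
    """Parse RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise KeyRejected("expected a single SEQUENCE")
    tag, n_raw, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise KeyRejected("modulus is not an INTEGER")
    tag, e_raw, pos = _read_tlv(body, pos)
    if tag != 0x02 or pos != len(body):
        raise KeyRejected("exponent is not an INTEGER, or trailing data")
    n = int.from_bytes(n_raw, "big", signed=True)
    e = int.from_bytes(e_raw, "big", signed=True)
    if n <= 0 or e <= 0:
        raise KeyRejected("modulus and exponent must be positive")
    return n, e


def check_rsa_limits(n: int, e: int):
    """Reject parameters that would make modular exponentiation disproportionately costly."""
    n_bits, e_bits = n.bit_length(), e.bit_length()
    if n_bits > MAX_MODULUS_BITS:
        raise KeyRejected(f"modulus too large: {n_bits} bits")
    if e >= n:
        raise KeyRejected("public exponent must be smaller than the modulus")
    if n_bits > SMALL_MODULUS_BITS and e_bits > MAX_PUBEXP_BITS:
        raise KeyRejected(f"exponent too large for a {n_bits}-bit modulus: {e_bits} bits")
    return n_bits, e_bits


def vet_rsa_public_key(der: bytes):
    """Parse and check; returns (modulus_bits, exponent_bits) or raises KeyRejected."""
    return check_rsa_limits(*parse_rsa_public_key(der))


def is_acceptable(der: bytes) -> bool:
    try:
        vet_rsa_public_key(der)
        return True
    except KeyRejected:
        return False


# Helpers to build constructed sample keys (DER encoder for positive INTEGERs).
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_uint(v: int) -> bytes:
    raw = v.to_bytes((v.bit_length() + 8) // 8, "big")   # extra 0x00 if the top bit is set
    return b"\x02" + _der_len(len(raw)) + raw


def encode_rsa_public_key(n: int, e: int) -> bytes:
    body = _der_uint(n) + _der_uint(e)
    return b"\x30" + _der_len(len(body)) + body


if __name__ == "__main__":
    # Constructed sample parameters (not real keys): only their sizes matter here.
    samples = {
        "ordinary 2048-bit key, e=65537": encode_rsa_public_key(2**2047 + 12345, 65537),
        "16385-bit modulus": encode_rsa_public_key(2**16384 + 1, 65537),
        "4096-bit modulus, 65-bit exponent": encode_rsa_public_key(2**4095 + 1, 2**64 + 1),
        "2048-bit modulus, 65-bit exponent": encode_rsa_public_key(2**2047 + 1, 2**64 + 1),
    }
    for label, der in samples.items():
        print(f"{label:36s} -> {'accept' if is_acceptable(der) else 'reject'}")
```

The check sits in front of verification rather than inside it: the parser and the bit-length comparisons run in time proportional to the key's encoded length, whereas the exponentiation they guard grows with both the modulus size and the exponent size, which is exactly the asymmetry the oversized keys exploit.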
How to fix CVE-2006-2940
To remediate CVE-2006-2940, upgrade the affected package to a fixed version below.
- Debian/openssl—upgrade to 0.9.8c-2 or later
- Debian/openssl096—upgrade to 0.9.6m-1sarge4 or later
Is CVE-2006-2940 being exploited?
Low — EPSS is 2.9%, an estimated probability of exploitation in the wild that is low; exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/openssl: from 0, < 0.9.8c-2
- Debian/openssl096: from 0, < 0.9.6m-1sarge4