Ben Bucksch wrote:

> Bob Relyea wrote:
> 
>> Ben Bucksch wrote:
>> 
>>> Does PSM do that and when, i.e. is PSM affected? 
>> 
>> 
>> The PSM binary we release still uses the internal lib crypto version 
>> of NSS. Anyone who builds PSM and NSS on their own should make sure 
>> that they have the up-to-date version of NSS to make sure they 
>> aren't vulnerable to the bug.
> 
> 
> The situation is that: There is a product (Beonex Communicator 0.6 
> Linux <http://www.beonex.com>) released already, that incorporates the 
> free PSM. So, it is important for me to know, in which way the buggy 
> implementation affects users.
> 
> Does the bug only appear, if I click "Obtain new..." in 
> Certificates|Mine? 

Whenever you generate an RSA public/private key, which at the high level 
is whenever you get a new cert (as you suggest above). The issue is 
rather insidious because the operation will appear to work correctly, 
and you will probably get what looks like a functioning RSA key, but 
you will get a key that will likely be able to be factored easily. That 
means that the private key you generate would be easily compromised.

If the operation just failed it wouldn't have been as serious.

bob
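
The point above, that a key can pass a functional test and still be easy to factor, shown as an added example (not part of the original message and not NSS or PSM code). The thread does not say how the affected keys are weak, so the checks below are generic assumptions; all function names, thresholds and sample primes are constructed for illustration.

```python
import math

SMALL_FACTOR_BOUND = 1 << 16   # assumed trial-division limit for this example

def roundtrip_ok(n, e, d, m=42):
    """The functional test a weak key still passes: decrypt(encrypt(m)) == m."""
    return pow(pow(m, e, n), d, n) == m

def audit_modulus(n, min_bits=1024, fermat_steps=1000):
    """Return findings for an RSA modulus; [] only means these checks passed."""
    findings = []
    if n.bit_length() < min_bits:
        findings.append(f"short modulus: {n.bit_length()} bits")
    # A factor below the bound is found by plain trial division.
    for p in range(2, SMALL_FACTOR_BOUND):
        if n % p == 0:
            findings.append(f"small factor: {p}")
            break
    # Fermat's method: succeeds quickly when the two factors are close together.
    a = math.isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(fermat_steps):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            findings.append("factors too close (Fermat)")
            break
        a += 1
    return findings

def make_key(p, q, e=65537):
    """Build (n, e, d) from two primes, as a key generator would."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi)

# Constructed samples. WEAK has one tiny prime factor; PASSING uses two
# Mersenne primes only because they are known primes (unsuitable for real keys).
WEAK = make_key(10007, 2**607 - 1)
PASSING = make_key(2**521 - 1, 2**607 - 1)

if __name__ == "__main__":
    for name, (n, e, d) in (("WEAK", WEAK), ("PASSING", PASSING)):
        print(name, "roundtrip ok:", roundtrip_ok(n, e, d), "findings:", audit_modulus(n))
```

Both sample keys encrypt and decrypt correctly; only the audit separates them, which is why keys created while the bug was present need to be checked or regenerated rather than trusted because they work.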


