I'm currently writing a book targetted to developers and I'm wondering how much I should write about RSA.
There are two cryptographic primitives (types of algorithm) exposed by RSA:
The signature algorithm has two adopted standards usually named RSA PKCS#1v1.5 and RSA-PSS. The latter one is more recent and provides a proof of security but everyone still use the former. The former hasn't been broken and is still pretty solid. Most internet certificates are signed using RSA PKCS#1v1.5 I believe.
The encryption algorithm is the problem (also used to perform key exchanges). It also has two adopted standards usually called RSA PKCS#1v1.5 (same name as the signature scheme I know...) and OAEP. OAEP is more recent and quite secure, but nobody seems to use it. Instead the former is still largely used in applications, and is often the default algorithm you use when you write RSA in many cryptographic libraries. Unfortunately it has been broken by Bleichenbacher in 1998 and it is practical to attack it. There's been many attempts to "fix" it and they have been repeatidly broken as well. So don't expect the library you use to implement it correctly.
FYI, RSA PKCS#1v1.5 signatures can be broken due to trivial implementation errors. 
From a cursory glance, all of these implementations are in C it seems like a C systemic issue, not an issue with RSA.
But I might be wrong because I've yet to read the paper.
(But again, haven't read the paper, also don't remember how bb signature forgery works)
(I'll read the paper but right now I'm in Hawaii doing snorkeling)
The bug is straightforward: RSA implementations don't verify all the bits in the padding, but rather "parse" it to find the digest, and then verify that. But there are, of course, bajillions of potential padded signature block representations that contain any given digest, since the block is so much bigger than the digest. For e=3, and for particularly naive implementations (like Firefox's, at the time) you can almost literally just formulate the signature block you want, then take its cube root to forge a signature.
Sorry to disapoint I did not do all the cryptopals :P filippo actually has a good blogpost on that attack IIRC.
(There are some set-7 problems I haven't done yet, for whatever that's worth. But e=3 sigs are a big one!)