![]() |
|
Date: Wed, 16 Jul 2014 11:13:44 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: CVE request: libressl before 2.0.2 under linux PRNG failure
Hi,
This has made the news lately:
https://www.agwa.name/blog/post/libressls_prng_is_unsafe_on_linux
Should get a CVE. Affected is portable libressl 2.0.0 and 2.0.1 on
Linux. 2.0.2 has been released:
https://marc.info/?l=openbsd-tech&m=140548206911600&w=2
Under certain conditions forking a process can create repeated random
numbers.
LibreSSL 2.0.2 contains a workaround, although the reporter of this
issue thinks this may not be the best approach.
Please assign CVE.
cu,
--
Hanno Böck - freier Journalist https://hboeck.de/
E-Mail/Jabber: hanno@...eck.de PGP-Key: BBB51E42
Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.