Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 16 Jul 2014 11:13:44 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: CVE request: libressl before 2.0.2 under linux PRNG failure

Hi,

This has made the news lately:
https://www.agwa.name/blog/post/libressls_prng_is_unsafe_on_linux

Should get a CVE. Affected is portable libressl 2.0.0 and 2.0.1 on
Linux. 2.0.2 has been released:
https://marc.info/?l=openbsd-tech&m=140548206911600&w=2

Under certain conditions forking a process can create repeated random
numbers.

LibreSSL 2.0.2 contains a workaround, although the reporter of this
issue thinks this may not be the best approach.

Please assign CVE.

cu,
-- 
Hanno Böck - freier Journalist		https://hboeck.de/
E-Mail/Jabber: hanno@...eck.de		PGP-Key: BBB51E42

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ