Date: Wed, 16 Jul 2014 11:13:44 +0200 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com Subject: CVE request: libressl before 2.0.2 under linux PRNG failure Hi, This has made the news lately: https://www.agwa.name/blog/post/libressls_prng_is_unsafe_on_linux Should get a CVE. Affected is portable libressl 2.0.0 and 2.0.1 on Linux. 2.0.2 has been released: https://marc.info/?l=openbsd-tech&m=140548206911600&w=2 Under certain conditions forking a process can create repeated random numbers. LibreSSL 2.0.2 contains a workaround, although the reporter of this issue thinks this may not be the best approach. Please assign CVE. cu, -- Hanno Böck - freier Journalist https://hboeck.de/ E-Mail/Jabber: hanno@...eck.de PGP-Key: BBB51E42 Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ