Date: Wed, 18 Feb 2015 10:33:59 +0400
From: Loganaden Velvindron <loganaden@...il.com>
To: oss-security@...ts.openwall.com
Cc: Assign a CVE Identifier <cve-assign@...re.org>, security@...ebsd.org
Subject: Re: FreeBSD: URGENT: RNG broken for last 4 months

On Wed, Feb 18, 2015 at 10:22 AM, Kurt Seifried <kseifried@...hat.com> wrote:
> https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054580.html
>

Hi Kurt,

From the follow-up mails it seems to affect FreeBSD-current only.
(See: https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054581.html)

> If you are running a current kernel r273872 or later, please upgrade
> your kernel to r278907 or later immediately and regenerate keys.
>
> I discovered an issue where the new framework code was not calling
> randomdev_init_reader, which means that read_random(9) was not returning
> good random data.  read_random(9) is used by arc4random(9) which is
> the primary method that arc4random(3) is seeded from.
>
> This means most/all keys generated may be predictable and must be
> regenerated.  This includes, but is not limited to, ssh keys and keys
> generated by openssl.  This is purely a kernel issue, and a simple
> kernel upgrade w/ the patch is sufficient to fix the issue.
>
> --
>   John-Mark Gurney                              Voice: +1 415 225 5579
>
>      "All that I will do, has been done, All that I have, has not."
>
> =======
>
> I assume this needs a CVE, I know technically it didn't involve a
> release but quite a few people run -current (and it's a 4 month affected
> window), so if we're assigning CVEs to stuff hosted in github, then it
> seems fair that this should get one.
>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>
-- 
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.
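The advisory quoted above says that every key generated on an affected -current kernel, SSH or OpenSSL, has to be regenerated. The script below is an added example for this thread, not FreeBSD or Openwall code: it walks the usual key directories and flags private key files whose modification time falls inside a suspected weak-RNG window. The window dates are constructed placeholders (the advisory names SVN revisions r273872 and r278907, not dates), the directory list and the file-name heuristics are assumptions, and the embedded sample entries are constructed for demonstration.

```python
"""Flag private key files created during a suspected weak-RNG window.

Added example for the oss-security thread on the FreeBSD-current RNG
regression; not FreeBSD code.  Dates, directories and name heuristics
are assumptions and should be adjusted to the host being audited.
"""
import os
import sys
from datetime import datetime, timezone

# Constructed placeholder window (UTC).  The advisory gives kernel
# revisions (r273872 .. r278907), not calendar dates: derive the real
# boundaries from when this host first booted an affected kernel and
# when it was upgraded to a fixed one.
WINDOW_START = datetime(2014, 10, 15, tzinfo=timezone.utc)
WINDOW_END = datetime(2015, 2, 18, tzinfo=timezone.utc)

# Assumed locations of SSH host keys and per-user keys.
DEFAULT_DIRS = ["/etc/ssh", os.path.expanduser("~/.ssh")]

# Common user private-key names; public halves (*.pub) are derived from
# these, so only the private files are reported.
PRIVATE_KEY_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}


def ts(year, month, day):
    """POSIX timestamp for a UTC calendar date (used by the sample data)."""
    return datetime(year, month, day, tzinfo=timezone.utc).timestamp()


def looks_like_key(name):
    """Heuristic match for SSH host keys, user keys and OpenSSL key files."""
    if name.startswith("ssh_host_") and name.endswith("_key"):
        return True
    if name in PRIVATE_KEY_NAMES:
        return True
    return name.endswith((".key", ".pem"))


def in_window(mtime, start=WINDOW_START, end=WINDOW_END):
    """True when a POSIX timestamp lies inside [start, end] inclusive."""
    return start.timestamp() <= mtime <= end.timestamp()


def flag_suspect_keys(entries, start=WINDOW_START, end=WINDOW_END):
    """entries: iterable of (path, mtime).  Returns sorted paths to regenerate."""
    return sorted(
        path for path, mtime in entries
        if looks_like_key(os.path.basename(path)) and in_window(mtime, start, end)
    )


def scan_dirs(dirs):
    """Yield (path, mtime) for every regular file under the given directories."""
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    yield path, os.stat(path).st_mtime
                except OSError:
                    continue  # unreadable or vanished file: skip it


# Constructed sample inventory, so the script demonstrates itself offline.
SAMPLE_ENTRIES = [
    ("/etc/ssh/ssh_host_ed25519_key", ts(2014, 12, 1)),   # inside window
    ("/etc/ssh/ssh_host_rsa_key", ts(2014, 6, 1)),        # before window
    ("/root/.ssh/id_rsa", ts(2015, 3, 1)),                # after window
    ("/etc/ssh/sshd_config", ts(2014, 12, 1)),            # not a key
    ("/usr/local/etc/server.key", ts(2015, 1, 10)),       # inside window
]


def main(argv):
    # With directory arguments, audit the live filesystem; otherwise show
    # the result on the constructed sample.
    entries = scan_dirs(argv[1:]) if len(argv) > 1 else SAMPLE_ENTRIES
    for path in flag_suspect_keys(entries):
        print("regenerate:", path)


if __name__ == "__main__":
    main(sys.argv)
```

Modification time is only a heuristic: a key copied with `cp -p` keeps its original timestamp, and one touched later will be missed, so treat a clean report as a starting point rather than proof, and when in doubt follow the advisory and regenerate.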
