Date: Wed, 18 Feb 2015 10:33:59 +0400
From: Loganaden Velvindron <loganaden@...il.com>
To: oss-security@...ts.openwall.com
Cc: Assign a CVE Identifier <cve-assign@...re.org>, security@...ebsd.org
Subject: Re: FreeBSD: URGENT: RNG broken for last 4 months

On Wed, Feb 18, 2015 at 10:22 AM, Kurt Seifried <kseifried@...hat.com> wrote:
> https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054580.html
>

Hi Kurt,

From the follow-up mails it seems to affect FreeBSD-current only.
(See: https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054581.html)

> If you are running a current kernel r273872 or later, please upgrade
> your kernel to r278907 or later immediately and regenerate keys.
>
> I discovered an issue where the new framework code was not calling
> randomdev_init_reader, which means that read_random(9) was not returning
> good random data. read_random(9) is used by arc4random(9) which is
> the primary method that arc4random(3) is seeded from.
>
> This means most/all keys generated may be predictable and must be
> regenerated. This includes, but is not limited to, ssh keys and keys
> generated by openssl. This is purely a kernel issue, and a simple
> kernel upgrade w/ the patch is sufficient to fix the issue.
>
> --
> John-Mark Gurney              Voice: +1 415 225 5579
>
>      "All that I will do, has been done, All that I have, has not."
>
> =======
>
> I assume this needs a CVE, I know technically it didn't involve a
> release but quite a few people run -current (and it's a 4 month affected
> window), so if we're assigning CVEs to stuff hosted in github, then it
> seems fair that this should get one.
>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>

--
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.
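The seeding chain John-Mark describes (kernel read_random(9) feeding arc4random(9), which in turn seeds userland arc4random(3)) is why a single missing initialisation call turns every downstream key into a candidate for regeneration. The following is an added illustrative model, not FreeBSD's random(4) code and not anything from the thread: the generators are toy HMAC-based DRBGs standing in for the real ones, and the assumption that the uninitialised reader hands back a constant buffer is mine (the thread only says it "was not returning good random data"). It shows that two separately "booted" systems derive identical key material from the broken source, and that an attacker who knows the bug reproduces the victim's key offline; with a working source the same chain yields distinct, unrecoverable keys.

```python
"""Toy model of a kernel -> userland RNG seeding chain.

Illustrative only: this is NOT FreeBSD's random(4)/arc4random(9)/arc4random(3)
implementation. It models the dependency the advisory describes so the
consequence of a bad kernel entropy source is visible end to end.
"""
import hashlib
import hmac
import os


def read_random_broken(nbytes: int) -> bytes:
    # Assumption (not stated in the thread): an uninitialised reader returns
    # a constant buffer. Any low-entropy output has the same effect.
    return b"\x00" * nbytes


def read_random_fixed(nbytes: int) -> bytes:
    # Stand-in for a correctly initialised kernel entropy source.
    return os.urandom(nbytes)


class ToyArc4Random:
    """Deterministic HMAC-SHA256 counter generator standing in for
    arc4random(9) (kernel) and arc4random(3) (userland).

    Given the same seed it produces the same stream, which is exactly the
    property that makes a bad seed fatal for everything derived from it.
    """

    def __init__(self, seed: bytes):
        self.key = hashlib.sha256(seed).digest()
        self.counter = 0

    def buf(self, nbytes: int) -> bytes:
        out = b""
        while len(out) < nbytes:
            block = hmac.new(self.key, self.counter.to_bytes(8, "big"),
                             hashlib.sha256).digest()
            out += block
            self.counter += 1
        return out[:nbytes]


def boot_and_generate_key(read_random, key_len: int = 32) -> bytes:
    """Simulate one boot plus one key generation.

    kernel arc4random(9) is seeded from read_random(9); a userland
    arc4random(3) instance is seeded from the kernel generator; the
    application then draws a 'key' from userland.
    """
    kernel_rng = ToyArc4Random(read_random(32))
    userland_rng = ToyArc4Random(kernel_rng.buf(32))
    return userland_rng.buf(key_len)


def keys_collide(read_random, n_boots: int = 3) -> bool:
    """True if n independent boots all produce the same key."""
    keys = {boot_and_generate_key(read_random) for _ in range(n_boots)}
    return len(keys) == 1


def attacker_recovers_key(read_random) -> bool:
    """An attacker who knows the kernel bug reruns the seeding chain with the
    broken reader and compares the result to the victim's key."""
    victim_key = boot_and_generate_key(read_random)
    attacker_guess = boot_and_generate_key(read_random_broken)
    return hmac.compare_digest(victim_key, attacker_guess)


if __name__ == "__main__":
    print("broken source, keys identical across boots:",
          keys_collide(read_random_broken))
    print("broken source, attacker reproduces key:   ",
          attacker_recovers_key(read_random_broken))
    print("fixed source,  keys identical across boots:",
          keys_collide(read_random_fixed))
    print("fixed source,  attacker reproduces key:   ",
          attacker_recovers_key(read_random_fixed))
```

Note what the model does and does not say: patching the kernel restores the entropy source for keys generated from now on, but it does nothing for keys already produced while the reader was uninitialised, which is why the advisory pairs "upgrade your kernel" with "regenerate keys".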