Date: Fri, 31 Jul 2015 14:47:51 +0200
From: Adam Maris <amaris@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE for crypto_get_random() from libsrtp

Hello,

I've got a question: is this bug (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793971) CVE-worthy? Could it be classified as CWE-330: Use of Insufficiently Random Values?

According to the SRTP documentation (http://srtp.sourcearchive.com/documentation/1.4.2.dfsg/group__SRTP_g1d4c228c6a58096dfab3cefbabd66f17.html), it provides 80 bits of random data, which is quite borderline.

Thanks.

--
Adam Maris / Red Hat Product Security