Message-ID: <84Zg5p5I5P02YkgI@aceecat.org>
Date: Thu, 21 May 2026 13:21:42 -0700
From: nightmare.yeah27@...ecat.org
To: oss-security@...ts.openwall.com
Subject: Re: Fixed: local root exploit in haveged, fixed in 1.9.21, CVE-2026-41054

On Tue, May 19, 2026 at 03:16:00PM +0200, Hanno Böck wrote:

> You can also fix this by uninstalling it.

> There's no need to have an "entropy daemon"... It adds needless
> complexity and, as this issue shows, attack surface. There have been
> many improvements in the Linux kernel's RNG (Jason Donenfeld, also
> known as the Wireguard developer, did a lot of work on that) and I
> am quite confident that there are no problems with the RNG on any
> reasonably recent Linux kernel that an "entropy daemon" would help
> with.

Wasn't most of the problem on VPSes, where hardware reads are
simulated by the host and thus to some degree predictable? AFAIR that
was the primary target of haveged. And that's why places like Hetzner
still include it in their default cloud-init setup, according to my
experience :-(

-- 
Ian
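An added audit helper for the two remedies discussed in this thread (upgrade to the fixed 1.9.21, or remove the daemon because the kernel RNG is already seeded); it is not part of the thread or of haveged itself. It assumes a dpkg- or rpm-based distribution for the package query and a Linux 5.6+ kernel, where /dev/random blocks only until the CSPRNG is seeded.

```shell
#!/bin/sh
# Added audit helper, not from the thread above. Reports whether this host
# still runs a haveged older than the fixed 1.9.21 named in the subject, and
# whether the kernel's own RNG is already seeded (the state in which the
# daemon adds attack surface without adding anything else).

# version_lt A B: exit 0 when dotted numeric version A sorts before B.
# Assumes purely numeric components, e.g. 1.9.14 (no "rc" suffixes).
version_lt() {
  a="$1." b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; a=${a#*.}
    y=${b%%.*}; b=${b#*.}
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
  done
  return 1
}

# haveged_state VERSION: prints absent, vulnerable or fixed for the given
# upstream version (an empty string means the package is not installed).
haveged_state() {
  if [ -z "$1" ]; then
    echo absent
  elif version_lt "$1" "1.9.21"; then
    echo vulnerable
  else
    echo fixed
  fi
}

# installed_haveged_version: prints the upstream part of the installed
# haveged package version, or nothing when it is not installed.
installed_haveged_version() {
  v=""
  if command -v dpkg-query >/dev/null 2>&1; then
    v=$(dpkg-query -W -f='${Version}' haveged 2>/dev/null) || v=""
  elif command -v rpm >/dev/null 2>&1; then
    v=$(rpm -q --qf '%{VERSION}' haveged 2>/dev/null) || v=""
  fi
  # Strip an epoch ("2:") and a distro revision ("-1ubuntu1"), keep upstream.
  printf '%s\n' "$v" | sed -e 's/^[0-9]*://' -e 's/-.*$//'
}

# kernel_rng_ready: exit 0 when /dev/random hands out a byte without
# blocking, which on Linux 5.6+ means the kernel CSPRNG has been seeded.
kernel_rng_ready() {
  timeout 2 head -c 1 /dev/random >/dev/null 2>&1
}

echo "haveged: $(haveged_state "$(installed_haveged_version)")"
if kernel_rng_ready; then echo "kernel RNG: seeded"; else echo "kernel RNG: not ready"; fi
```

A host reporting "absent" and "seeded" needs no further action for this issue; "vulnerable" means upgrade or remove the package.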
