Bug#559107: weaknesses in BSD PRNG algorithms
severity 559107 normal
On Thu, Dec 03, 2009 at 02:01:06PM +0100, Petr Salinger wrote:
> severity 559107 important
> >But the status of CVE-2008-114 is still open. Do they affect the
> >KFreeBSD port? What's the position of the FreeBSD kernel developers on
> >these issues?
> I used this as the description:
> The GNU/kFreeBSD (kfreebsd-?) is not affected by CVE-2008-1146 and CVE-2008-1148 at all.
Thanks, fixed in the Debian Security Tracker.
> For CVE-2008-1147 holds:
> Exploitations of the predictability of the IP fragmentation ID were made
> public almost a decade ago.
> NetBSD, FreeBSD and DragonFlyBSD do not randomize IP fragmentation ID
> field at all by default, and provide a kernel flag
> (net.inet.ip.random_id) that enables randomization through the weak algorithm.
> The weak algorithm has been replaced by upstream commit (Feb 6 2008):
> Replace the random IP ID generation code we
> obtained from OpenBSD with an algorithm suggested
> by Amit Klein. The OpenBSD algorithm has a few
> flaws; see Amit's paper for more information.
> For a description of how this algorithm works,
> please see the comments within the code.
> Note that this commit does not yet enable random IP ID
> generation by default. There are still some concerns
> that doing so will adversely affect performance.
> This commit has not been MFC-ed to STABLE-7.
> The default value for net.inet.ip.random_id is 0 even in HEAD.
> The FreeBSD developers/security_team published no "security
> advisory" and no "errata notice", and they did not include it in the next
> release (7.1 - January 2009).
If I understand it correctly, this means that the fix is present in
kfreebsd-8, but not kfreebsd-7? Not having it enabled by default seems
good enough to me.
Will Squeeze use kfreebsd-7 or -8 or both?