Bug#559107: weaknesses in BSD PRNG algorithms
If I understand it correctly, this means that the fix is present in
kfreebsd-8, but not kfreebsd-7?
Not having it enabled by default seems good enough to me.
If I understand it correctly, the security problem is
"it allows remote attackers to guess sensitive values such as IP
fragmentation IDs by observing a sequence of previously generated values".
By default, the next_value is previous_value+1, i.e. unsecure at all.
It can be enabled to use random (secure) value, the random value is in
kfreebsd-7 generated by weak X2 algorithm, in kfreebsd-8 by "algorithm
suggested by Amit Klein".
So the options are:
1) leave it as is (same as native FreeBSD)
2) only backport new algorithm to kfreebsd-7
3) change default to use random algorithm in both kfreebsd-7 and kfreebsd-8
4) backport new algorithm to kfreebsd-7 and change default to use
random algorithm in both kfreebsd-7 and kfreebsd-8
What prefers the security team ?
Will Squeeze use kfreebsd-7 or -8 or both?
It is not yet decided, the kfreebsd-8 is really fresh.