
Re: OSVDB 72183



On Tue, Apr 9, 2013 at 2:23 PM, Adam D. Barratt wrote:
> On Tue, 2013-04-09 at 13:05 -0500, Karl Schmidt wrote:
>> I'm getting flagged for http://osvdb.org/72183 On Debian Stable - can't find where this has been
>> addressed?
>
> "Flagged" by what? Following the links from that URL leads to
> http://www.openssh.com/txt/portable-keysign-rand-helper.adv , which
> quite clearly says:
>
>         2. Affected configurations
>
>         Portable OpenSSH prior to version 5.8p2 only on platforms
>         that are configured to use ssh-rand-helper for entropy
>         collection.
> [...]
>         Platforms that support /dev/random or otherwise
>         configure OpenSSL with a random number provider are not
>         vulnerable.
>
>         In particular, *BSD, OS X, Cygwin and Linux are not
>         affected.

Which is also informatively stated in the security tracker:
https://security-tracker.debian.org/tracker/CVE-2011-4327

The companies that do this kind of analysis really need to get
their act together.  If you're paying them for this service, you
should really question whether you're getting any value.

Best wishes,
Mike
