Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
* Florian Weimer <fw@deneb.enyo.de> [2008-05-13 14:06 +0200]:
> Luciano Bello discovered that the random number generator in Debian's
> openssl package is predictable. This is caused by an incorrect
> Debian-specific change to the openssl package (CVE-2008-0166). As a
> result, cryptographic key material may be guessable.
The diffs
http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&view=diff&r1=141&r2=140&p1=openssl/trunk/rand/md_rand.c&p2=/openssl/trunk/rand/md_rand.c
and
http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/crypto/rand/md_rand.c?rev=300&view=diff&r1=300&r2=299&p1=openssl/trunk/crypto/rand/md_rand.c&p2=/openssl/trunk/crypto/rand/md_rand.c
(I got them from http://www.links.org/?p=327) suggest, that only half
of the problem was fixed. Is this correct?
Nicolas
Reply to: