Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

To: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
From: Nicolas Rachinsky <deb-security-1@ml.turing-complete.org>
Date: Tue, 13 May 2008 16:14:26 +0200
Message-id: <[🔎] 20080513141426.GA91840@mid.pc5.i.0x5.de>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <87od7az9v4.fsf@mid.deneb.enyo.de>
References: <87od7az9v4.fsf@mid.deneb.enyo.de>

* Florian Weimer <fw@deneb.enyo.de> [2008-05-13 14:06 +0200]:
> Luciano Bello discovered that the random number generator in Debian's
> openssl package is predictable.  This is caused by an incorrect
> Debian-specific change to the openssl package (CVE-2008-0166).  As a
> result, cryptographic key material may be guessable.

The diffs
http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&view=diff&r1=141&r2=140&p1=openssl/trunk/rand/md_rand.c&p2=/openssl/trunk/rand/md_rand.c
and
http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/crypto/rand/md_rand.c?rev=300&view=diff&r1=300&r2=299&p1=openssl/trunk/crypto/rand/md_rand.c&p2=/openssl/trunk/crypto/rand/md_rand.c
(I got them from http://www.links.org/?p=327) suggest, that only half
of the problem was fixed. Is this correct?

Nicolas

Reply to:

Follow-Ups:
- Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
  - From: Florian Weimer <fw@deneb.enyo.de>

Prev by Date: Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
Next by Date: Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
Previous by thread: Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
Next by thread: Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
Index(es):
- Date
- Thread