Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

To: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
From: Florian Weimer <fw@deneb.enyo.de>
Date: Tue, 13 May 2008 16:27:32 +0200
Message-id: <[🔎] 87prrqth2j.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 20080513141426.GA91840@mid.pc5.i.0x5.de> (Nicolas Rachinsky's message of "Tue, 13 May 2008 16:14:26 +0200")
References: <87od7az9v4.fsf@mid.deneb.enyo.de> <[🔎] 20080513141426.GA91840@mid.pc5.i.0x5.de>

* Nicolas Rachinsky:

> The diffs
> http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&view=diff&r1=141&r2=140&p1=openssl/trunk/rand/md_rand.c&p2=/openssl/trunk/rand/md_rand.c
> and
> http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/crypto/rand/md_rand.c?rev=300&view=diff&r1=300&r2=299&p1=openssl/trunk/crypto/rand/md_rand.c&p2=/openssl/trunk/crypto/rand/md_rand.c
> (I got them from http://www.links.org/?p=327) suggest, that only half
> of the problem was fixed. Is this correct?

No, the other hunk is benign.  It mixes data from the target buffer of
RAND_bytes into the pool, and this is completely optional (because it's
not guaranteed that this data is random anyway).

Reply to:

References:
- Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
  - From: Nicolas Rachinsky <deb-security-1@ml.turing-complete.org>

Prev by Date: Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
Next by Date: Re: Broken link on Debian CVE Web page (Was: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
Previous by thread: Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
Next by thread: Broken link on Debian CVE Web page (Was: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
Index(es):
- Date
- Thread