Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
* Nicolas Rachinsky:
> The diffs
> http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&view=diff&r1=141&r2=140&p1=openssl/trunk/rand/md_rand.c&p2=/openssl/trunk/rand/md_rand.c
> and
> http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/crypto/rand/md_rand.c?rev=300&view=diff&r1=300&r2=299&p1=openssl/trunk/crypto/rand/md_rand.c&p2=/openssl/trunk/crypto/rand/md_rand.c
> (I got them from http://www.links.org/?p=327) suggest, that only half
> of the problem was fixed. Is this correct?
No, the other hunk is benign. It mixes data from the target buffer of
RAND_bytes into the pool, and this is completely optional (because it's
not guaranteed that this data is random anyway).
Reply to: