oss-sec mailing list archives
Re: CVE Request -- perl-Crypt-DSA -- Cryptographically insecure method used for random numbers generation on systems without /dev/random
From: Josh Bressers <bressers () redhat com>
Date: Wed, 05 Oct 2011 15:23:53 -0400 (EDT)
Please use CVE-2011-3599 for this.

Thanks.

-- 
JB

----- Original Message -----
Hello Josh, Steve, vendors,

it has been reported that Crypt::DSA, a Perl module for DSA signatures and key generation, used a cryptographically weak / insecure method for random numbers generation on systems where the /dev/random file was not present. Due to this flaw an attacker could be able to discover some portions of / whole secret DSA key, which has been created on such system.

References:
[1] http://secunia.com/advisories/46275/
[2] https://rt.cpan.org/Public/Bug/Display.html?id=71421
[3] https://bugzilla.redhat.com/show_bug.cgi?id=743567

Proposed upstream patch is to remove the affected fallback code part:
[4] https://rt.cpan.org/Public/Bug/Display.html?id=71421#txn-984052
(though not approved yet)

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
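
The fix direction named in the request above (remove the fallback, so a missing random device is an error rather than a silent downgrade) can be sketched as follows. This is an added example, not code from Crypt::DSA or from the proposed patch; the helper name random_bits_or_die and the use of /dev/urandom as the default device are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_RDONLY);

# Hypothetical helper (not Crypt::DSA's API): return $bits random bits as a
# hex string read from the kernel random device. There is deliberately no
# fallback: if the device is missing or a read fails, the caller gets an
# exception instead of key material built from a non-cryptographic generator.
sub random_bits_or_die {
    my ($bits, $device) = @_;
    $device //= '/dev/urandom';    # assumed default for this example
    die "bit count must be a positive integer\n"
        unless defined $bits && $bits =~ /^[1-9][0-9]*$/;

    my $nbytes = int(($bits + 7) / 8);
    sysopen(my $fh, $device, O_RDONLY)
        or die "no secure random source ($device): $!; refusing to continue\n";
    # A regular file planted at the device path is not a random source.
    die "$device is not a character device\n" unless -c $fh;

    my $buf = '';
    while (length($buf) < $nbytes) {    # handle short reads
        my $got = sysread($fh, $buf, $nbytes - length($buf), length($buf));
        die "read from $device failed: $!\n" unless defined $got;
        die "unexpected EOF on $device\n" if $got == 0;
    }
    close $fh;

    # Clear excess high bits so the value fits in exactly $bits bits.
    my $excess = 8 * $nbytes - $bits;
    substr($buf, 0, 1) = chr(ord(substr($buf, 0, 1)) & (0xFF >> $excess));
    return unpack('H*', $buf);
}

# Normal case: 160 random bits, the size of q in classic DSA. A real key
# generator must still map this into the range [1, q-1].
print random_bits_or_die(160), "\n";

# Constructed failure case: a missing device must raise, not degrade.
my $ok = eval { random_bits_or_die(160, '/nonexistent/random'); 1 };
print "fallback refused: $@" unless $ok;
```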