Bug 91414 - dev-perl/Net-SSLeay: Entropy Source Manipulation
Summary: dev-perl/Net-SSLeay: Entropy Source Manipulation
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All
OS: All
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/15207/
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2005-05-04 04:57 UTC by Jean-François Brunette (RETIRED)
Modified: 2005-05-04 08:30 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Jean-François Brunette (RETIRED) gentoo-dev 2005-05-04 04:57:17 UTC
Description:
Javier Fernandez-Sanguino Pena has reported a vulnerability in the Net::SSLeay module for Perl, which can be exploited by malicious, local users to weaken certain cryptographic operations.

The vulnerability is caused due to an error where the entropy source is improperly taken from a temporary file if the "EGD_PATH" environment variable is not defined. This can be exploited to weaken certain cryptographic operations via a "/tmp/entropy" file with known contents.

Solution:
Set the "EGD_PATH" environment variable.

Provided and/or discovered by:
Javier Fernandez-Sanguino Pena

Original Advisory:
http://www.ubuntulinux.org/support/documentation/usn/usn-113-1
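A seeding routine that refuses the fallback described in the advisory, as an added example that is not Gentoo's or Net::SSLeay's own code. It assumes a Net::SSLeay build against an OpenSSL that still provides RAND_egd, and the function names weak_egd_path, safe_egd_path and seed_prng are hypothetical.

```perl
#!/usr/bin/perl
# Added illustration, not code from Net::SSLeay or Gentoo. It contrasts the
# fallback the advisory describes with a seeding routine that refuses it.
# Assumes Net::SSLeay built against an OpenSSL that still provides RAND_egd;
# the function names weak_egd_path, safe_egd_path and seed_prng are made up.
use strict;
use warnings;
use Fcntl ':mode';
use Net::SSLeay;

# The weak pattern: an unset EGD_PATH silently becomes a fixed path in a
# world-writable directory, so whoever pre-creates that file decides what
# gets fed into the PRNG.
sub weak_egd_path {
    my $path = $ENV{EGD_PATH};
    return $path ? $path : '/tmp/entropy';
}

# Hardened: use only an explicitly configured path, require it to be a Unix
# domain socket (what an EGD actually provides) and refuse one that other
# users can write to. With no EGD configured, leave seeding to OpenSSL,
# which reads /dev/urandom on systems that have it.
sub safe_egd_path {
    my $path = $ENV{EGD_PATH};
    return undef unless defined $path && length $path;
    my @st = lstat $path;
    die "EGD_PATH '$path': $!\n" unless @st;
    die "EGD_PATH '$path' is not a Unix socket\n" unless S_ISSOCK($st[2]);
    die "EGD_PATH '$path' is writable by other users\n" if $st[2] & S_IWOTH;
    return $path;
}

sub seed_prng {
    my $egd = safe_egd_path();
    Net::SSLeay::RAND_egd($egd) if defined $egd;
    # RAND_status() returns 1 once OpenSSL considers its pool seeded; treat
    # anything else as fatal rather than carrying on with weak randomness.
    die "OpenSSL PRNG is not seeded; refusing to continue\n"
        unless Net::SSLeay::RAND_status();
    return defined $egd ? "egd:$egd" : "openssl-default";
}

print "PRNG seeded from ", seed_prng(), "\n";
```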
Comment 1 Michael Cummings (RETIRED) gentoo-dev 2005-05-04 07:30:45 UTC
Haven't we already discussed this one - and it was moot because we don't use/provide egd?
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-04 08:30:43 UTC
Old comment from mcummings:

"No such beast in our tree (EGD that is) - it's a perl implementation to mimic /dev/random for systems that don't have one (http://egd.sourceforge.net/) - but since in Gentoo land we all have one (and those ports of portage folks -  mac and bsd - haven't said anything if they don't) it hasn't/isn't an issue. I'd say this is nice, but not applicable."

So I'm closing this as INVALID. If anyone disagrees please feel free to reopen.