Summary: | <dev-java/gnu-classpath-0.98-r1: gnu.java.security.util.PRNG produces easily predictable values (CVE-2008-5659) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | gnu_andrew, java |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://gcc.gnu.org/bugzilla/show_bug.cgi?id=38417 | ||
Whiteboard: | B3 [noglsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 296215 | ||
Bug Blocks: |
Description
Robert Buchholz (RETIRED)
2008-12-18 12:18:53 UTC
CVE-2008-5659 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5659): The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and earlier uses a predictable seed based on the system time, which makes it easier for context-dependent attackers to conduct brute force attacks against cryptographic routines that use this class for randomness, as demonstrated against DSA private keys.

This was fixed in 0.98, the only ebuild in tree is gnu-classpath-0.98-r3. Please proceed, thanks.

Wow. Stabilization was completed 2+ years ago in bug 296215.

GLSA vote: no.

GLSA Vote: no too. Closing.