| Summary: | <net-misc/tor-0.2.4.20: improper random number generation on certain Intel platforms with OpenSSL 1. (CVE-2013-7295) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | blueness |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1055014 | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Agostino Sarubbo
2014-01-21 09:40:39 UTC

(In reply to Agostino Sarubbo from comment #0)
>
>
> @maintainer(s): since the fixed package is already in the tree, please let
> us know if it is ready for the stabilization or not.

It is ready: KEYWORDS="amd64 arm ppc ppc64 sparc x86"

amd64 stable

x86 stable

CVE-2013-7295 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7295):
Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge platforms, does not properly generate random numbers for (1) relay identity keys and (2) hidden-service identity keys, which might make it easier for remote attackers to bypass cryptographic protection mechanisms via unspecified vectors.

arm stable

ppc64 stable

sparc stable

ppc stable.

Maintainer(s), please cleanup.
Security, please vote.

(In reply to Agostino Sarubbo from comment #8)
> ppc stable.
>
> Maintainer(s), please cleanup.
> Security, please vote.

Done.

Thanks for your work

GLSA vote: no

GLSA vote: no.

Closing as [noglsa]