From ${URL} :

CVE-2013-4440 pwgen non-tty passwords are trivially weak by default
CVE-2013-4441 pwgen Phonemes mode has heavy bias and is enabled by default
CVE-2013-4442 pwgen Silent fallback to insecure entropy
CVE-2013-4443 pwgen Secure mode has bias towards numbers and uppercase letters

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly whether it is ready for stabilization or not.
Adjusted the CVE list in the summary; CVE-2013-4443 was rejected [1].

[1] http://seclists.org/oss-sec/2013/q4/162
arches please stable.
Arches, please test and mark stable:
=app-admin/pwgen-2.07
Target keywords: "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Stable for HPPA.
amd64 stable
x86 stable
ppc stable
ppc64 stable
ia64 stable
Stable on alpha.
sparc stable. Maintainer(s), please cleanup. Security, please vote.
+ 01 Dec 2014; Justin Lecher <jlec@gentoo.org> -pwgen-2.06-r1.ebuild: + Drop old vulnerable versions, #488300 +
CVE-2013-4442 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4442): Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-4440 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4440): Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.
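The CVE-2013-4442 description above is the "silent fallback" failure mode: when the entropy device cannot be read, the generator quietly switches to a clock-seeded libc PRNG and the caller never learns that the output is weak. The following is an added illustration of that pattern beside a fail-closed reader; it is not pwgen's code and none of the function names come from the project. The path "/nonexistent/urandom" is used only to simulate a missing device, and the clock_seed parameter stands in for the time(NULL) value such a fallback would typically use.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern (illustrative): if the entropy device cannot be
 * opened or fully read, silently fall back to libc rand() seeded from
 * the clock. The return value is 0 either way, so the caller cannot
 * tell the strong path from the weak one. */
int weak_fill_random(unsigned char *buf, size_t n, const char *dev,
                     unsigned clock_seed)
{
    int fd = open(dev, O_RDONLY);
    if (fd >= 0) {
        ssize_t got = read(fd, buf, n);
        close(fd);
        if (got == (ssize_t)n)
            return 0;
        /* short read: falls through to the weak path as well */
    }
    srand(clock_seed);              /* entire state is one guessable 32-bit value */
    for (size_t i = 0; i < n; i++)
        buf[i] = (unsigned char)(rand() & 0xff);
    return 0;                       /* caller never learns the output was weak */
}

/* Hardened pattern: fail closed. No fallback, short reads are retried
 * until n bytes arrive, and any failure is reported as -1 so the caller
 * must handle it (for a password generator: abort, do not emit output). */
int strict_fill_random(unsigned char *buf, size_t n, const char *dev)
{
    int fd = open(dev, O_RDONLY);
    if (fd < 0)
        return -1;
    size_t off = 0;
    while (off < n) {
        ssize_t got = read(fd, buf + off, n - off);
        if (got < 0 && errno == EINTR)
            continue;
        if (got <= 0) {             /* error or EOF: refuse rather than pad */
            close(fd);
            return -1;
        }
        off += (size_t)got;
    }
    close(fd);
    return 0;
}

/* Returns 1 if two weak fills with the same clock seed yield identical
 * "random" bytes, i.e. an attacker who can guess the timestamp can
 * regenerate the password material. The device path is deliberately
 * missing so the fallback branch is exercised. */
int fallback_is_reproducible(unsigned clock_seed)
{
    unsigned char a[16], b[16];
    const char *missing = "/nonexistent/urandom";   /* simulated missing device */
    weak_fill_random(a, sizeof a, missing, clock_seed);
    weak_fill_random(b, sizeof b, missing, clock_seed);
    return memcmp(a, b, sizeof a) == 0;
}

/* Returns 1 if the strict reader filled the buffer from dev, 0 if it refused. */
int strict_fill_ok(const char *dev)
{
    unsigned char buf[16];
    return strict_fill_random(buf, sizeof buf, dev) == 0;
}

int main(void)
{
    printf("weak fallback reproducible from guessed seed: %s\n",
           fallback_is_reproducible(1386000000u) ? "yes" : "no");
    printf("strict reader, missing device: %s\n",
           strict_fill_ok("/nonexistent/urandom") ? "filled" : "refused");
    printf("strict reader, /dev/urandom: %s\n",
           strict_fill_ok("/dev/urandom") ? "filled" : "refused");
    return 0;
}
```

The check a practitioner wants from a generator like this is the second behaviour: a nonzero return on any entropy failure that the caller turns into a hard error, rather than output that looks the same whether or not the device was there.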
GLSA vote: no.
GLSA Vote: No