[nsp-sec] Debian to disclose critical bug on Tuesday
Florian Weimer
fweimer at bfk.de
Mon May 12 10:05:39 EDT 2008
* Paul Goyette:
> Hmmm, NetBSD issued an advisory on this last week. It
> seems there's an issue in the Montgomery multiply code
> and was previously discussed as CVE-2007-3108, and is
> fixed in OpenSSL 0.9.8g.
>
> Wondering if this Debian thing is the same one.

No, ours is completely different in cause and impact. It's been
assigned CVE-2008-0166.

Note that this is not some theoretical weakness (like many other PRNG
bugs), it's something that actually allows you to enumerate the
complete list of all keys certain programs (such as ssh-keygen) will
ever generate. Actually, it's pretty similar to that old PGP 5 random
number generator bug.

--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99