aadaaac CVE-2011-3599

Authored and Committed by pghmcfc 10 years ago
    CVE-2011-3599
    
    As taught by the '09 Debian PGP disaster relating to DSA, the randomness
    source is extremely important. On systems without /dev/random, Crypt::DSA
    falls back to using Data::Random. Data::Random uses rand(), about which
    the perldoc says "rand() is not cryptographically secure. You should not
    rely on it in security-sensitive situations." In the case of DSA, this is
    even worse. Using improperly secure randomness sources can compromise the
    signing key upon signature of a message.
    
    See: http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/
    
    It might seem that this would not affect Fedora since /dev/random is always
    available and so the fall back to Data::Random would never happen. However,
    if an application is confined using a MAC system such as SELinux then
    access to /dev/random could be denied by policy and the fall back would be
    triggered.
    
        
file modified
+11 -2
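The failure mode the commit message describes, shown as an added example that is not part of Crypt::DSA or of this commit: a toy DSA in Python whose signing routine takes the nonce k as an explicit argument, so that the two bad cases can be reproduced on purpose. If k is reused across two messages the signatures share r and leak k, and if k comes from a replayable PRNG (standing in here for Perl's rand() behind Data::Random) the attacker simply regenerates it; in both cases one division mod q yields the private key x. The parameter sizes, the seed values and the message strings are constructed for the demo and are far too small for real use.

```python
"""Toy DSA demonstrating private-key recovery from a reused or predictable nonce k.

Added example, not the Crypt::DSA code. Parameter sizes (64-bit q, 256-bit p) and
the seeded PRNG are constructed for the demo only.
"""
import hashlib
import random


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin probable-prime test, adequate for a demo."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(rng, qbits=64, pbits=256):
    """Toy DSA domain parameters (p, q, g) with q dividing p-1."""
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if not is_probable_prime(q, rng):
            continue
        for _ in range(4 * pbits):          # look for p = c*q + 1 of about pbits bits
            c = rng.getrandbits(pbits - qbits) | (1 << (pbits - qbits - 1))
            p = c * q + 1
            if is_probable_prime(p, rng):
                break
        else:
            continue
        for h in range(2, 100):              # g = h^((p-1)/q) mod p, g != 1
            g = pow(h, (p - 1) // q, p)
            if g != 1:
                return p, q, g


def keygen(rng, params):
    p, q, g = params
    x = rng.randrange(1, q)
    return x, pow(g, x, p)


def hash_to_int(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def sign(msg, x, params, k):
    """DSA signature with k supplied by the caller so the demo can control it.
    A real implementation must draw k fresh and uniformly from [1, q-1] per signature."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (hash_to_int(msg, q) + x * r)) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another k")
    return r, s


def verify(msg, sig, y, params):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = (hash_to_int(msg, q) * w) % q
    u2 = (r * w) % q
    return ((pow(g, u1, p) * pow(y, u2, p)) % p) % q == r


def recover_x_from_known_k(msg, sig, k, q):
    """s = k^-1 (h + x r) mod q, so x = (s k - h) r^-1 mod q once k is known."""
    r, s = sig
    return ((s * k - hash_to_int(msg, q)) * pow(r, -1, q)) % q


def recover_x_from_reused_k(msg1, sig1, msg2, sig2, q):
    """Same k gives the same r; subtracting the two s values cancels x and yields k."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("r values differ: k was not reused")
    h1, h2 = hash_to_int(msg1, q), hash_to_int(msg2, q)
    k = ((h1 - h2) * pow((s1 - s2) % q, -1, q)) % q
    return recover_x_from_known_k(msg1, sig1, k, q)


def demo(seed=2011):
    """Run both attacks; returns a dict the caller can compare against the true x."""
    rng = random.Random(seed)
    params = gen_params(rng)
    p, q, g = params
    x, y = keygen(rng, params)

    # Constructed weak nonce source: a seeded non-cryptographic PRNG the attacker can replay.
    weak = random.Random(0xC0FFEE)
    m1, m2 = b"first message", b"second message"
    k = weak.randrange(1, q)
    sig1 = sign(m1, x, params, k)
    sig2 = sign(m2, x, params, k)       # same k reused for a second message
    valid = verify(m1, sig1, y, params) and verify(m2, sig2, y, params)

    attacker = random.Random(0xC0FFEE)  # attacker replays the weak PRNG state
    return {
        "x": x,
        "signatures_valid": valid,
        "x_from_reuse": recover_x_from_reused_k(m1, sig1, m2, sig2, q),
        "x_from_prediction": recover_x_from_known_k(m1, sig1, attacker.randrange(1, q), q),
    }


if __name__ == "__main__":
    out = demo()
    print("true x:", out["x"])
    print("recovered via reused k:", out["x_from_reuse"])
    print("recovered via predicted k:", out["x_from_prediction"])
```

Both recoveries need only public information plus the signatures themselves, which is why the randomness source for k matters as much as the secrecy of x: the check a reviewer wants here is that k is drawn from a CSPRNG (or derived deterministically per RFC 6979) on every code path, including the one taken when /dev/random is unreadable.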