Bug 104649

Summary: CAN-2003-0692 xdm weak session cookie generation
Product: Red Hat Enterprise Linux 2.1
Reporter: Mark J. Cox <mjc>
Component: XFree86
Assignee: Mike A. Harris <mharris>
Status: CLOSED ERRATA
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 2.1
Keywords: Security
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2003-12-19 13:25:23 UTC

Description Mark J. Cox 2003-09-18 13:31:23 UTC
xdm uses a weak session cookie generation algorithm that does not provide 128 bits of entropy, which allows attackers to guess session cookies via brute force methods and gain access to the user session.

Comment 1 Mark J. Cox 2003-10-23 13:18:04 UTC
Update currently being tested

Comment 2 Mark J. Cox 2003-12-19 13:25:23 UTC
See latest XFree86 update, RHSA-2003:289