Bug 743567 (CVE-2011-3599)
| Summary: | CVE-2011-3599 perl-Crypt-DSA: Cryptographically insecure method used for random number generation on systems without /dev/random | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | paul, perl-devel, ppisar |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | perl-Crypt-DSA-1.17-10.*, perl-Crypt-DSA-0.14-8.el5 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-09-19 19:41:45 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Jan Lieskovsky
2011-10-05 12:00:01 UTC
CVE Request: [4] http://www.openwall.com/lists/oss-security/2011/10/05/5

This issue affects the versions of the perl-Crypt-DSA package as shipped with Fedora releases 14 and 15, and as shipped within the EPEL-4, EPEL-5 and EPEL-6 repositories. By 'affects' I mean that the relevant code part / fallback is present in the code. Though obviously on Fedora and EPEL systems, the safer /dev/random code branch would be used for DSA key generation. Thus this deficiency would not show, and I will leave the decision to the perl-Crypt-DSA module developers as to whether it's worth scheduling new Fedora / EPEL updates or not.

Given that no Fedora/EPEL system is actually going to be impacted by this, I'm inclined to wait until there's a new upstream release before "fixing" it.

The CVE identifier of CVE-2011-3599 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2011/10/05/9

Does SELinux policy deny access to /dev/random in some cases? If yes, then such a process would be affected. I can imagine an administrator will confine a third-party application by assigning a dedicated label to increase security. Because the default policy is to deny, the DSA generation will be doomed.

You're right. I'll look at doing an update later today.

perl-Crypt-DSA-1.17-10.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

perl-Crypt-DSA-1.17-10.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

perl-Crypt-DSA-0.14-8.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

perl-Crypt-DSA-1.17-10.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

This is now fixed in all current Fedora and EPEL releases.
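The weak fallback this bug describes (Perl's rand() used for DSA key material whenever /dev/random cannot be opened, including when an SELinux denial is the reason) beside a fail-closed alternative, as an added Perl illustration. This is not the Crypt::DSA module's own code nor the Fedora patch; the function names and the optional device-path parameter are assumptions made for the demo.

```perl
#!/usr/bin/perl
# Added illustration for this bug, not Crypt::DSA's own code: a fallback that
# silently degrades to Perl's rand() when /dev/random cannot be opened, beside
# a fail-closed replacement. Function names and the $device parameter are
# hypothetical; the default path is the device named in the report.
use strict;
use warnings;

# Weak pattern: if the device cannot be opened (missing, or an SELinux
# denial surfacing as EACCES/EPERM) the bytes come from rand(), which is
# seeded from a small amount of state and is not a CSPRNG. The caller gets
# $n bytes either way and cannot tell which source produced them.
sub random_bytes_weak {
    my ($n, $device) = @_;
    $device //= '/dev/random';
    if (open my $fh, '<:raw', $device) {
        my $buf = '';
        my $got = sysread $fh, $buf, $n;
        close $fh;
        return $buf if defined $got && $got == $n;
    }
    # Fallback: predictable output; DSA keys derived from it are weak.
    return join '', map { chr int rand 256 } 1 .. $n;
}

# Hardened pattern: fail closed. Any failure to open or read the device aborts
# key generation with the OS error, so a confined process that is denied the
# device reports "Permission denied" instead of producing a weak key.
sub random_bytes_strict {
    my ($n, $device) = @_;
    $device //= '/dev/random';
    open my $fh, '<:raw', $device
        or die "cannot open $device: $! (refusing to generate key material)\n";
    my $buf = '';
    while (length($buf) < $n) {
        # sysread appends at offset length($buf); short reads are possible,
        # so loop until exactly $n bytes have arrived.
        my $got = sysread $fh, $buf, $n - length($buf), length($buf);
        die "read from $device failed: $!\n" unless defined $got;
        die "unexpected EOF on $device\n" if $got == 0;
    }
    close $fh;
    return $buf;
}

# Demonstration: the real device and a path that stands in for a denied one.
for my $device ('/dev/random', '/nonexistent/random') {
    my $weak   = random_bytes_weak(16, $device);
    my $strict = eval { random_bytes_strict(16, $device) };
    printf "%-22s weak:   %d bytes returned (source unknown to caller)\n",
        $device, length $weak;
    my $outcome = defined $strict
        ? sprintf('%d bytes from device', length $strict)
        : do { chomp(my $e = $@); "aborted: $e" };
    printf "%-22s strict: %s\n", $device, $outcome;
}
```

On kernels older than 5.6, /dev/random blocks until the entropy pool refills, so the strict read loop may pause; the point is that its only outcomes are genuine device bytes or an error, never silently weak bytes. To check whether a confined domain can reach the device at all, `ls -Z /dev/random` shows its label (random_device_t under the Fedora targeted policy) and `ausearch -m AVC -ts recent` lists any denial recorded for the process.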