Bug 1327056 (CVE-2015-8851) - CVE-2015-8851 nodejs-node-uuid: insecure entropy source - Math.random()
Summary: CVE-2015-8851 nodejs-node-uuid: insecure entropy source - Math.random()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-8851
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1327057 1327058 1327059 1333209
Blocks: 1322326
TreeView+ depends on / blocked
 
Reported: 2016-04-14 07:53 UTC by Andrej Nemec
Modified: 2021-02-17 04:03 UTC (History)
14 users (show)

Fixed In Version: nodejs-node-uuid 1.4.4
Clone Of:
Environment:
Last Closed: 2016-09-20 19:57:43 UTC
Embargoed:

Attachments (Terms of Use)

Description Andrej Nemec 2016-04-14 07:53:03 UTC 
node-uuid prior to 1.4.4 contained a bug that caused it to consistently
fall back to using Math.random() instead of a more cryptographically sound
source of entropy, the native crypto module.

External references:

https://nodesecurity.io/advisories/93

References:

http://seclists.org/oss-sec/2016/q2/70

Upstream fix:

https://github.com/broofa/node-uuid/commit/672f3834ed02c798aa021c618d0a5666c8da000d
Comment 1 Andrej Nemec 2016-04-14 07:53:50 UTC 
Created nodejs-node-uuid tracking bugs for this issue:

Affects: fedora-all [bug 1327057]
Affects: epel-6 [bug 1327058]
Affects: epel-7 [bug 1327059]
Comment 3 Kurt Seifried 2016-09-20 19:57:06 UTC 
This issue was addressed in:

OpenShift Enterprise 3.2.1

in RHBA-2016:1343
Note You need to log in before you can comment on or make changes to this bug.