Bug 1327056 - (CVE-2015-8851) CVE-2015-8851 nodejs-node-uuid: insecure entropy source - Math.random()
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20160330,repor...
Keywords: Security
Depends On: 1327058 1327059 1327057 1333209
Blocks: 1322326
Reported: 2016-04-14 03:53 EDT by Andrej Nemec
Modified: 2016-09-20 20:26 EDT
Fixed In Version: nodejs-node-uuid 1.4.4
Doc Type: Bug Fix
Doc Text:
It was found that NodeJS node-uuid used Math.random() to create GUIDs (Globally Unique Identifiers). Math.random() does not provide enough entropy (on some platforms it only provides 32 bits), which can result in GUID collisions. An attacker could use this to guess GUID values and leverage further attacks against a system using node-uuid.
Last Closed: 2016-09-20 15:57:43 EDT
Attachments: None
Description Andrej Nemec 2016-04-14 03:53:03 EDT
node-uuid prior to 1.4.4 contained a bug that caused it to consistently
fall back to using Math.random() instead of a more cryptographically sound
source of entropy, the native crypto module.

External references:

https://nodesecurity.io/advisories/93

References:

http://seclists.org/oss-sec/2016/q2/70

Upstream fix:

https://github.com/broofa/node-uuid/commit/672f3834ed02c798aa021c618d0a5666c8da000d
Comment 1 Andrej Nemec 2016-04-14 03:53:50 EDT
Created nodejs-node-uuid tracking bugs for this issue:

Affects: fedora-all [bug 1327057]
Affects: epel-6 [bug 1327058]
Affects: epel-7 [bug 1327059]
Comment 3 Kurt Seifried 2016-09-20 15:57:06 EDT
This issue was addressed in:

OpenShift Enterprise 3.2.1

in RHBA-2016:1343
