Bug 1422009 - nodejs-ws: Use of cryptographically insecure Math.random
Summary: nodejs-ws: Use of cryptographically insecure Math.random
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1422010 1422011 1422012
Blocks:
Reported: 2017-02-14 10:11 UTC by Andrej Nemec
Modified: 2019-09-29 14:07 UTC (History)

Fixed In Version: nodejs-ws 1.1.2, nodejs-ws 2.0.0
Clone Of:
Environment:
Last Closed: 2019-06-08 03:07:37 UTC
Embargoed:



Description Andrej Nemec 2017-02-14 10:11:05 UTC
A vulnerability was found in the nodejs ws package. 

Affected versions of the package use the cryptographically insecure Math.random, which can produce predictable values and should not be used in a security-sensitive context.

References:

https://snyk.io/vuln/npm:ws:20160920
https://medium.com/@betable/tifu-by-using-math-random-f1c308c4fd9d#.t00x80pbh

Upstream bug:

https://github.com/websockets/ws/pull/832

Upstream patch:

https://github.com/websockets/ws/commit/7253f06f5432c76f3e82e2c055fcea08b612d8b2

Comment 1 Andrej Nemec 2017-02-14 10:12:05 UTC
Created nodejs-ws tracking bugs for this issue:

Affects: epel-6 [bug 1422010]
Affects: epel-7 [bug 1422011]
Affects: fedora-all [bug 1422012]

