Geoff Cant reported that the Erlang/OTP SSH library's random number generator relied on predictable seed information. A remote attacker could use this flaw to recover SSH session keys or DSA host keys.

References:
[1] http://www.kb.cert.org/vuls/id/178990
[2] http://www.erlang.org/download.html
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628456
[4] http://www.erlang.org/
[5] http://www.erlang.org/download.html

Upstream patch:
[6] https://github.com/erlang/otp/commit/f228601de45c5b53241b103af6616453c50885a5
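The flaw class described above, as an added illustration that is not part of this bug report and is not the Erlang/OTP ssh library's own code: a key derived from a deterministic PRNG seeded only with a wall-clock timestamp can be regenerated by anyone who can guess that timestamp to within a modest window, whereas key material drawn from the OS CSPRNG cannot. The Python below is a generic model of the weakness, with a constructed timestamp and a hypothetical `seed_is_guessable` audit check; it does not reproduce the actual Erlang code or the upstream patch.

```python
import random
import secrets

KEY_BYTES = 16  # length of the sample session key (constructed value)


def weak_session_key(seed_time: int, nbytes: int = KEY_BYTES) -> bytes:
    """The weak pattern: a deterministic PRNG seeded only from a wall-clock
    timestamp. Anyone who can guess the seed regenerates the same bytes."""
    rng = random.Random(seed_time)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def strong_session_key(nbytes: int = KEY_BYTES) -> bytes:
    """The fix: draw key material from the operating system's CSPRNG."""
    return secrets.token_bytes(nbytes)


def seed_is_guessable(key: bytes, approx_time: int, window: int = 3600) -> bool:
    """Audit check (hypothetical helper): True if `key` can be regenerated by
    trying every timestamp within +/- `window` seconds of the rough creation
    time. Key material from a properly seeded generator never matches."""
    nbytes = len(key)
    return any(
        weak_session_key(t, nbytes) == key
        for t in range(approx_time - window, approx_time + window + 1)
    )


def demo(now: int = 1_306_800_000) -> dict:
    """Constructed scenario: one key from each generator, audited by an
    observer whose clock estimate is two minutes off, with a one-hour window.
    Returns both audit outcomes so they can be checked."""
    weak = weak_session_key(now)
    strong = strong_session_key()
    observer_estimate = now + 120  # constructed: observer is 2 minutes off
    return {
        "weak_guessable": seed_is_guessable(weak, observer_estimate),
        "strong_guessable": seed_is_guessable(strong, observer_estimate),
    }


if __name__ == "__main__":
    print(demo())
```

The audit loop is cheap because the seed space it has to cover is tiny (a few thousand candidate timestamps); that small search space, not any weakness in the PRNG's output mixing, is what makes time-seeded key generation unsafe. Replacing the seed source is not enough if the generator itself is not cryptographic; the correct fix is to take key bytes from a CSPRNG, as `strong_session_key` does.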
This issue affects the versions of the erlang package as shipped with Fedora releases 13, 14, and 15. This issue affects the version of the erlang package present in the EPEL-6 repository. Note: the EPEL-4 and EPEL-5 erlang versions are affected too, but those are too old, and it is assumed there will be no willingness to update / rebase those.
Created erlang tracking bugs for this issue:

Affects: fedora-all [bug 709024]
Affects: epel-all [bug 709026]
This issue has been addressed by the following releases:

1) erlang-R14B-03.1.fc14 for F-14,
2) erlang-R14B-03.2.fc15 for F-15,
3) erlang-R14B-03.3.el6 for EPEL-6.