It was found that pwgen had a heavy bias towards using numbers and uppercase letters when generating random passwords. Because of this, pwgen created passwords that were weaker and easier to guess than they should have been.

There seems to be a patch here saying it fixes most of the issues:
http://marc.info/?l=oss-security&m=137049241132104&w=4

References:
http://seclists.org/oss-sec/2013/q4/116
http://www.openwall.com/lists/oss-security/2012/01/17/12
http://marc.info/?l=oss-security&m=137049241132104&w=4
Created pwgen tracking bugs for this issue:

Affects: fedora-all [bug 1020273]
Affects: epel-all [bug 1020274]
It was found that if you generated 1 extremely long password (rather than a ton of passwords) and made a histogram, there would be no bias, hence this CVE is **REJECTED**.

Reference:
http://seclists.org/oss-sec/2013/q4/162
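
The two measurements mentioned in the comments above (a histogram over many short passwords, and one over a single very long password) can be run side by side; the following is an added example, not part of the original comments and not pwgen's code. It assumes a constructed stand-in generator, `toy_password`, that draws uniformly and redraws any password lacking a digit or an uppercase letter, and all function names are hypothetical.

```python
import random
import string
from collections import Counter

ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits

def toy_password(rng, length):
    """Constructed stand-in generator (NOT pwgen's algorithm): draw uniformly,
    redraw until the password has at least one digit and one uppercase letter."""
    while True:
        pw = "".join(rng.choice(ALPHABET) for _ in range(length))
        if any(c.isdigit() for c in pw) and any(c.isupper() for c in pw):
            return pw

def class_shares(text):
    """Fraction of characters that are lowercase, uppercase and digits."""
    counts = Counter("digit" if c.isdigit() else "upper" if c.isupper() else "lower"
                     for c in text)
    return {k: counts[k] / len(text) for k in ("lower", "upper", "digit")}

def chi_square_uniform(text):
    """Pearson chi-square statistic of per-character counts against a uniform
    draw over ALPHABET (61 degrees of freedom)."""
    counts = Counter(text)
    expected = len(text) / len(ALPHABET)
    return sum((counts[c] - expected) ** 2 / expected for c in ALPHABET)

def compare(seed=1, n_short=20000, short_len=8):
    """Histogram the same number of characters two ways: pooled short
    passwords versus one long password from the same generator."""
    rng = random.Random(seed)  # seeded so the run is repeatable
    many_short = "".join(toy_password(rng, short_len) for _ in range(n_short))
    one_long = toy_password(rng, n_short * short_len)
    return {
        "many_short": (class_shares(many_short), chi_square_uniform(many_short)),
        "one_long": (class_shares(one_long), chi_square_uniform(one_long)),
    }

if __name__ == "__main__":
    for name, (shares, chi2) in compare().items():
        print(f"{name:10s} {shares}  chi2={chi2:.1f}")
```

To measure a real generator, pass its output to `class_shares` and `chi_square_uniform` in place of the toy strings, pooling passwords of the length actually used in practice.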