Bug#559789: libgnucrypto-java: CVE-2008-5659 predictable random number generator
Michael Gilbert
michael.s.gilbert at gmail.com
Mon Dec 7 03:33:43 UTC 2009
Package: libgnucrypto-java
Version: 2.1.0-2
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for classpath. libgnucrypto-java embeds classpath, so it is
also affected.
CVE-2008-5659[0]:
| The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and
| earlier uses a predictable seed based on the system time, which makes
| it easier for context-dependent attackers to conduct brute force
| attacks against cryptographic routines that use this class for
| randomness, as demonstrated against DSA private keys.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5659
http://security-tracker.debian.org/tracker/CVE-2008-5659
More information about the pkg-java-maintainers
mailing list