Bug#512532: CVE-2008-5659: The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and ...
Thomas Bläsing
thomasbl at pool.math.tu-berlin.de
Wed Jan 21 14:05:50 UTC 2009
Source: classpath
Version: <= 0.97.2
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for classpath.
CVE-2008-5659[0]:
| The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and
| earlier uses a predictable seed based on the system time, which makes
| it easier for context-dependent attackers to conduct brute force
| attacks against cryptographic routines that use this class for
| randomness, as demonstrated against DSA private keys.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For a better description of this bug please have a look at:
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=38417
The affected code you can find in classpath-0.97.2/gnu/java/security/util/PRNG.java
on the lines where ``System.currentTimeMillis();'' is used.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5659
http://security-tracker.debian.net/tracker/CVE-2008-5659
Kind regards,
Thomas.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20090121/7e8adc1f/attachment.pgp
More information about the pkg-java-maintainers
mailing list