Hi,
two CVEs might be irrelevant for Debian systems. Can they be
tagged as "unaffected"? Or do we have some systems where
/dev/urandom does not exist?
Thanks
Anton
Hi Anton, all
Well, even if there are some systems affected, I must say that if
someone has removed urandom, the behavior described is expected. I
mean, /dev/urandom is there for a reason. And yes, there are better
functions than rand(), but I can hardly see this as a vulnerability. Or
well, it is, but it is the kind of vulnerability when you remove the
device that provides randomness in the system.
I would have marked them as "minor issue".
Cheers
// Ola
On Fri, 23 Jun 2023 at 06:49, Anton Gladky <gladk@debian.org> wrote:
Hi,
two CVEs might be irrelevant for Debian systems. Can they be
tagged as "unaffected"? Or do we have some systems where
/dev/urandom does not exist?
Thanks
Anton
--
--- Inguza Technology AB --- MSc in Information Technology ----
| ola@inguza.com opal@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------
Thank you all for your replies!
@Moritz, could you please create an issue with
the possible proposal, how it should look?