Date: Wed, 1 Jan 2014 04:36:52 -0800
From: coderman <coderman@...il.com>
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Cc: debian-security-announce@...ts.debian.org
Subject: Re: [SECURITY] [DSA 2833-1] openssl security update

On Wed, Jan 1, 2014 at 4:09 AM, Moritz Muehlenhoff <jmm@...ian.org> wrote:
> ... In addition this update [...]
> no longer uses the RdRand feature available on some
> Intel CPUs as a sole source of entropy unless explicitly requested.


no CVE for the oops you were entirely dependent on RDRAND issue,
 predictable.

no release from OpenSSL with fix either? ... hard to check right now,
i think their site had some issues lately. *cough*


no list of affected packages, who may have generated potentially weak
long-lived keys if a future leak or other incident identifies RDRAND
as mass produced and distributed vulnerable to attacks against key
space / DRBG output.


i know we're all fucked six ways to sunday[0],
 but is that sufficient excuse to slack off or conveniently shy away?


best regards,



0. "QFIRE Pilot Lead"
  http://cryptome.org/2013/12/nsa-qfire.pdf
extrapolate QFIRE, BULLRUN, QUANTUM* to FY 2013
 and it is hard not to feel a bit hopeless...
  ... must find a way to detao ourselves!
