Bug#512532: CVE-2008-5659: The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and ...

Thomas Bläsing thomasbl at pool.math.tu-berlin.de
Wed Jan 21 14:05:50 UTC 2009


Source: classpath
Version: <= 0.97.2
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for classpath.

CVE-2008-5659[0]:
| The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and
| earlier uses a predictable seed based on the system time, which makes
| it easier for context-dependent attackers to conduct brute force
| attacks against cryptographic routines that use this class for
| randomness, as demonstrated against DSA private keys.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For a better description of this bug please have a look at:
	http://gcc.gnu.org/bugzilla/show_bug.cgi?id=38417

The affected code you can find in classpath-0.97.2/gnu/java/security/util/PRNG.java
on the lines where ``System.currentTimeMillis();'' is used.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5659
    http://security-tracker.debian.net/tracker/CVE-2008-5659

Kind regards,
Thomas.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20090121/7e8adc1f/attachment.pgp 


More information about the pkg-java-maintainers mailing list