Bug#512532: CVE-2008-5659: The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and ...
thomasbl at pool.math.tu-berlin.de
Wed Jan 21 14:05:50 UTC 2009
Version: <= 0.97.2
the following CVE (Common Vulnerabilities & Exposures) id was
published for classpath.
| The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and
| earlier uses a predictable seed based on the system time, which makes
| it easier for context-dependent attackers to conduct brute force
| attacks against cryptographic routines that use this class for
| randomness, as demonstrated against DSA private keys.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For a better description of this bug please have a look at:
The affected code you can find in classpath-0.97.2/gnu/java/security/util/PRNG.java
on the lines where ``System.currentTimeMillis();'' is used.
For further information see:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 197 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20090121/7e8adc1f/attachment.pgp
More information about the pkg-java-maintainers