[Pkg-nagios-devel] Bug#660585: [Secure-testing-team] Bug#660585: nagios-nrpe-server: again use secure RNG

Nico Golde nion at debian.org
Mon Feb 20 14:52:59 UTC 2012


Hi,
* Christoph Anton Mitterer <calestyo at scientia.net> [2012-02-20 13:13]:
> On Mon, 2012-02-20 at 11:58 +0100, Nico Golde wrote:
> > I'm not sure if I can agree with you here. The fact that before the patch the 
> > code was using urandom doesn't necessarily make it more secure. Actually 
> > looking at the patch, the code was using a one character seed (0..255) as a 
> > random seed before. Please see 
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=333552
> 
> Well...
> a) SSL is broken in NRPE anyway... so I rather consider this at the
> moment a "conceptual" issue than a technical one.
> 
> b) I doubt that a (probably predictable - that may be even a multi-user
> system) number made out of PID/PPID/date is more secure than a (for the
> real world) quite secure /dev/urandom.

I'm not arguing with you about what is more secure and what not. Fact is both 
solutions are not secure from a crypto perspective and there was a reason 
(which I can't judge in practice) to change the behaviour. Comparing this to 
the "openssl debacle" is ridiculous if you ask me and will likely piss people 
off.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
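As an added illustration, not code from NRPE, from Debian, or from either poster in the thread, the following C program shows why both seeding schemes argued about above are weak from an attacker's point of view and what the fix looks like. Scheme A is the "one character seed" from bug #333552: however good the byte read from /dev/urandom is, a seed in 0..255 gives at most 256 possible output streams, and one observed output is enough to recover it. Scheme B is a seed made out of PID, PPID and the date: every input is guessable by a local user, so the search space is small. The XOR mixing in pid_time_seed, the daemon PID 1234, the 60-second time window and the 32768 PID ceiling are assumptions constructed for the demonstration, and libc rand()/srand() stand in for whatever PRNG the seed feeds. The fix is to take a full key's worth of bytes straight from /dev/urandom (or OpenSSL's RAND_bytes) and never funnel them through a small integer seed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <time.h>

/* Scheme A: the whole seed is one byte, so there are only 256 possible
 * output streams no matter where the byte came from.  rand()/srand() are a
 * stand-in for the PRNG the seed feeds; only the seed space matters here. */
int first_output_for_byte_seed(unsigned char seed)
{
    srand(seed);
    return rand();
}

/* Attack on scheme A: given one observed output, try all 256 seeds.
 * Returns a seed that reproduces the observation, or -1. */
int recover_byte_seed(int observed_first_output)
{
    for (int cand = 0; cand < 256; cand++)
        if (first_output_for_byte_seed((unsigned char)cand) == observed_first_output)
            return cand;
    return -1;
}

/* Scheme B: PID, PPID and wall-clock time mixed into one integer seed.
 * The XOR mixing is a hypothetical stand-in, not the patched NRPE code; the
 * weakness is that every input is guessable by a local user. */
unsigned int pid_time_seed(pid_t pid, pid_t ppid, time_t now)
{
    return (unsigned int)pid ^ ((unsigned int)ppid << 16) ^ (unsigned int)now;
}

/* Attack on scheme B: the attacker reads the daemon's PPID from the process
 * table, knows the PID ceiling, and knows the start time to within a window.
 * Returns the number of candidates tried before one reproduced the target
 * seed (recovered inputs go to *pid_out / *t_out), or -1 if none did. */
long recover_pid_time_seed(unsigned int target, pid_t ppid,
                           time_t t_lo, time_t t_hi, pid_t pid_max,
                           pid_t *pid_out, time_t *t_out)
{
    long tried = 0;
    for (time_t t = t_lo; t <= t_hi; t++) {
        for (pid_t pid = 1; pid <= pid_max; pid++) {
            tried++;
            if (pid_time_seed(pid, ppid, t) == target) {
                *pid_out = pid;
                *t_out = t;
                return tried;
            }
        }
    }
    return -1;
}

/* Scheme B attack with constructed values: daemon PID 1234, PPID 1, a start
 * time near the thread's date, a 60 s guess window and a 32768 PID ceiling
 * (all assumptions for the demo).  Returns 1 if an equivalent seed was found
 * within the 61 * 32768 candidates, else 0. */
int pid_time_attack_demo(void)
{
    const time_t started = 1329749579;  /* constructed timestamp */
    unsigned int target = pid_time_seed(1234, 1, started);
    pid_t pid; time_t t;
    long tried = recover_pid_time_seed(target, 1, started - 30, started + 30,
                                       32768, &pid, &t);
    return tried > 0 && tried <= 61L * 32768 && pid_time_seed(pid, 1, t) == target;
}

/* Fix: read the full key's worth of bytes from /dev/urandom, looping on
 * short reads.  Returns 0 on success, -1 on failure. */
int urandom_bytes(unsigned char *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t got = 0;
    while (got < len) {
        size_t n = fread(buf + got, 1, len - got, f);
        if (n == 0) {
            fclose(f);
            return -1;
        }
        got += n;
    }
    fclose(f);
    return 0;
}

/* Self-check for the fix: two 32-byte reads succeed and differ.  Returns 1 if ok. */
int urandom_self_check(void)
{
    unsigned char a[32], b[32];
    if (urandom_bytes(a, sizeof a) != 0 || urandom_bytes(b, sizeof b) != 0)
        return 0;
    return memcmp(a, b, sizeof a) != 0;
}

int main(void)
{
    int seen = first_output_for_byte_seed(42);
    printf("scheme A: observed %d, recovered seed %d\n", seen, recover_byte_seed(seen));
    printf("scheme B: attack %s\n", pid_time_attack_demo() ? "succeeded" : "failed");
    printf("urandom:  %s\n", urandom_self_check() ? "ok" : "FAILED");
    return 0;
}
```

Both attacks finish in well under a second on any machine, which is the whole point of the thread: neither a one-byte urandom seed nor a PID/PPID/date seed survives a local attacker, and the comparison between them is moot once the seed itself is replaced by enough raw entropy.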