Re: FreeBSD: URGENT: RNG broken for last 4 months

[Loganaden Velvindron <loganaden () gmail com>]

On Wed, Feb 18, 2015 at 10:22 AM, Kurt Seifried <kseifried () redhat com> wrote:
> https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054580.html

Hi Kurt,

> From the follow-up mails it seems to affect FreeBSD-current only.
(See: https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054581.html)




> If you are running a current kernel r273872 or later, please upgrade
> your kernel to r278907 or later immediately and regenerate keys.
>
> I discovered an issue where the new framework code was not calling
> randomdev_init_reader, which means that read_random(9) was not returning
> good random data.  read_random(9) is used by arc4random(9) which is
> the primary method that arc4random(3) is seeded from.
>
> This means most/all keys generated may be predictable and must be
> regenerated.  This includes, but not limited to, ssh keys and keys
> generated by openssl.  This is purely a kernel issue, and a simple
> kernel upgrade w/ the patch is sufficient to fix the issue.
>
> --
>   John-Mark Gurney                              Voice: +1 415 225 5579
>
>      "All that I will do, has been done, All that I have, has not."
>
> =======
>
> I assume this needs a CVE, I know technically it didn't involve a
> release but quite a few people run -current (and it's a 4 month affected
> window), so if we're assigning CVE's to stuff hosted in github, then it
> seems fair that this should get one.
>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993



-- 
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.