Source: classpath Version: <= 0.97.2 Severity: grave Tags: security Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for classpath.
CVE-2008-5659[0]:
| The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and
| earlier uses a predictable seed based on the system time, which makes
| it easier for context-dependent attackers to conduct brute force
| attacks against cryptographic routines that use this class for
| randomness, as demonstrated against DSA private keys.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For a better description of this bug please have a look at:
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=38417
The affected code you can find in
classpath-0.97.2/gnu/java/security/util/PRNG.java
on the lines where ``System.currentTimeMillis();'' is used.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5659
http://security-tracker.debian.net/tracker/CVE-2008-5659
Kind regards,
Thomas.
signature.asc
Description: Digital signature
