Package: openssl
Version: 1.0.1f-1
Severity: serious
Tags: security
Justification: security issue

strace openssl genrsa 4096

Looking at the output:

open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 3
fstat(3, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
poll([{fd=3, events=POLLIN}], 1, 10)    = 1 ([{fd=3, revents=POLLIN}])
read(3, 
"\226\21L.\2707\352\242\372_\10T\306\201\320\200\351bU\206\26\2556?\303\360\223\263jw\370j",
 32) = 32
close(3)                                = 0

I’d expect OpenSSL to use more than *at best* 256 bits of
entropy for generating a key of 4096 bits length.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh

Versions of packages openssl depends on:
ii  libc6        2.18-4
ii  libssl1.0.0  1.0.1f-1

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-bundle [ca-certificates]  20130106+tarent4

-- no debconf information


--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to