[https://issues.apache.org/jira/browse/LANG-1607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17199606#comment-17199606]
Jonathan Leitschuh commented on LANG-1607:
------------------------------------------
> See e.g. this GitHub PR, which is being replicated THOUSANDS of times
I ended up generating 3,880 pull requests. I already had a bit of this debate
with the Apache Lang team here:
[https://github.com/apache/commons-lang/pull/459]
> To aid with CVE-2019-16303, consider upgrading RandomStringUtils default RNG
> ----------------------------------------------------------------------------
>
> Key: LANG-1607
> URL: https://issues.apache.org/jira/browse/LANG-1607
> Project: Commons Lang
> Issue Type: Bug
> Reporter: Frank Ch. Eigler
> Priority: Major
>
> In [https://nvd.nist.gov/vuln/detail/CVE-2019-16303], the
> org.apache.commons.lang3.RandomStringUtils randomAlphanumeric() function is
> used to generate random strings. Because of weaknesses of the default RNG,
> this allows baddies to predict other randomAlphanumeric() results, which in
> this large family of client programs, results in severe vulnerabilities.
> While the class is not documented to be "cryptographically safe", it would be
> prudent to upgrade the default RNG used in these classes to be crypto-usable
> level, such as with the java.security.SecureRandom nextBytes().
> See e.g. this GitHub PR, which is being replicated THOUSANDS of times, in
> order to work around this problem in countless users of this library.
> [https://github.com/elderdb/neptune/pull/1]
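As an added illustration (not code from this issue, the linked PRs, or Commons Lang itself), the public seven-argument `RandomStringUtils.random` overload already lets a caller pass its own `java.util.Random`, so a `SecureRandom` can be used today without waiting for the default to change. The `TokenGenerator` class name is hypothetical; the library-free variant alongside it is a plain `SecureRandom` fallback for code bases that would rather not depend on the library for token generation.

```java
import java.security.SecureRandom;
import org.apache.commons.lang3.RandomStringUtils;

// Hypothetical helper class (not part of Commons Lang) showing the weak default
// beside two SecureRandom-backed alternatives.
public final class TokenGenerator {

    // One shared SecureRandom: construction is relatively expensive and the
    // instance is thread-safe, so do not create a new one per token.
    private static final SecureRandom SECURE = new SecureRandom();

    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Weak: relies on the library's default RNG (a java.util.Random instance).
    // Acceptable for test fixtures; not for session ids, reset tokens, etc.
    static String weakToken(int length) {
        return RandomStringUtils.randomAlphanumeric(length);
    }

    // Hardened: same alphanumeric alphabet (letters=true, numbers=true,
    // start=end=0 selects the library's default range, chars=null), but the
    // code points are drawn from the supplied SecureRandom instead.
    static String secureToken(int length) {
        return RandomStringUtils.random(length, 0, 0, true, true, null, SECURE);
    }

    // Library-free equivalent: SecureRandom.nextInt(bound) is uniform over
    // [0, bound), so indexing the alphabet with it avoids modulo bias.
    static String secureTokenNoLib(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(SECURE.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println("weak      : " + weakToken(32));
        System.out.println("secure    : " + secureToken(32));
        System.out.println("secure/nolib: " + secureTokenNoLib(32));
    }
}
```

A quick code search for `randomAlphanumeric(`, `randomAlphabetic(` or `randomNumeric(` in anything that produces a credential, token or identifier is a cheap way to find call sites that should move to one of the `SecureRandom` forms.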