On Tue, 2013-04-16 at 11:11 -0400, manc...@hush.com wrote:
> Hello.
>
> I came across a thread that discusses a recent PostgreSQL security
> fix (for CVE-2013-1900). The discussion raises the possibility the
> problem lies in OpenSSL's fork protection code.
>
> Full thread here: http://marc.info/?t=136579421000001&r=1&w=2

If gettimeofday() was mixed in during the RNG reads, the vulnerability
would be prevented. Of course it would not prevent the case where the
attacker has access to the internal state of the parent process but that
is a different attack that could be prevented only by reseeding on forks
(or when a pid change is detected).

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
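
The two cases distinguished in the reply above, as an added example that is not part of the original message and is not OpenSSL code. The pool, the FNV-1a style mixing, and all constants are assumptions made for illustration; the two children are simulated as copies of one parent state rather than created with fork().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy RNG pool (an assumption for illustration, NOT OpenSSL's md_rand). */
typedef struct { uint64_t state; } pool_t;

/* FNV-1a style absorb: for a fixed byte, each step is a bijection on h. */
static uint64_t absorb(uint64_t h, const void *p, size_t n) {
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* One RNG read: the PID is always mixed in; a timestamp only if supplied. */
uint64_t pool_read(pool_t *p, uint32_t pid, const uint64_t *now_usec) {
    uint64_t h = absorb(p->state, &pid, sizeof pid);
    if (now_usec) h = absorb(h, now_usec, sizeof *now_usec);
    p->state = h;                /* state advances on every read */
    return absorb(h, "out", 3);  /* output is derived from the state */
}

/* Reseed after fork: stir fresh entropy into the inherited state. */
void pool_reseed(pool_t *p, const void *entropy, size_t n) {
    p->state = absorb(p->state, entropy, n);
}

#define PARENT_STATE 0x6a09e667f3bcc908ULL /* constructed sample value */
#define REUSED_PID   4242u                 /* constructed: PID seen twice */
#define T0           1366125071000000ULL   /* constructed time in usec */

/* Two children inherit one state and get the same PID: 1 if outputs collide. */
int same_pid_children_collide(int mix_time) {
    pool_t a = { PARENT_STATE }, b = { PARENT_STATE };
    uint64_t ta = T0, tb = T0 + 1; /* reads one microsecond apart */
    return pool_read(&a, REUSED_PID, mix_time ? &ta : NULL) ==
           pool_read(&b, REUSED_PID, mix_time ? &tb : NULL);
}

/* Attacker knows the parent state and guesses PID and time: 1 if predicted. */
int attacker_predicts(int child_reseeds) {
    pool_t child = { PARENT_STATE }, guess = { PARENT_STATE };
    uint64_t t = T0;
    if (child_reseeds) pool_reseed(&child, "fresh-entropy", 13); /* stand-in for OS entropy */
    return pool_read(&child, REUSED_PID, &t) == pool_read(&guess, REUSED_PID, &t);
}
int main(void) {
    printf("collide: pid only %d, pid+time %d\n", same_pid_children_collide(0), same_pid_children_collide(1));
    printf("predicted: no reseed %d, reseed %d\n", attacker_predicts(0), attacker_predicts(1));
    return 0;
}
```

Mixing in the time separates two children that share a PID, but it adds nothing an attacker holding the parent's state cannot guess; only entropy stirred in after the fork breaks that prediction.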