[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] [SECURITY] [DSA 2833-1] openssl security update

To: Full Disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] [SECURITY] [DSA 2833-1] openssl security update
From: coderman <coderman@xxxxxxxxx>
Date: Wed, 1 Jan 2014 04:36:52 -0800

On Wed, Jan 1, 2014 at 4:09 AM, Moritz Muehlenhoff <jmm@xxxxxxxxxx> wrote:
> ... In addition this update [...]
> no longer uses the RdRand feature available on some
> Intel CPUs as a sole source of entropy unless explicitly requested.

no CVE for the oops you were entirely dependent on RDRAND issue,
 predictable.

no release from OpenSSL with fix either? ... hard to check right now,
i think their site had some issues lately. *cough*

no list of affected packages, who may have generated potentially week
long-lived keys if a future leak or other incident identifies RDRAND
as mass produced and distributed vulnerable to attacks against key
space / DRBG output.

i know we're all fucked six ways to sunday[0],
 but is that sufficient excuse to slack off or conveniently shy away?

best regards,

0. "QFIRE Pilot Lead"
  http://cryptome.org/2013/12/nsa-qfire.pdf
extrapolate QFIRE, BULLRUN, QUANTUM* to FY 2013
 and it is hard not to feel a bit hopeless...
  ... must find a way to detao ourselves!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] [SECURITY] [DSA 2833-1] openssl security update
  - From: Moritz Muehlenhoff

Prev by Date: [Full-disclosure] [SECURITY] [DSA 2833-1] openssl security update
Next by Date: [Full-disclosure] Tool Update: Bing-ip2hosts version 0.4
Previous by thread: [Full-disclosure] [SECURITY] [DSA 2833-1] openssl security update
Next by thread: [Full-disclosure] Tool Update: Bing-ip2hosts version 0.4
Index(es):
- Date
- Thread