CVE-2019-1549

Name: CVE-2019-1549
Description: OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However, this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state, so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK, then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release                       Version             Status
openssl (PTS)      jessie                        1.0.1t-1+deb8u8     fixed
openssl (PTS)      jessie (security)             1.0.1t-1+deb8u11    fixed
openssl (PTS)      stretch (security), stretch   1.1.0k-1~deb9u1     fixed
openssl (PTS)      bullseye, buster              1.1.1c-1            vulnerable
openssl (PTS)      sid                           1.1.1d-1            fixed
openssl1.0 (PTS)   stretch (security), stretch   1.0.2s-1~deb9u1     fixed

The information below is based on the following data on fixed versions.

Package      Type     Release      Fixed Version    Urgency   Origin   Debian Bugs
openssl      source   (unstable)   1.1.1d-1         medium
openssl      source   jessie       (not affected)
openssl      source   stretch      (not affected)
openssl1.0   source   (unstable)   (not affected)

Notes

[stretch] - openssl <not-affected> (Only affects OpenSSL 1.1.1 to 1.1.1c)
[jessie] - openssl <not-affected> (Only affects OpenSSL 1.1.1 to 1.1.1c)
- openssl1.0 <not-affected> (Only affects OpenSSL 1.1.1 to 1.1.1c)
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be
https://www.openssl.org/news/secadv/20190910.txt
