Name | TEMP-0532514-9137E0 |
Description | predictable random number generator used in web browsers |
Source | Automatically generated temporary name. Not for external reference. |
Debian Bugs | 520324, 532514, 532519, 532520, 532521 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
dillo (PTS) | buster | 3.0.5-5 | fixed |
| sid, trixie, bookworm, bullseye | 3.0.5-7 | fixed |
lynx (PTS) | buster, buster (security) | 2.8.9rel.1-3+deb10u1 | fixed |
| bullseye (security), bullseye | 2.9.0dev.6-3~deb11u1 | fixed |
| sid, trixie, bookworm | 2.9.0dev.12-1 | fixed |
w3m (PTS) | buster | 0.5.3-37 | vulnerable |
| buster (security) | 0.5.3-37+deb10u1 | vulnerable |
| bullseye | 0.5.3+git20210102-6+deb11u1 | vulnerable |
| sid, trixie, bookworm | 0.5.3+git20230121-2 | vulnerable |
The information below is based on the following data on fixed versions.
Notes
The implementations for UNIX seems fine, might be fixed earlier
[lenny] - webkit <no-dsa> (Minor issue)
w3m doesn't have Javascript support and the boundary issue is harmles
chromium has provides window.crypto.getRandomValues as a strong random number generator
https://code.google.com/p/chromium/issues/detail?id=246054
lynx doesn't have Javascript and form-data support
- dillo <not-affected> (bug #532522)
These issues can be fixed in more recent upstream versions, but the risk
of regression doesn't outweigh the issue at hand