TEMP-0532514-9137E0

Name: TEMP-0532514-9137E0
Description: predictable random number generator used in web browsers
Source: Automatically generated temporary name. Not for external reference.
Debian Bugs: 520324, 532514, 532519, 532520, 532521

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| chromium-browser (PTS) | stretch | 70.0.3538.110-1~deb9u1 | fixed |
| | stretch (security) | 71.0.3578.80-1~deb9u1 | fixed |
| dillo (PTS) | stretch | 3.0.5-3 | fixed |
| | buster | 3.0.5-5 | fixed |
| | bookworm, sid, bullseye | 3.0.5-7 | fixed |
| lynx (PTS) | stretch | 2.8.9dev11-1 | fixed |
| | stretch (security) | 2.8.9dev11-1+deb9u1 | fixed |
| | buster | 2.8.9rel.1-3 | fixed |
| | buster (security) | 2.8.9rel.1-3+deb10u1 | fixed |
| | bullseye | 2.9.0dev.6-2 | fixed |
| | bullseye (security) | 2.9.0dev.6-3~deb11u1 | fixed |
| | bookworm, sid | 2.9.0dev.9-2 | fixed |
| w3m (PTS) | stretch | 0.5.3-34+deb9u1 | vulnerable |
| | buster | 0.5.3-37 | vulnerable |
| | bookworm, sid, bullseye | 0.5.3+git20210102-6 | vulnerable |

The information below is based on the following data on fixed versions.

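| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| chromium-browser | source | squeeze | (unfixed) | end-of-life | | |
| chromium-browser | source | (unstable) | 26.0.1410.43-1 | | | 520324 |
| dillo | source | (unstable) | (not affected) | | | |
| kdebase | source | (unstable) | (unfixed) | unimportant | | 532519 |
| lynx | source | (unstable) | 2.8.7rel.1-1 | unimportant | | 532520 |
| w3m | source | (unstable) | (unfixed) | unimportant | | 532521 |
| webkit | source | (unstable) | 1.2 | low | | 532514 |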

Notes

The implementations for UNIX seem fine, might be fixed earlier
[lenny] - webkit <no-dsa> (Minor issue)
w3m doesn't have JavaScript support and the boundary issue is harmless
chromium provides window.crypto.getRandomValues as a strong random number generator
https://code.google.com/p/chromium/issues/detail?id=246054
lynx doesn't have Javascript and form-data support
- dillo <not-affected> (bug #532522)
These issues can be fixed in more recent upstream versions, but the risk
of regression doesn't outweigh the issue at hand
