TEMP-0532514-9137E0

Name: TEMP-0532514-9137E0
Description: predictable random number generator used in web browsers
Source: Automatically generated temporary name. Not for external reference.
Debian Bugs: 520324, 532514, 532519, 532520, 532521

Vulnerable and fixed packages

The table below lists information on source packages.

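| Source Package | Release | Version | Status |
|---|---|---|---|
| dillo (PTS) | bookworm, bullseye | 3.0.5-7 | fixed |
| dillo (PTS) | sid, trixie | 3.0.5-7.1 | fixed |
| lynx (PTS) | bullseye (security), bullseye | 2.9.0dev.6-3~deb11u1 | fixed |
| lynx (PTS) | bookworm | 2.9.0dev.12-1 | fixed |
| lynx (PTS) | sid, trixie | 2.9.2-1 | fixed |
| w3m (PTS) | bullseye | 0.5.3+git20210102-6+deb11u1 | vulnerable |
| w3m (PTS) | sid, trixie, bookworm | 0.5.3+git20230121-2 | vulnerable |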

The information below is based on the following data on fixed versions.

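| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| chromium-browser | source | squeeze | (unfixed) | end-of-life | | |
| chromium-browser | source | (unstable) | 26.0.1410.43-1 | | | 520324 |
| dillo | source | (unstable) | (not affected) | | | |
| kdebase | source | (unstable) | (unfixed) | unimportant | | 532519 |
| lynx | source | (unstable) | 2.8.7rel.1-1 | unimportant | | 532520 |
| w3m | source | (unstable) | (unfixed) | unimportant | | 532521 |
| webkit | source | (unstable) | 1.2 | low | | 532514 |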

Notes

The implementations for UNIX seem fine, might be fixed earlier
[lenny] - webkit <no-dsa> (Minor issue)
w3m doesn't have JavaScript support and the boundary issue is harmless
chromium provides window.crypto.getRandomValues as a strong random number generator
https://code.google.com/p/chromium/issues/detail?id=246054
lynx doesn't have JavaScript and form-data support
- dillo <not-affected> (bug #532522)
These issues can be fixed in more recent upstream versions, but the risk
of regression doesn't outweigh the issue at hand
