Name | TEMP-0532514-9137E0 |
Description | predictable random number generator used in web browsers |
Source | Automatically generated temporary name. Not for external reference. |
Debian Bugs | 520324, 532514, 532519, 532520, 532521 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
dillo (PTS) | bookworm, bullseye | 3.0.5-7 | fixed |
| sid, trixie | 3.0.5-7.1 | fixed |
lynx (PTS) | bullseye (security), bullseye | 2.9.0dev.6-3~deb11u1 | fixed |
| bookworm | 2.9.0dev.12-1 | fixed |
| sid, trixie | 2.9.2-1 | fixed |
w3m (PTS) | bullseye | 0.5.3+git20210102-6+deb11u1 | vulnerable |
| sid, trixie, bookworm | 0.5.3+git20230121-2 | vulnerable |
The information below is based on the following data on fixed versions.
Notes
The implementations for UNIX seems fine, might be fixed earlier
[lenny] - webkit <no-dsa> (Minor issue)
w3m doesn't have Javascript support and the boundary issue is harmles
chromium has provides window.crypto.getRandomValues as a strong random number generator
https://code.google.com/p/chromium/issues/detail?id=246054
lynx doesn't have Javascript and form-data support
- dillo <not-affected> (bug #532522)
These issues can be fixed in more recent upstream versions, but the risk
of regression doesn't outweigh the issue at hand