| Name | TEMP-0532514-9137E0 |
| Description | predictable random number generator used in web browsers |
| Source | Automatically generated temporary name. Not for external reference. |
| Debian Bugs | 520324, 532514, 532519, 532520, 532521 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| chromium-browser (PTS) | stretch | 70.0.3538.110-1~deb9u1 | fixed |
| stretch (security) | 71.0.3578.80-1~deb9u1 | fixed |
| dillo (PTS) | stretch | 3.0.5-3 | fixed |
| buster | 3.0.5-5 | fixed |
| bookworm, sid, bullseye | 3.0.5-7 | fixed |
| lynx (PTS) | stretch | 2.8.9dev11-1 | fixed |
| stretch (security) | 2.8.9dev11-1+deb9u1 | fixed |
| buster, buster (security) | 2.8.9rel.1-3+deb10u1 | fixed |
| bullseye (security), bullseye | 2.9.0dev.6-3~deb11u1 | fixed |
| bookworm, sid | 2.9.0dev.10-1 | fixed |
| w3m (PTS) | stretch | 0.5.3-34+deb9u1 | vulnerable |
| buster | 0.5.3-37 | vulnerable |
| bookworm, sid, bullseye | 0.5.3+git20210102-6 | vulnerable |
The information below is based on the following data on fixed versions.
Notes
The implementations for UNIX seems fine, might be fixed earlier
[lenny] - webkit <no-dsa> (Minor issue)
w3m doesn't have Javascript support and the boundary issue is harmles
chromium has provides window.crypto.getRandomValues as a strong random number generator
https://code.google.com/p/chromium/issues/detail?id=246054
lynx doesn't have Javascript and form-data support
- dillo <not-affected> (bug #532522)
These issues can be fixed in more recent upstream versions, but the risk
of regression doesn't outweigh the issue at hand