| Name | TEMP-0532514-9137E0 |
| Description | predictable random number generator used in web browsers |
| Source | Automatically generated temporary name. Not for external reference. |
| Debian Bugs | 520324, 532514, 532519, 532520, 532521 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| chromium-browser (PTS) | jessie (security), jessie | 57.0.2987.98-1~deb8u1 | fixed |
| stretch | 69.0.3497.92-1~deb9u1 | fixed |
| stretch (security) | 71.0.3578.80-1~deb9u1 | fixed |
| dillo (PTS) | jessie | 3.0.4-2 | fixed |
| stretch | 3.0.5-3 | fixed |
| buster, sid | 3.0.5-4 | fixed |
| lynx (PTS) | stretch | 2.8.9dev11-1 | fixed |
| buster, sid | 2.8.9rel.1-3 | fixed |
| w3m (PTS) | jessie | 0.5.3-19+deb8u2 | vulnerable |
| stretch | 0.5.3-34+deb9u1 | vulnerable |
| buster, sid | 0.5.3-37 | vulnerable |
The information below is based on the following data on fixed versions.
Notes
The implementations for UNIX seems fine, might be fixed earlier
[lenny] - webkit <no-dsa> (Minor issue)
w3m doesn't have Javascript support and the boundary issue is harmles
chromium has provides window.crypto.getRandomValues as a strong random number generator
https://code.google.com/p/chromium/issues/detail?id=246054
lynx doesn't have Javascript and form-data support
- dillo <not-affected> (bug #532522)
These issues can be fixed in more recent upstream versions, but the risk
of regression doesn't outweigh the issue at hand