TEMP-0532514-9137E0

Name	TEMP-0532514-9137E0
Description	predictable random number generator used in web browsers
Source	Automatically generated temporary name. Not for external reference.
Debian Bugs	520324, 532514, 532519, 532520, 532521

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
chromium-browser (PTS)	wheezy, wheezy (security)	37.0.2062.120-1~deb7u1	fixed
	jessie (security), jessie	57.0.2987.98-1~deb8u1	fixed
	stretch	62.0.3202.89-1~deb9u1	fixed
	stretch (security)	64.0.3282.119-1~deb9u1	fixed
	buster	62.0.3202.89-1	fixed
	sid	66.0.3359.26-2	fixed
dillo (PTS)	wheezy	3.0.2-2	fixed
	jessie	3.0.4-2	fixed
	stretch	3.0.5-3	fixed
	buster, sid	3.0.5-4	fixed
lynx (PTS)	stretch	2.8.9dev11-1	fixed
	buster, sid	2.8.9dev17-1	fixed
w3m (PTS)	wheezy	0.5.3-8	vulnerable
	jessie	0.5.3-19+deb8u2	vulnerable
	stretch	0.5.3-34+deb9u1	vulnerable
	buster, sid	0.5.3-36	vulnerable
webkit (PTS)	wheezy	1.8.1-3.4	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Debian Bugs
chromium-browser	source	(unstable)	26.0.1410.43-1		520324
chromium-browser	source	squeeze	(unfixed)	end-of-life
dillo	source	(unstable)	(not affected)
kdebase	source	(unstable)	(unfixed)	unimportant	532519
lynx	source	(unstable)	2.8.7rel.1-1	unimportant	532520
w3m	source	(unstable)	(unfixed)	unimportant	532521
webkit	source	(unstable)	1.2	low	532514

Notes

The implementations for UNIX seems fine, might be fixed earlier
[lenny] - webkit <no-dsa> (Minor issue)
w3m doesn't have Javascript support and the boundary issue is harmles
chromium has provides window.crypto.getRandomValues as a strong random number generator
https://code.google.com/p/chromium/issues/detail?id=246054
lynx doesn't have Javascript and form-data support
- dillo <not-affected> (bug #532522)
These issues can be fixed in more recent upstream versions, but the risk
of regression doesn't outweigh the issue at hand