TEMP-0532514-9137E0

Name: TEMP-0532514-9137E0
Description: predictable random number generator used in web browsers
Source: Automatically generated temporary name. Not for external reference.
Debian Bugs: 520324, 532514, 532519, 532520, 532521

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| chromium-browser (PTS) | jessie (security), jessie | 57.0.2987.98-1~deb8u1 | fixed |
| | stretch | 63.0.3239.84-1~deb9u1 | fixed |
| | stretch (security) | 69.0.3497.92-1~deb9u1 | fixed |
| | buster, sid | 69.0.3497.92-1 | fixed |
| dillo (PTS) | jessie | 3.0.4-2 | fixed |
| | stretch | 3.0.5-3 | fixed |
| | buster, sid | 3.0.5-4 | fixed |
| lynx (PTS) | stretch | 2.8.9dev11-1 | fixed |
| | buster, sid | 2.8.9rel.1-2 | fixed |
| w3m (PTS) | jessie | 0.5.3-19+deb8u2 | vulnerable |
| | stretch | 0.5.3-34+deb9u1 | vulnerable |
| | buster, sid | 0.5.3-36 | vulnerable |

The information below is based on the following data on fixed versions.

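| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| chromium-browser | source | (unstable) | 26.0.1410.43-1 | | | 520324 |
| chromium-browser | source | squeeze | (unfixed) | end-of-life | | |
| dillo | source | (unstable) | (not affected) | | | |
| kdebase | source | (unstable) | (unfixed) | unimportant | | 532519 |
| lynx | source | (unstable) | 2.8.7rel.1-1 | unimportant | | 532520 |
| w3m | source | (unstable) | (unfixed) | unimportant | | 532521 |
| webkit | source | (unstable) | 1.2 | low | | 532514 |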

Notes

The implementations for UNIX seem fine, might be fixed earlier
[lenny] - webkit <no-dsa> (Minor issue)
w3m doesn't have Javascript support and the boundary issue is harmless
chromium provides window.crypto.getRandomValues as a strong random number generator
https://code.google.com/p/chromium/issues/detail?id=246054
lynx doesn't have Javascript and form-data support
- dillo <not-affected> (bug #532522)
These issues can be fixed in more recent upstream versions, but the risk
of regression doesn't outweigh the issue at hand
