CVE-2011-3599
First published: Wed Oct 05 2011(Updated: )
It has been reported that Crypt::DSA, a Perl module for DSA signatures and key generation, used cryptographically weak / insecure method for random numbers generation on systems, where /dev/random file was not present. Due this flaw an attacker could be able to discover some portions of / whole secret DSA key, which has been created on such system. References: [1] <a href="http://secunia.com/advisories/46275/">http://secunia.com/advisories/46275/</a> [2] <a href="https://rt.cpan.org/Public/Bug/Display.html?id=71421">https://rt.cpan.org/Public/Bug/Display.html?id=71421</a> Proposed upstream patch is to remove the affected fallback code part: [3] <a href="https://rt.cpan.org/Public/Bug/Display.html?id=71421#txn-984052">https://rt.cpan.org/Public/Bug/Display.html?id=71421#txn-984052</a> (though not approved yet)
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/perl-Crypt-DSA-1.17 | <10. | 10. |
| Adam Kennedy Crypt-dsa | <=1.17 | |
| Adam Kennedy Crypt-dsa | =0.01 | |
| Adam Kennedy Crypt-dsa | =0.02 | |
| Adam Kennedy Crypt-dsa | =0.03 | |
| Adam Kennedy Crypt-dsa | =0.10 | |
| Adam Kennedy Crypt-dsa | =0.11 | |
| Adam Kennedy Crypt-dsa | =0.12 | |
| Adam Kennedy Crypt-dsa | =0.13 | |
| Adam Kennedy Crypt-dsa | =0.14 | |
| Adam Kennedy Crypt-dsa | =0.15_01 | |
| Adam Kennedy Crypt-dsa | =1.16 | |
| Perl Perl |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://rt.cpan.org/Public/Bug/Display.html?id=71421
- https://bugzilla.redhat.com/show_bug.cgi?id=743567
- http://www.openwall.com/lists/oss-security/2011/10/05/9
- http://www.openwall.com/lists/oss-security/2011/10/05/5
- http://secunia.com/advisories/46275
- http://www.securityfocus.com/bid/49928
- http://osvdb.org/76025
- http://secunia.com/advisories/46275/
- https://rt.cpan.org/Public/Bug/Display.html?id=71421#txn-984052
- https://access.redhat.com/security/cve/CVE-2011-3599
- collector/nvd-historical
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/references
- agent/last-modified-date
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2011-3599
- agent/software-canonical-lookup
- agent/tags
- agent/event
- vendor/adam kennedy
- canonical/adam kennedy crypt-dsa
- version/adam kennedy crypt-dsa/1.17
- version/adam kennedy crypt-dsa/0.01
- version/adam kennedy crypt-dsa/0.02
- version/adam kennedy crypt-dsa/0.03
- version/adam kennedy crypt-dsa/0.10
- version/adam kennedy crypt-dsa/0.11
- version/adam kennedy crypt-dsa/0.12
- version/adam kennedy crypt-dsa/0.13
- version/adam kennedy crypt-dsa/0.14
- version/adam kennedy crypt-dsa/0.15_01
- version/adam kennedy crypt-dsa/1.16
- vendor/perl
- canonical/perl perl
- package-manager/redhat