CVE-2011-3599
First published: Wed Oct 05 2011(Updated: )
It has been reported that Crypt::DSA, a Perl module for DSA signatures and key generation, used cryptographically weak / insecure method for random numbers generation on systems, where /dev/random file was not present. Due this flaw an attacker could be able to discover some portions of / whole secret DSA key, which has been created on such system. References: [1] <a href="http://secunia.com/advisories/46275/">http://secunia.com/advisories/46275/</a> [2] <a href="https://rt.cpan.org/Public/Bug/Display.html?id=71421">https://rt.cpan.org/Public/Bug/Display.html?id=71421</a> Proposed upstream patch is to remove the affected fallback code part: [3] <a href="https://rt.cpan.org/Public/Bug/Display.html?id=71421#txn-984052">https://rt.cpan.org/Public/Bug/Display.html?id=71421#txn-984052</a> (though not approved yet)
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/perl-Crypt-DSA-1.17 | <10. | 10. |
| Crypt-DSA (Adam Kennedy) | <=1.17 | |
| Crypt-DSA (Adam Kennedy) | =0.01 | |
| Crypt-DSA (Adam Kennedy) | =0.02 | |
| Crypt-DSA (Adam Kennedy) | =0.03 | |
| Crypt-DSA (Adam Kennedy) | =0.10 | |
| Crypt-DSA (Adam Kennedy) | =0.11 | |
| Crypt-DSA (Adam Kennedy) | =0.12 | |
| Crypt-DSA (Adam Kennedy) | =0.13 | |
| Crypt-DSA (Adam Kennedy) | =0.14 | |
| Crypt-DSA (Adam Kennedy) | =0.15_01 | |
| Crypt-DSA (Adam Kennedy) | =1.16 | |
| Perl 5.30.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://rt.cpan.org/Public/Bug/Display.html?id=71421
- https://bugzilla.redhat.com/show_bug.cgi?id=743567
- http://www.openwall.com/lists/oss-security/2011/10/05/9
- http://www.openwall.com/lists/oss-security/2011/10/05/5
- http://secunia.com/advisories/46275
- http://www.securityfocus.com/bid/49928
- http://osvdb.org/76025
- http://secunia.com/advisories/46275/
- https://rt.cpan.org/Public/Bug/Display.html?id=71421#txn-984052
- https://access.redhat.com/security/cve/CVE-2011-3599
Frequently Asked Questions
What is the severity of CVE-2011-3599?
CVE-2011-3599 is considered a high severity vulnerability due to its potential to allow attackers to compromise cryptographic security.
How do I fix CVE-2011-3599?
To fix CVE-2011-3599, you should upgrade the Crypt::DSA Perl module to version 1.17 or later.
Which versions of Crypt::DSA are affected by CVE-2011-3599?
CVE-2011-3599 affects Crypt::DSA versions prior to 1.17, including versions 0.01 through 1.16.
What kind of flaw is CVE-2011-3599?
CVE-2011-3599 is a cryptographic flaw involving weak random number generation.
Who is the vendor of the affected software in CVE-2011-3599?
The affected software, Crypt::DSA, is maintained by Adam Kennedy.
- collector/nvd-historical
- agent/type
- agent/first-publish-date
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/references
- agent/last-modified-date
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2011-3599
- agent/software-canonical-lookup
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/adam kennedy
- canonical/crypt-dsa (adam kennedy)
- version/crypt-dsa (adam kennedy)/1.17
- version/crypt-dsa (adam kennedy)/0.01
- version/crypt-dsa (adam kennedy)/0.02
- version/crypt-dsa (adam kennedy)/0.03
- version/crypt-dsa (adam kennedy)/0.10
- version/crypt-dsa (adam kennedy)/0.11
- version/crypt-dsa (adam kennedy)/0.12
- version/crypt-dsa (adam kennedy)/0.13
- version/crypt-dsa (adam kennedy)/0.14
- version/crypt-dsa (adam kennedy)/0.15_01
- version/crypt-dsa (adam kennedy)/1.16
- vendor/perl
- canonical/perl 5.30.0