Fedora has issued an advisory on September 4: https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115603.html Fedora patch to fix this issue: http://pkgs.fedoraproject.org/cgit/perl-Crypt-DSA.git/plain/remove-fallback.patch?id=aadaaacc0620568258e1311124accebc22be8c83 Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO, MGA2TOO
I have uploaded patched packages for Mageia 2 and 3. No idea how to test it. Suggested advisory: ======================== The Crypt::DSA (aka Crypt-DSA) module 1.17 and earlier for Perl, when /dev/random is absent, uses the Data::Random module, which makes it easier for remote attackers to spoof a signature, or determine the signing key of a signed message, via a brute-force attack. This update removes the fallback to Data::Random. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3599 http://lwn.net/Vulnerabilities/566719/ ======================== Updated packages in core/updates_testing: ======================== Mageia 3: perl-Crypt-DSA-1.170.0-2.1.mga3.noarch.rpm Source RPM: perl-Crypt-DSA-1.170.0-2.1.mga3.src.rpm Mageia 2: perl-Crypt-DSA-1.170.0-1.1.mga2.noarch.rpm Source RPM: perl-Crypt-DSA-1.170.0-1.1.mga2.src.rpm
CC: (none) => mageiaVersion: Cauldron => 3Assignee: jquelin => qa-bugsWhiteboard: MGA3TOO, MGA2TOO => MGA2TOO
Thanks Sander! Just making some minor formatting changes to the advisory. Suggested advisory: ======================== The Crypt::DSA (aka Crypt-DSA) module 1.17 and earlier for Perl, when /dev/random is absent, uses the Data::Random module, which makes it easier for remote attackers to spoof a signature, or determine the signing key of a signed message, via a brute-force attack (CVE-2011-3599). This update removes the fallback to Data::Random. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3599 https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115603.html ======================== Updated packages in core/updates_testing: ======================== perl-Crypt-DSA-1.170.0-1.1.mga2 perl-Crypt-DSA-1.170.0-2.1.mga3 Source RPMs: perl-Crypt-DSA-1.170.0-1.1.mga2.src.rpm perl-Crypt-DSA-1.170.0-2.1.mga3.src.rpm
Advisory 11226.adv committed to svn.
CC: (none) => davidwhodgins
Created attachment 4373 [details] perl script for testing perl-Crypt-DSA
Testing complete on Mageia 2 i586. Before the update, after temporarily renaming /dev/random and /dev/urandom) Script fails with Can't locate Data/Random.pm. After the update it fails with makerandom requires /dev/random. After renaming /dev/random and urandom back to normal, the script works. Note that there is no output. Using strace output to verify it's working. I'll test x86_64 and Mageia 3 shortly.
Whiteboard: MGA2TOO => MGA2TOO MGA2-32-OK
Testing complete. Someone from the sysadmin team please push 11226.adv to updates.
Keywords: (none) => validated_updateWhiteboard: MGA2TOO MGA2-32-OK => MGA2TOO MGA2-32-OK MGA2-64-OK MGA3-64-OK MGA3-32-OKCC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0289.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED