Fedora issued an advisory on December 6: https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146237.html

The issues are fixed upstream in 2.07. The update is checked into Mageia 4 and Cauldron SVN. Freeze push requested for Cauldron.
URL: (none) => http://lwn.net/Vulnerabilities/626425/
Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated pwgen package fixes security vulnerabilities:

Pwgen was found to generate weak non-tty passwords by default, which could be brute-forced with a commendable success rate, which could raise security concerns (CVE-2013-4440).

Pwgen was found to silently fall back to using standard pseudo-generated numbers on systems that heavily use entropy. On systems such as those with many daemons providing encryption services, the entropy was found to be exhausted, which forces pwgen to fall back to using standard pseudo-generated numbers (CVE-2013-4442).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4442
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146237.html
========================

Updated packages in core/updates_testing:
========================
pwgen-2.07-1.mga4

from pwgen-2.07-1.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
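As an added illustration of the two failure modes the advisory above describes (this is example code written for this thread, not code from pwgen or the Mageia package): a minimal password generator that fails closed when the kernel random device cannot be read, shown beside the silent-fallback pattern CVE-2013-4442 names, and that picks symbols without modulo bias. The device path, alphabet and function names are assumptions.

```python
import os
import random

# Constructed alphabet for the example (assumption, not pwgen's exact set).
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


class RandomSourceUnavailable(RuntimeError):
    """Raised when no cryptographic random source can be read."""


def read_random(nbytes, device="/dev/urandom"):
    """Read nbytes from the kernel CSPRNG device; never fall back silently."""
    try:
        with open(device, "rb") as f:
            data = f.read(nbytes)
    except OSError as exc:
        raise RandomSourceUnavailable(f"cannot read {device}: {exc}") from exc
    if len(data) != nbytes:
        raise RandomSourceUnavailable(f"short read from {device}")
    return data


def weak_read_random(nbytes, device="/dev/urandom"):
    """The silent-fallback anti-pattern: on any error, quietly use a seeded,
    non-cryptographic PRNG instead of failing. Output is predictable."""
    try:
        return read_random(nbytes, device)
    except RandomSourceUnavailable:
        rng = random.Random(os.getpid())  # guessable seed, weak output
        return bytes(rng.getrandbits(8) for _ in range(nbytes))


def generate_password(length, alphabet=ALPHABET, device="/dev/urandom",
                      reader=read_random):
    """Build a password by rejection sampling so every symbol is equally
    likely (byte % len(alphabet) alone would favour the low symbols)."""
    n = len(alphabet)
    limit = 256 - (256 % n)  # largest multiple of n that fits in a byte
    out = []
    while len(out) < length:
        for b in reader(length, device):
            if b < limit:
                out.append(alphabet[b % n])
                if len(out) == length:
                    break
    return "".join(out)
```

With the fail-closed reader an unreadable device raises RandomSourceUnavailable; with the fallback reader the same call quietly returns a password that repeats across calls in the same process.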
Testing on Mageia4x32 real hardware

Didn't find any PoC concerning the security vulnerabilities, so tested the current and testing packages to see if any regression could be found.

Current package:
----------------
pwgen-2.06-9.mga4

Generated 3 random passwords with 9 characters:
$ pwgen 9 3
Wah7xeixe yaipaej9A veum2zieG
Re-did it to verify it didn't give the same result = OK

Same with one password per line:
$ pwgen -1 9 3
Wae9ohngu
yij3Zae9c
aeChoo0Vi

In a directory containing a file named boite.jpg, generated a non-random password from this file and the word mageia:
$ pwgen -sy -H boite.jpg#mageia 9 3
[|3ir^qJl U}9hcF7L/ ][/F1)j=^
Did it a second time to verify it gave the same results = OK

Updated testing package:
-----------------------
pwgen-2.07-1.mga4

Ran the same tests, all OK; verified that pwgen -sy -H boite.jpg#mageia 9 3 still gave the same result = OK
CC: (none) => olchal
Whiteboard: (none) => MGA4-32-OK
Testing on Mageia4x64 real hardware using the same procedure as in comment 2

From pwgen-2.06-9.mga4
To pwgen-2.07-1.mga4

All OK
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK
Validating. Advisory uploaded. Please push to 4 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory has_procedure MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0535.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED