Package: tinyca
Version: 0.7.5-5
Severity: important
Tags: security

Tinyca apparently uses /dev/urandom when generating keys. This can produce weak keys, as the source of data may not be sufficiently random.

After running:

  strace -o tinyca2.log tinyca2

And generating a new key in the UI, it appears to have used /dev/urandom:

  grep random tinyca2.log

Given the security implications, this should probably get upgraded to an RC bug and fixed for jessie...

live well,
  vagrant

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing'), (120, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tinyca depends on:
ii  libgtk2-perl            2:1.2492-4
ii  liblocale-gettext-perl  1.05-8+b1
ii  openssl                 1.0.1k-1

Versions of packages tinyca recommends:
ii  zip  3.0-8

tinyca suggests no packages.

-- no debconf information
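
An added example, not part of the original report: the strace/grep check above, extended to follow each file descriptor and total the bytes actually read from each kernel RNG interface. It assumes single-process `strace -o` output (no -f PID prefix); the names random_reads and sample_log are hypothetical, the trace is constructed, and the getrandom() case goes beyond what the report covers.

```shell
#!/bin/sh
# Added example: total the bytes a traced process read from each kernel RNG
# interface, given `strace -o` output for a single process (no -f PID prefix).

random_reads() {
    LC_ALL=C awk '
    # Return value of a syscall line: the number after the last ") = ".
    function ret(s) { sub(/.*\) = /, "", s); return s + 0 }

    # open()/openat() of a random device: remember the fd it returned.
    /^(open|openat)\(/ && /"\/dev\/u?random"/ {
        path = $0; sub(/^[^"]*"/, "", path); sub(/".*/, "", path)
        if (ret($0) >= 0) dev[ret($0)] = path
        next
    }
    # read() on a tracked fd: add the byte count the kernel returned.
    /^read\(/ {
        fd = $0; sub(/^read\(/, "", fd); sub(/,.*/, "", fd)
        if ((fd in dev) && ret($0) > 0) bytes[dev[fd]] += ret($0)
        next
    }
    # close() ends tracking, so a reused fd number is not miscounted.
    /^close\(/ {
        fd = $0; sub(/^close\(/, "", fd); sub(/\).*/, "", fd)
        delete dev[fd]
        next
    }
    # getrandom(2) (kernels 3.17+) bypasses the device nodes entirely.
    /^getrandom\(/ && ret($0) > 0 { bytes["getrandom()"] += ret($0) }

    END { for (p in bytes) printf "%s %d\n", p, bytes[p] }
    ' "$@" | LC_ALL=C sort
}

# Constructed sample trace (not real tinyca2 output).
sample_log() {
    cat <<'EOF'
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 3
read(3, "\235\362\16\4"..., 32) = 32
close(3) = 0
open("/dev/random", O_RDONLY) = -1 EACCES (Permission denied)
open("/tmp/other.dat", O_RDONLY) = 3
read(3, "abc, def) = 9"..., 4096) = 1024
close(3) = 0
openat(AT_FDCWD, "/dev/urandom", O_RDONLY) = 4
read(4, "\7\301"..., 32) = 32
getrandom("\x1f\x02"..., 16, GRND_NONBLOCK) = 16
EOF
}

sample_log | random_reads
```

Run against a real trace as `random_reads tinyca2.log`; a device that was opened but never read from does not appear in the output.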