Package: php5
Version: 5.2.6-3
Severity: important
Tags: security

From CVE-2008-4107:
The (1) rand and (2) mt_rand functions in PHP 5.2.6 do not produce
cryptographically strong random numbers, which allows attackers to
leverage exposures in products that rely on these functions for
security-relevant functionality, as demonstrated by the password-reset
functionality in Joomla! 1.5.x and WordPress before 2.6.2, a different
vulnerability than CVE-2008-2107, CVE-2008-2108, and CVE-2008-4102.


The advisory
http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/
talks about a new suhosin release that fixes this in php and not in the
applications. Maybe this fix could be backported to lenny once it becomes
available?
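For context on the application-side pattern the CVE describes, the following is an added example (not code from this bug report, the CVE text, or the suhosin patch): a password-reset token built on mt_rand() next to one drawn from the operating-system CSPRNG, with constant-time verification of a hashed copy. The helper names are assumptions of this example, not PHP API.

```php
<?php
// Added example: contrast a reset token built on mt_rand() (the pattern the
// CVE describes) with one drawn from the OS CSPRNG. Helper names
// (weak_reset_token, strong_reset_token, token_matches) are assumed here.

// Weak: mt_rand() is a deterministic generator driven by a small seed, so its
// output is not unpredictable and must not gate a security decision.
function weak_reset_token() {
    $token = '';
    for ($i = 0; $i < 32; $i++) {
        $token .= dechex(mt_rand(0, 15));
    }
    return $token;
}

// Strong: 16 bytes (128 bits) from the kernel CSPRNG. random_bytes() exists
// from PHP 7.0; older builds such as 5.2.x fall back to /dev/urandom, and
// refuse to issue a token if no CSPRNG source is available.
function strong_reset_token() {
    if (function_exists('random_bytes')) {
        $raw = random_bytes(16);
    } else {
        $fh = @fopen('/dev/urandom', 'rb');
        if ($fh === false) {
            throw new Exception('no CSPRNG source available; refusing to issue a token');
        }
        $raw = fread($fh, 16);
        fclose($fh);
        if (strlen($raw) !== 16) {
            throw new Exception('short read from /dev/urandom');
        }
    }
    return bin2hex($raw);
}

// Store only a hash of the token server-side and compare in constant time,
// so a leaked database row or a timing difference does not reveal a token.
function token_matches($stored_hash, $presented) {
    $candidate = hash('sha256', $presented);
    if (function_exists('hash_equals')) {          // PHP >= 5.6
        return hash_equals($stored_hash, $candidate);
    }
    if (strlen($stored_hash) !== strlen($candidate)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($candidate); $i++) {
        $diff |= ord($stored_hash[$i]) ^ ord($candidate[$i]);
    }
    return $diff === 0;
}

$token  = strong_reset_token();          // send this to the user
$stored = hash('sha256', $token);        // persist only the hash
var_dump(token_matches($stored, $token));
```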


