2008/9/24 Stefan Fritsch <[EMAIL PROTECTED]>:
> Package: php5
> Version: 5.2.6-3
> Severity: important
> Tags: security
>
> From CVE-2008-4107:
> The (1) rand and (2) mt_rand functions in PHP 5.2.6 do not produce
> cryptographically strong random numbers, which allows attackers to
> leverage exposures in products that rely on these functions for
> security-relevant functionality, as demonstrated by the password-reset
> functionality in Joomla! 1.5.x and WordPress before 2.6.2, a different
> vulnerability than CVE-2008-2107, CVE-2008-2108, and CVE-2008-4102.
IIRC it is just about calling mt_rand a couple of times every now and then without using the generated values.

> The advisory
> http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/
> talks about a new suhosin release that fixes this in php and not in the
> applications. Maybe this fix could be backported to lenny once it becomes
> available?

Blocked by #498621, see #497871

> Cheers,

--
Atomo64 - Raphael

Please avoid sending me Word, PowerPoint or Excel attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
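An added illustration of the weakness class the CVE describes, not code from the bug report, from PHP or from suhosin: a password-reset token built from mt_rand(), which is a deterministic generator with a small seed and so not suitable for secrets, beside the same token drawn from the operating system CSPRNG and stored as a hash. It assumes PHP 7 or later for random_bytes(); all function names are hypothetical.

```php
<?php
// Added example (not from the bug report). Weak: mt_rand() is a Mersenne
// Twister with a 32-bit seed and fully deterministic state, so tokens built
// this way are far weaker than their length suggests. This is the pattern
// CVE-2008-4107 names for PHP 5.2.6 password-reset flows.
function weakResetToken(int $length = 32): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $token;
}

// Fixed: draw the token from the OS CSPRNG. random_bytes() (PHP >= 7)
// throws instead of silently falling back to a weak source.
function strongResetToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

// Persist only a hash of the token so a database read does not leak
// usable reset links; verify with hash_equals() for a constant-time compare.
function tokenHashForStorage(string $token): string
{
    return hash('sha256', $token);
}

function verifyResetToken(string $presented, string $storedHash): bool
{
    return hash_equals($storedHash, hash('sha256', $presented));
}

// Usage: generate on request, store the hash, check the presented value.
$token  = strongResetToken();
$stored = tokenHashForStorage($token);
var_dump(verifyResetToken($token, $stored));
var_dump(verifyResetToken('not-the-token', $stored));
```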