Package: pwgen
Severity: grave
Tags: security
Justification: user security hole

Hi Theodore,

multiple CVEs were just assigned to pwgen, following the analysis by Solar Designer and other people (see thread at http://marc.info/?l=oss-security&m=138015793928431&w=2)

CVE-2013-4440 non-tty passwords are trivially weak by default
CVE-2013-4441 Phonemes mode has heavy bias and is enabled by default
CVE-2013-4442 Silent fallback to insecure entropy
CVE-2013-4443 Secure mode has bias towards numbers and uppercase letters

I'm not too sure how to handle that, especially for stable releases, since it seems major refactoring might be needed to get rid of the weaknesses and bias.

Regards,
-- 
Yves-Alexis Perez
Debian Security

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (450, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
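Added example, not code from the bug report, from pwgen, or from the oss-security analysis it cites: a small check of the kind that backs a "bias towards numbers and uppercase letters" finding. It counts the character classes in a batch of generated passwords and compares them with a uniform draw over an assumed alphabet of [a-zA-Z0-9] using a chi-square statistic. The two generators in the block are constructed only to feed the check: one draws uniformly, the other discards any password without an uppercase letter and a digit. That "must contain" rule is an assumed mechanism chosen to show how such a policy skews class frequencies; it is not a description of how pwgen builds its passwords.

```python
import random
import string
from collections import Counter
from typing import Dict, List, Tuple

# Assumed alphabet for the check: lower, upper and digits (62 symbols).
CLASSES: Dict[str, str] = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
}
ALPHABET = "".join(CLASSES.values())
ALPHABET_SIZE = len(ALPHABET)


def classify(ch: str) -> str:
    """Name the class a character belongs to; reject anything outside the alphabet."""
    for name, members in CLASSES.items():
        if ch in members:
            return name
    raise ValueError(f"character {ch!r} is outside the assumed alphabet")


def class_counts(passwords: List[str]) -> Counter:
    """Count characters of each class across the whole batch."""
    counts: Counter = Counter()
    for pw in passwords:
        for ch in pw:
            counts[classify(ch)] += 1
    return counts


def chi_square(passwords: List[str]) -> Tuple[float, Dict[str, float]]:
    """Chi-square statistic of class counts against a uniform draw over the alphabet.

    Returns (statistic, observed share per class). With three classes the
    statistic has 2 degrees of freedom: for an unbiased generator it stays
    small however large the batch is, while anything above ~14 is already
    significant at the 0.1% level.
    """
    observed = class_counts(passwords)
    total = sum(observed.values())
    stat = 0.0
    shares: Dict[str, float] = {}
    for name, members in CLASSES.items():
        expected = total * len(members) / ALPHABET_SIZE
        stat += (observed[name] - expected) ** 2 / expected
        shares[name] = observed[name] / total
    return stat, shares


# --- constructed generators used only to feed the check ---------------------

def uniform_batch(seed: int, n: int, length: int) -> List[str]:
    """Constructed sample: every character drawn uniformly from the alphabet."""
    rng = random.Random(seed)
    return ["".join(rng.choices(ALPHABET, k=length)) for _ in range(n)]


def policy_batch(seed: int, n: int, length: int) -> List[str]:
    """Constructed sample: uniform draws, but any password lacking an uppercase
    letter or a digit is thrown away. Assumed mechanism for illustration only,
    not pwgen's algorithm: the rejection step is what skews the class shares."""
    rng = random.Random(seed)
    out: List[str] = []
    while len(out) < n:
        pw = "".join(rng.choices(ALPHABET, k=length))
        if any(c.isupper() for c in pw) and any(c.isdigit() for c in pw):
            out.append(pw)
    return out


if __name__ == "__main__":
    for label, batch in (("uniform", uniform_batch(0, 2000, 8)),
                         ("policy", policy_batch(0, 2000, 8))):
        stat, shares = chi_square(batch)
        print(f"{label:8s} chi2={stat:8.2f} "
              + " ".join(f"{k}={v:.3f}" for k, v in shares.items()))
```

To apply this to a real generator, feed it the lines of an actual run (for example the output of `pwgen -s 8 10000`) instead of the constructed batches; a statistic that keeps growing with the batch size is the signature of a biased generator, whereas sampling noise alone keeps it near the degrees of freedom. Per-class counts are a coarse test: a generator can pass it and still be biased at the level of individual characters or positions, so the same comparison should also be run per symbol and per position.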