FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Erlang -- ssh library uses a weak random number generator

Affected packages
erlang < r14b03

Details

VuXML ID e4833927-86e5-11e0-a6b4-000a5e1e33c6
Discovery 2011-05-25
Entry 2011-05-25

US-CERT reports:

The Erlang/OTP ssh library implements a number of cryptographic operations that depend on cryptographically strong random numbers. Unfortunately the RNG used by the library is not cryptographically strong, and is further weakened by the use of predictable seed material. The RNG (Wichman-Hill) is not mixed with an entropy source.

References

CVE Name CVE-2011-0766
URL http://www.erlang.org/download/otp_src_R14B03.readme
URL https://github.com/erlang/otp/commit/f228601de45c5b53241b103af6616453c50885a5