---------------------------------------------------------------------- Want a new IT Security job? Vacant positions at Secunia: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Perl Net::SSLeay Module Entropy Source Manipulation SECUNIA ADVISORY ID: SA15207 VERIFY ADVISORY: http://secunia.com/advisories/15207/ CRITICAL: Less critical IMPACT: Manipulation of data WHERE: Local system SOFTWARE: Net::SSLeay 1.x (module for Perl) http://secunia.com/product/5038/ DESCRIPTION: Javier Fernandez-Sanguino Pena has reported a vulnerability in the Net::SSLeay module for Perl, which can be exploited by malicious, local users to weaken certain cryptographic operations. The vulnerability is caused due an error where the entropy source is improperly taken from a temporary file if the "EGD_PATH" environment variable is not defined. This can be exploited to weaken certain cryptographic operations via a "/tmp/entropy" file with known contents. SOLUTION: Set the "EGD_PATH" environment variable. PROVIDED AND/OR DISCOVERED BY: Javier Fernandez-Sanguino Pena ORIGINAL ADVISORY: http://www.ubuntulinux.org/support/documentation/usn/usn-113-1 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------