Unsafe use of g_random_int()
Richard Laager
rlaager at wiktel.com
Sat Aug 15 12:46:07 EDT 2015
On 08/15/2015 11:30 AM, Ethan Blanton wrote:
> Mike is prepared to put a CSPRNG in purple 2 (using
> /dev/urandom), and purple 3 will have a proper RNG interface in
> purple_util (using an SSL library if available, and urandom if not).
Why can't the proper RNG interface go into purple 2 with a minor version
bump?
> But ... do we just publish the CVE, fix it and let it sit until the
> next purple-2 release, or do we coordinate a purple-2 release for
> shortly after GSoC with this fix in place? Thoughts?
I think we should release as soon as possible. Cutting another release,
for any reason, will allow us to get the signatures right. We're getting
complaints about the Windows installer and about Mark's signatures on
the tarballs being from an old, revoked key.
--
Richard
More information about the security
mailing list