Advisories » MGASA-2013-0289

Updated perl-Crypt-DSA package fixes security vulnerability

Publication date: 24 Sep 2013
Modification date: 24 Sep 2013
Type: security
Affected Mageia releases : 2 , 3
CVE: CVE-2011-3599

Description

The Crypt::DSA (aka Crypt-DSA) module 1.17 and earlier for Perl, when
/dev/random is absent, uses the Data::Random module, which makes it easier
for remote attackers to spoof a signature, or determine the signing key of
a signed message, via a brute-force attack (CVE-2011-3599).

This update removes the fallback to Data::Random.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=11226
• https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115603.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3599

SRPMS

2/core

• perl-Crypt-DSA-1.170.0-1.1.mga2

3/core

• perl-Crypt-DSA-1.170.0-2.1.mga3