Advisories » MGASA-2014-0535

Updated pwgen package fixes security vulnerabilities

Publication date: 19 Dec 2014
Modification date: 19 Dec 2014
Type: security
Affected Mageia releases : 4
CVE: CVE-2013-4440 , CVE-2013-4442

Description

Updated pwgen package fixes security vulnerabilities:

Pwgen was found to generate weak non-tty passwords by default, which could
be brute-forced with a commendable success rate, which could raise security
concerns (CVE-2013-4440).

Pwgen was found to silently falling back to use standard pseudo generated
numbers on the systems that heavily use entropy. Systems, such as those with
a lot of daemons providing encryption services, the entropy was found to be
exhausted, which forces pwgen to fall back to use standard pseudo generated
numbers (CVE-2013-4442).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=14809
• https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146237.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4440
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4442

SRPMS

4/core

• pwgen-2.07-1.mga4