{
  "schema_version": "1.7.0",
  "id": "MGASA-2014-0535",
  "published": "2014-12-19T15:06:35Z",
  "modified": "2014-12-19T14:58:14Z",
  "summary": "Updated pwgen package fixes security vulnerabilities",
  "details": "Updated pwgen package fixes security vulnerabilities:\n\nPwgen was found to generate weak non-tty passwords by default, which could\nbe brute-forced with a commendable success rate, which could raise security\nconcerns (CVE-2013-4440).\n\nPwgen was found to silently falling back to use standard pseudo generated\nnumbers on the systems that heavily use entropy. Systems, such as those with\na lot of daemons providing encryption services, the entropy was found to be\nexhausted, which forces pwgen to fall back to use standard pseudo generated\nnumbers (CVE-2013-4442).\n",
  "upstream": [
    "CVE-2013-4440",
    "CVE-2013-4442"
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://advisories.mageia.org/MGASA-2014-0535.html"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=14809"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146237.html"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Mageia:4",
        "name": "pwgen",
        "purl": "pkg:rpm/mageia/pwgen?arch=source&distro=mageia-4"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.07-1.mga4"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    }
  ],
  "credits": [
    {
      "name": "Mageia",
      "type": "COORDINATOR",
      "contact": [
        "https://wiki.mageia.org/en/Packages_Security_Team"
      ]
    }
  ]
}