Posted 12-08-2007, 06:26 PM by scoutt (Mister Admin to you)
OpenSSL Patch Presents Dilemma for Federal Users

(November 29, 2007)

A flaw in the pseudo random number generator (PRNG) OpenSSL cryptographic module means that "generated random data is far more predictable than it should be." The Open Source Software Institute has released both a patch and a workaround for the flaw. Federal users are faced with a dilemma regarding the fix. Federal agencies are required to use FIPS-certified cryptographic products. The patch has not been certified, so the agencies must choose between running unpatched versions of the software or applying the patch and falling out of compliance. A new version of OpenSSL that does not have the flaw is currently undergoing FIPS testing.

http://www.gcn.com/online/vol1_no1/4...ty&CMP=OTC-RSS

[Editor's Note (Schultz): This kind of dilemma occurs too often in the compliance arena. Compliance is by its very nature a more slow and gradual process. Urgency and patching, on the other hand, go hand-in-hand.

(Northcutt): I will not even ask how a non-random version passed the Government's crypto testing in the first place. This does need to be fixed. Please keep in mind that you may be running OpenSSL and not know it. If I remember right there was a nasty bug a while back and a LOT of commercial products were found to be using OpenSSL. I wrote a paper a while back on TLS and getting FIPS approval. As this story unfolds, I will update it. The paper is located and under that is the OpenSSL advisory:

http://www.sans.edu/resources/securitylab/296.php
http://openssl.org/news/secadv_20071129.txt ]
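Northcutt's point that "you may be running OpenSSL and not know it" is something an administrator can check rather than guess at. The script below is an added example, not part of the original post, the SANS item, or the OpenSSL advisory: it inventories which executables on a Linux host are dynamically linked against libssl or libcrypto, which is the first step in deciding whether a PRNG advisory like this one applies to you. It assumes a glibc-style system where the `ldd` utility is available; the default directory list is an assumption and can be overridden with arguments. Statically linked or bundled copies of OpenSSL (common in commercial products) will not show up in `ldd` output, so this finds the dynamically linked cases only.

```shell
#!/bin/sh
# Added example (not from the original post, SANS, or OpenSSL): inventory
# executables that are dynamically linked against OpenSSL's shared libraries,
# so an advisory against the OpenSSL PRNG can be matched to real hosts.
# Assumes a Linux/glibc host with `ldd`; the scanned directories are assumptions.

# Given the text output of `ldd` for one binary (one line per shared object),
# print the OpenSSL libraries it depends on, one per line, sorted and
# de-duplicated. Empty output means the binary does not link libssl/libcrypto.
openssl_libs_from_ldd() {
    # ldd lines look like:  "libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x7f...)"
    # The first field is the soname; keep only libssl.* and libcrypto.*
    printf '%s\n' "$1" | awk '$1 ~ /^lib(ssl|crypto)\.so/ { print $1 }' | sort -u
}

# Scan the directories given as arguments (default: common binary locations)
# and report every executable that links libssl or libcrypto.
scan_for_openssl() {
    dirs="${*:-/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin}"
    for d in $dirs; do
        [ -d "$d" ] || continue
        find "$d" -type f -perm -u+x 2>/dev/null | while IFS= read -r f; do
            # ldd fails on scripts and static binaries; skip those quietly.
            out=$(ldd "$f" 2>/dev/null) || continue
            libs=$(openssl_libs_from_ldd "$out")
            if [ -n "$libs" ]; then
                printf '%s: %s\n' "$f" "$(printf '%s' "$libs" | tr '\n' ' ')"
            fi
        done
    done
}

# Report the version string of the OpenSSL command-line tool, if installed.
# This is the quickest value to compare against an advisory's affected list,
# but it only describes the system copy, not libraries bundled by other software.
openssl_version() {
    if command -v openssl >/dev/null 2>&1; then
        openssl version
    else
        return 1
    fi
}

# Usage: sh inventory_openssl.sh --scan [dir ...]
if [ "${1:-}" = "--scan" ]; then
    openssl_version || echo "openssl command-line tool not found"
    shift
    scan_for_openssl "$@"
fi
```

The version check and the link-dependency scan answer different questions: the first tells you which OpenSSL the system ships, the second tells you which programs actually load it. For the compliance dilemma in the story, the second list is the one that matters, since it is those programs whose random output is affected until the patched module is certified and deployed.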