PT-2026-29290

PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl generates random bytes insecurely. PAGI::Middleware::Session::Store::Cookie attempts to read bytes from the /dev/urandom device directly. If that fails for example, on systems without the device, such as Windows, then it...

CVE-2026-3255

HTTP::Session2 versions before 1.12 for Perl for Perl may generate weak session ids using the rand function. The HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epo...

EUVD-2013-4995

Malware in sbrugna...

SUSE-SU-2025:20042-1 Security update for selinux-policy

This update for selinux-policy fixes the following issues: Update to version 20230523+git25.ad22dd7f: Backport wtmpdb label change to have the same wtmpdb label as in SL Micro 6.1 bsc1229132 Add authrwwtmpdbloginrecords to domains using authmanageloginrecords Add authrwwtmpdbloginrecords to modul...

WordPress Traversal Directory Denial of Service

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'WordPress Traversal Directory DoS', 'Description' = %q Cross-site request forgery CSRF vulnerability in the wpajaxupdateplugin function in...

The Linux CSPRNG Is Now Good!

Oceans of ink and hours on stage have been spent to convince the world that the best random number generator is /dev/urandom, the kernel one. And it is, and its always been. However, an uncomfortable truth was that the Linux CSPRNG really could have been better than it was. Userspace CSPRNGs...

CVE-2019-19702

The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection XXE attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as by referencing the /dev/random file within XML...

CVE-2016-6897

Cross-site request forgery CSRF vulnerability in the wpajaxupdateplugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the checkajaxreferer...

DEBIAN-CVE-2016-6897

Cross-site request forgery CSRF vulnerability in the wpajaxupdateplugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the checkajaxreferer...

CVE-2016-6897

Cross-site request forgery CSRF vulnerability in the wpajaxupdateplugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the checkajaxreferer...

Updated gcc packages fix security vulnerability

It was discovered that the std::randomdevice class in libstdc++ would not properly detect short reads and could return predictable values if applications used it to obtain randomness from a blocking source such as /dev/random. CVE-2015-5276...

Scientific Linux Security Update : kernel on SL7.x x86_64 (20150512)

A buffer overflow flaw was found in the way the Linux kernel's Intel AES-NI instructions optimized version of the RFC4106 GCM mode decryption functionality handled fragmented packets. A remote attacker could use this flaw to crash, or potentially escalate their privileges on, a system over a...

/Dev/Random PRNG in Linux Questioned

The sanctity of the dev/random random number generator used in the Linux kernel has been a hot-button issue for more than a month. A petition posted to change.org in September to remove RdRand from dev/random, for example, was met with fury from Linus Torvalds who called the developer who posted ...

Updated perl-Crypt-DSA package fixes security vulnerability

The Crypt::DSA aka Crypt-DSA module 1.17 and earlier for Perl, when /dev/random is absent, uses the Data::Random module, which makes it easier for remote attackers to spoof a signature, or determine the signing key of a signed message, via a brute-force attack CVE-2011-3599. This update removes t...

CVE-2013-5155

The Sandbox subsystem in Apple iOS before 7 allows attackers to cause a denial of service infinite loop via an application that writes crafted values to /dev/random...

Code injection

The Sandbox subsystem in Apple iOS before 7 allows attackers to cause a denial of service infinite loop via an application that writes crafted values to /dev/random...

CVE-2013-5155

CVE-2013-5155 affects Apple iOS prior to 7, specifically the Sandbox subsystem. A malicious or misbehaving app that writes crafted values to /dev/random can trigger an infinite loop, causing a denial of service on the device. Technical detail: the vulnerability arises from how the Sandbox handles...

Fedora 19 : perl-Crypt-DSA-1.17-10.fc19 (2013-15786)

As taught by the '09 Debian PGP disaster relating to DSA, the randomness source is extremely important. On systems without /dev/random, Crypt::DSA falls back to using Data::Random. Data::Random uses rand, about which the perldoc says 'rand is not cryptographically secure. You should not rely on i...

Fedora 18 : perl-Crypt-DSA-1.17-10.fc18 (2013-15755)

As taught by the '09 Debian PGP disaster relating to DSA, the randomness source is extremely important. On systems without /dev/random, Crypt::DSA falls back to using Data::Random. Data::Random uses rand, about which the perldoc says 'rand is not cryptographically secure. You should not rely on i...

Oracle Linux 5 : Important: / kernel (ELSA-2007-0376)

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2007-0376 advisory. 2.6.18-8.1.6.0.1.el5 -Fix bonding primary=ethX so it picks correct network Bert Barbe IT 101532 ORA 5136660 -Add entropy module option to e1000 John...