Candidate: CVE-2011-0766
PublicDate: 2011-05-31 20:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0766
 http://www.kb.cert.org/vuls/id/178990
Description:
 The random number generator in the Crypto application before 2.0.2.2, and
 SSH before 2.0.5, as used in the Erlang/OTP ssh library before R14B03, uses
 predictable seeds based on the current time, which makes it easier for
 remote attackers to guess DSA host and SSH session keys.
Ubuntu-Description:
Notes:
 jdstrand> Debian squeeze has fix in 1:14.a-dfsg-3squeeze1
 mdeslaur> erlang-ssh in in universe in lucid and natty. Patch only
 mdeslaur> adds new functions to crypto library, doesn't change existing
 mdeslaur> ones, so downgrading priority.
 mdeslaur> Backport is difficult due to appup changes.
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628456
Priority: low
Discovered-by: Geoff Cant
Assigned-to:
CVSS: 

Patches_erlang:
 other: https://github.com/erlang/otp/commit/f228601de45c5b53241b103af6616453c50885a5
upstream_erlang: released (1:14.b.3-dfsg-2, 1:15.b.1-dfsg-3)
hardy_erlang: ignored (reached end-of-life)
lucid_erlang: ignored (reached end-of-life)
maverick_erlang: ignored (reached end-of-life)
natty_erlang: ignored (reached end-of-life)
oneiric_erlang: ignored (reached end-of-life)
precise_erlang: not-affected (1:14.b.4-dfsg-1ubuntu1)
quantal_erlang: not-affected (1:15.b.1-dfsg-3ubuntu2)
raring_erlang: not-affected (1:15.b.1-dfsg-3ubuntu2)
devel_erlang: not-affected (1:15.b.1-dfsg-3ubuntu2)