CVE-2008-4107

Priority
Description
The (1) rand and (2) mt_rand functions in PHP 5.2.6 do not produce
cryptographically strong random numbers, which allows attackers to leverage
exposures in products that rely on these functions for security-relevant
functionality, as demonstrated by the password-reset functionality in
Joomla! 1.5.x and WordPress before 2.6.2, a different vulnerability than
CVE-2008-2107, CVE-2008-2108, and CVE-2008-4102.
Notes
mdeslaur: as of 2009-04-10, unfixed in Debian with the following comment:
the rand() and mt_rand() functions were never said to be cryptographically strong
AFAICT, unfixed upstream also
more information here: http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/
Let's ignore this also.
Package
Source: php5 (LP Ubuntu Debian)
Upstream: needs-triage
More Information

Updated: 2019-10-09 08:05:55 UTC (commit 33aea848a182c0afcd0a3f927a01a7ecd9a061ee)