stable

aws-2020-12.1.fc39

FEDORA-2024-d940f25a53 created by rombobeorn 2 weeks ago for Fedora 39

CVE-2024-41708: Ada Web Server did not use a cryptographically secure pseudorandom number generator.

AWS.Utils.Random and AWS.Utils.Random_String used Ada.Numerics.Discrete_Random, which is not designed to be cryptographically secure. Random_String also introduced a bias in the generated pseudorandom string values, where the values "1" and "2" had a much higher frequency than any other character.

The internal state of the Mersenne Twister PRNG could be revealed, which could lead to a session hijacking attack.

This update fixes the problem by using /dev/urandom instead of Discrete_Random.

More details: https://docs.adacore.com/corp/security-advisories/SEC.AWS-0040-v2.pdf
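As an added illustration (not code from Ada Web Server or from the advisory), the Python sketch below builds a token string from `os.urandom`, which on Linux draws from the same kernel CSPRNG that backs /dev/urandom, and uses rejection sampling so that no character is favoured. The 62-character alphabet and the `byte % n` mapping are assumptions chosen to show one common way a bias can arise; the page does not describe how the "1" and "2" bias in Random_String came about.

```python
import os
from collections import Counter

# Constructed 62-character alphabet (an assumption for this example,
# not taken from the AWS sources).
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def naive_index_counts(n_symbols=len(ALPHABET)):
    """Count how many of the 256 byte values land on each index under byte % n.

    Unequal counts mean some characters are more likely than others.
    """
    return Counter(b % n_symbols for b in range(256))


def accepted_index_counts(n_symbols=len(ALPHABET)):
    """Same count, but only over the byte values that rejection sampling keeps."""
    limit = 256 - (256 % n_symbols)
    return Counter(b % n_symbols for b in range(limit))


def secure_random_string(length, alphabet=ALPHABET, source=os.urandom):
    """Return `length` characters drawn uniformly from `alphabet`.

    `source` is any callable returning k random bytes; it defaults to the
    OS CSPRNG. Bytes at or above the largest multiple of len(alphabet) are
    discarded, so every character is backed by the same number of byte values.
    """
    n = len(alphabet)
    if not 1 <= n <= 256:
        raise ValueError("alphabet must have between 1 and 256 symbols")
    limit = 256 - (256 % n)  # 248 when n == 62
    out = []
    while len(out) < length:
        # Ask for a few spare bytes so rejections rarely force another read.
        for b in source(length - len(out) + 8):
            if b < limit and len(out) < length:
                out.append(alphabet[b % n])
    return "".join(out)


if __name__ == "__main__":
    print("naive byte % 62 weights:", sorted(set(naive_index_counts().values())))
    print("after rejection:        ", sorted(set(accepted_index_counts().values())))
    print("sample token:", secure_random_string(32))
```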

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2024-d940f25a53

This update has been submitted for testing by rombobeorn.

2 weeks ago

This update's test gating status has been changed to 'ignored'.

2 weeks ago

This update has been pushed to testing.

2 weeks ago

This update has been submitted for stable by bodhi.

a week ago

This update has been pushed to stable.

a week ago

Metadata
Type: security
Severity: high
Karma: 0
Signed
Content Type: RPM
Test Gating

Settings
Unstable by Karma: -3
Stable by Karma: 1
Stable by Time: 7 days

Dates
submitted: 2 weeks ago
in testing: 2 weeks ago
in stable: a week ago
approved: a week ago

BZ#2314766 CVE-2024-41708 aws: Random Number Generator of Ada is not cryptographically secure [fedora-all]