CVE-2024-41708: Ada Web Server did not use a cryptographically secure pseudorandom number generator.
AWS.Utils.Random and AWS.Utils.Random_String used Ada.Numerics.Discrete_Random, which is not designed to be cryptographically secure. Random_String also introduced a bias in the generated pseudorandom strings: the characters "1" and "2" appeared with a much higher frequency than any other character.
The internal state of the Mersenne Twister PRNG behind Discrete_Random could be recovered from its output, which could lead to a session hijacking attack.
This update fixes the problem by reading random bytes from /dev/urandom instead of using Discrete_Random.
More details: https://docs.adacore.com/corp/security-advisories/SEC.AWS-0040-v2.pdf
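As an added illustration, not part of this update and not AWS's own code: a Random_String replacement in Ada that reads bytes from /dev/urandom through Ada.Streams.Stream_IO and uses rejection sampling so that no alphabet character is favoured. The page does not say what caused the "1"/"2" bias in the original Random_String, so the rejection step guards against the generic modulo bias of mapping a byte onto a 62-symbol alphabet rather than reproducing AWS's defect. The procedure and function names are hypothetical.

```ada
--  Added example (not AWS code): Random_String replacement that draws its
--  bytes from /dev/urandom and rejects values that would bias the result.
with Ada.Streams;           use Ada.Streams;
with Ada.Streams.Stream_IO;
with Ada.Text_IO;

procedure Urandom_String is

   Alphabet_Size : constant := 62;
   Alphabet      : constant String (1 .. Alphabet_Size) :=
     "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

   --  256 = 4 * 62 + 8, so "byte mod 62" alone would make the first eight
   --  symbols appear 5/256 of the time and the rest only 4/256.  Bytes at
   --  or above Limit (248) are discarded so every symbol is equally likely.
   Limit : constant := 256 - (256 mod Alphabet_Size);

   --  Hypothetical name; fills Size characters from /dev/urandom.
   function Secure_Random_String (Size : Positive) return String is
      use Ada.Streams.Stream_IO;
      File   : File_Type;
      Result : String (1 .. Size);
      Buffer : Stream_Element_Array (1 .. 1);
      Last   : Stream_Element_Offset;
      Index  : Positive := 1;
   begin
      Open (File, In_File, "/dev/urandom");
      while Index <= Size loop
         Read (File, Buffer, Last);
         if Last /= Buffer'Last then
            Close (File);
            raise Program_Error with "short read from /dev/urandom";
         end if;
         --  Accept only bytes below Limit; retry otherwise.
         if Natural (Buffer (1)) < Limit then
            Result (Index) :=
              Alphabet (Alphabet'First + Natural (Buffer (1)) mod Alphabet_Size);
            Index := Index + 1;
         end if;
      end loop;
      Close (File);
      return Result;
   end Secure_Random_String;

begin
   Ada.Text_IO.Put_Line (Secure_Random_String (32));
end Urandom_String;
```

Compile with gnatmake Urandom_String.adb. On a large sample of generated strings every alphabet character should occur with roughly equal frequency, which is the property the original Random_String lacked; /dev/urandom also removes the Mersenne Twister state that could be recovered from Discrete_Random output.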
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2024-d940f25a53
This update has been submitted for testing by rombobeorn.
This update's test gating status has been changed to 'ignored'.
This update has been pushed to testing.
This update has been submitted for stable by bodhi.
This update has been pushed to stable.