Document Erlang R14B02 ssh library vulnerability (cryptographically

weak RNG).

Security:	CVE-2011-0766

1 files changed, 32 insertions, 0 deletions

diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 3f7dee426fb2..77480e1ea985 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -34,6 +34,38 @@ Note:  Please add new entries to the beginning of this file.
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="e4833927-86e5-11e0-a6b4-000a5e1e33c6">
+    <topic>erlang -- ssh library uses a weak random number generator</topic>
+    <affects>
+      <package>
+	<name>erlang</name>
+	<range><lt>r14b03</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>US-CERT reports:</p>
+	<blockquote cite="http://www.kb.cert.org/vuls/id/178990">
+	  <p>The Erlang/OTP ssh library implements a number of
+	  cryptographic operations that depend on cryptographically
+	  strong random numbers. Unfortunately the RNG used by the
+	  library is not cryptographically strong, and is further
+	  weakened by the use of predictable seed material. The RNG
+	  (Wichman-Hill) is not mixed with an entropy source.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2011-0766</cvename>
+      <url>http://www.erlang.org/download/otp_src_R14B03.readme</url>
+      <url>https://github.com/erlang/otp/commit/f228601de45c5b53241b103af6616453c50885a5</url>
+    </references>
+    <dates>
+      <discovery>2011-05-25</discovery>
+      <entry>2011-05-25</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="dc96ac1f-86b1-11e0-9e85-00215af774f0">
     <topic>unbound -- An empty error packet handling assertion failure</topic>
     <affects>