From 05f2bc30e08213c777ef63a6220fe0002e53b0e0 Mon Sep 17 00:00:00 2001
From: delphij <delphij@FreeBSD.org>
Date: Sat, 19 Oct 2013 08:27:56 +0000
Subject: Document pycrypto PRNG reseed race condition.

---
 security/vuxml/vuln.xml | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

(limited to 'security')

diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 67e42fbbf88f..5eac599ba274 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -51,6 +51,41 @@ Note:  Please add new entries to the beginning of this file.
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="c0f122e2-3897-11e3-a084-3c970e169bc2">
+    <topic>pycrypto -- PRNG reseed race condition</topic>
+    <affects>
+      <package>
+	<name>py26-pycrypto</name>
+	<name>py27-pycrypto</name>
+	<name>py31-pycrypto</name>
+	<name>py32-pycrypto</name>
+	<name>py33-pycrypto</name>
+	<range><lt>2.6.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Dwayne Litzenberger reports:</p>
+	<blockquote cite="http://lists.dlitz.net/pipermail/pycrypto/2013q4/000702.html">
+	  <p>In PyCrypto before v2.6.1, the Crypto.Random pseudo-random
+	    number generator (PRNG) exhibits a race condition that may cause
+	    it to generate the same 'random' output in multiple processes that
+	    are forked from each other.  Depending on the application, this
+	    could reveal sensitive information or cryptographic keys to remote
+	    attackers.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2013-1445</cvename>
+      <url>http://lists.dlitz.net/pipermail/pycrypto/2013q4/000702.html</url>
+    </references>
+    <dates>
+      <discovery>2013-10-17</discovery>
+      <entry>2013-10-19</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="043d3a78-f245-4938-9bc7-3d0d35dd94bf">
     <topic>wordpress -- multiple vulnerabilities</topic>
     <affects>
-- 
cgit