You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2013/03/25 23:01:46 UTC
[Bug 54752] New: mod_ssl should not use uninitialized memory as
random seed
https://issues.apache.org/bugzilla/show_bug.cgi?id=54752
Bug ID: 54752
Summary: mod_ssl should not use uninitialized memory as random
seed
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: sf@sfritsch.de
Classification: Unclassified
mod_ssl's 'builtin' random seed uses uninitalized stack memory as random seed.
This is undefined behavior in C and can cause other seemingly unrelated code to
be optimized away. See
http://kqueue.org/blog/2012/06/25/more-randomness-or-less/ for an example.
Also the docs are wrong in that it claims that the scoreboard memory is used as
seed, which is not the case.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 54752] mod_ssl should not use uninitialized memory as random
seed
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54752
--- Comment #1 from Takashi Sato <ta...@lans-tv.com> ---
+1
I think today httpd should use apr random functions and should not have own
random functionality.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org