Hi Anton, all

Well, even if there are some systems affected, I must say that if someone has removed urandom the behavior described is expected. I mean, /dev/urandom is there for a reason. And yes, there are better functions than rand(), but I can hardly see this as a vulnerability. Or well, it is, but it is the kind of vulnerability when you remove the device that provides randomness in the system.

I would have marked them as "minor issue".

Cheers

// Ola

On Fri, 23 Jun 2023 at 06:49, Anton Gladky <gl...@debian.org> wrote:
>
> Hi,
>
> two CVEs might be irrelevant for Debian systems. Can they be
> tagged as "unaffected"? Or do we have some systems where
> /dev/urandom does not exist?
>
> Thanks
>
> Anton
>

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------