From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 5EAF893E for ; Tue, 10 Apr 2018 00:42:28 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-wr0-f179.google.com (mail-wr0-f179.google.com [209.85.128.179]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 6153E284 for ; Tue, 10 Apr 2018 00:42:27 +0000 (UTC) Received: by mail-wr0-f179.google.com with SMTP id 80so11248328wrb.2 for ; Mon, 09 Apr 2018 17:42:27 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:content-transfer-encoding:mime-version :subject:date:references:to:in-reply-to:message-id; bh=PuHcLqI1Bv0mnYFciMDqrkrDwqvl+UiZmZHjFD5Y0oU=; b=Sa6AjcegLUBMOGZMf7fhrG6Fm/ySWOUC1ioUa2wExkudTCp6/7g3DLntjEOdHcp6CW YMdwlM1bdqX4QAkVlGayECJo6G+N2B734VB3b/X2FJ7EY9b1O1wrwPoxvtORohPEsWY8 L7EG5liLVoDR/E8lk+5YARSSb8XyN8NuDK+h8HN405BuFpNJ6blGAORzQHxkTbevnVIf 5sz+dG/CGwFOxjvfy4264DeZIUbJpC4gO3wAS31p2MkzJKIrWmlBi21ifICmuPWLyoG4 KdCv8jaYGTkFYAmJYOoYS7x06zSSSeKUN16mVxRmxB8347qVrluKwuYaQCQIjb1hxZZE pMeA== X-Gm-Message-State: ALQs6tBi61SNCUtt0ymWdgVFNacUt3S/2IyUExgAgy8QMfdiTMdBqSPm GtfG+Y8WfNCCEdoWhwZMltkyfxcP X-Google-Smtp-Source: AIpwx48nXNsvvpcRFrZ8w6lEXn17pRs3fVFh92ugSrak4YE1igpjh6DkrEnRa5dCboilzCrp43jTmw== X-Received: by 10.223.169.215 with SMTP id b81mr1041737wrd.48.1523320945720; Mon, 09 Apr 2018 17:42:25 -0700 (PDT) Received: from [192.168.2.215] (cpc97578-walt24-2-0-cust101.13-2.cable.virginm.net. [82.1.27.102]) by smtp.gmail.com with ESMTPSA id 39sm2752418wry.89.2018.04.09.17.42.24 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 09 Apr 2018 17:42:25 -0700 (PDT) From: Jason Davies Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\)) Date: Tue, 10 Apr 2018 01:42:32 +0100 References: <84976adb75bef1dfdb12b98c19811278@national.shitposting.agency> <921edfdb-e0e5-8ce4-55d8-ba4e84ef633f@musalbas.com> To: bitcoin-dev@lists.linuxfoundation.org In-Reply-To: <921edfdb-e0e5-8ce4-55d8-ba4e84ef633f@musalbas.com> Message-Id: X-Mailer: Apple Mail (2.3445.6.18) X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Tue, 10 Apr 2018 00:58:37 +0000 Subject: Re: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected. X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Apr 2018 00:42:28 -0000 These issues all stem from the RC4-based RNG implementation (with = insecure fallback entropy) in Tom Wu's jsbn library, published here: http://www-cs-students.stanford.edu/~tjw/jsbn/ Please refer to Tom Wu's URL, or this more up-to-date fork of Tom Wu's = code (published to NPM): https://github.com/andyperlitch/jsbn -- my = repository on GitHub was only ever intended to be a straight mirror of Tom Wu's code = (created over 7 years ago!). I'll probably delete my mirror repository given = that there are now better JavaScript bignum alternatives, and in light of this = report. Jason > On 9 Apr 2018, at 22:11, mus@musalbas.com wrote: >=20 > Here's the code in question: = https://github.com/jasondavies/jsbn/pull/7 >=20 > Best, >=20 > Mustafa -- Jason Davies, http://www.jasondavies.com/