On 01/03/2014 03:28 AM, Jitse Klomp wrote:
2014/1/3 David Benfell benfell@parts-unknown.org
I was unable to find an associated vulnerability in Linux. I trust the OpenSSL folks would be on top of this faster than you can blink an eye if it were a current issue. They have not, from what I've seen, reacted to the revelations.
Interesting read on the openssl-announce list: http://www.mail-archive.com/openssl-announce@openssl.org/msg00127.html Turns out the openssl implementation of Dual_EC_DRBG was broken anyway...
i was just blew away by this: "What almost all commentators have missed is that hidden away in the small print (and subsequently confirmed by our specific query) is that if you want to be FIPS 140-2 compliant you MUST use the compromised points."
i even don't have words to comment on this!!!
Adrian