On 01/03/2014 03:28 AM, Jitse Klomp wrote: > 2014/1/3 David Benfell <benfell at parts-unknown.org> > >> I was unable to find an associated vulnerability in Linux. I trust the >> OpenSSL folks would be on top of this faster than you can blink an eye >> if it were a current issue. They have not, from what I've seen, >> reacted to the revelations. >> > > Interesting read on the openssl-announce list: > http://www.mail-archive.com/openssl-announce@openssl.org/msg00127.html > Turns out the openssl implementation of Dual_EC_DRBG was broken anyway... i was just blew away by this: "What almost all commentators have missed is that hidden away in the small print (and subsequently confirmed by our specific query) is that if you want to be FIPS 140-2 compliant you MUST use the compromised points." i even don't have words to comment on this!!! Adrian