Update 1: A few hours after this article was published, OpenBSD founder Theo de Raadt emailed Ars and wrote: "It is way overblown. This will never happen in real code." The vulnerability, cataloged as CVE-2014-2970, already has been patched, with modified code located at lib/libc/crypt : arc4random.c.
Update 2 on August 1, 2014: Contrary to information de Raadt provided Ars, no CVE was assigned to the bug.
The first "preview" release of OpenSSL alternative LibreSSL is out, and already a researcher says he has found a "catastrophic failure" in the version for Linux.