sfmt-erlang security notice 8-JAN-2020: regarding the Ambionics Security's PHP mt_seed() vulnerability
Wed Jan 8 05:03:53 CET 2020
The following is the security notice of sfmt-erlang, a random number module
for Erlang based on SFMT, regarding the recently revealed attack against
the PHP mt_seed() vulnerability.
I've already updated hex.pm/sfmt with a new package including the following
-- Kenji Rikitake
## Security notice regarding the PHP mt_seed() vulnerability
Ambionics Security published [an internal state retrieval algorithm of PHP
6-JAN-2020. sfmt-erlang uses the same seed-to-internal-state initialization
algorithm at the function `init_gen_rand/1`.
To reduce the possibility of the internal state being revealed, use
`init_by_list32/1` instead, better combined with `rand:uniform/1`. [Raimo
Niskanen published a piece of code for this purpose](
*Note well that sfmt-erlang has no cryptographic security guarantee and
MUST NOT be used for security purposes such as password generation.*
Also: the Erlang and C code files of versions 0.13.0 and 0.13.1 are identical.
Users have no need to upgrade.
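
Why a single-integer seed is the weak point, as an added Python illustration (not part of the original notice and not sfmt-erlang code): it implements the standard Mersenne Twister seed-to-state recurrence that the notice says `init_gen_rand/1` shares, and shows that every state word is an invertible function of the 32-bit seed. The 624-word state size and all function names are assumptions made for the sketch, and SFMT's later period-certification step is omitted.

```python
# Added illustration: the well-known MT-family integer-seed recurrence
#   s[0] = seed
#   s[i] = 1812433253 * (s[i-1] ^ (s[i-1] >> 30)) + i   (mod 2**32)
# Function names and the 624-word size are assumptions for this sketch.

MASK32 = 0xFFFFFFFF
MULT = 1812433253
# MULT is odd, so it has a multiplicative inverse modulo 2**32.
MULT_INV = pow(MULT, -1, 1 << 32)


def init_state(seed, n_words=624):
    """Expand one 32-bit integer seed into n_words 32-bit state words."""
    state = [seed & MASK32]
    for i in range(1, n_words):
        prev = state[-1]
        state.append((MULT * (prev ^ (prev >> 30)) + i) & MASK32)
    return state


def undo_step(word, i):
    """Return s[i-1] given s[i]: every step of the recurrence is a bijection."""
    y = ((word - i) * MULT_INV) & MASK32  # y = prev ^ (prev >> 30)
    # The top 30 bits of y equal those of prev, so y >> 30 == prev >> 30.
    return y ^ (y >> 30)


def seed_from_word(word, i):
    """Walk the recurrence backwards from s[i] to s[0], which is the seed."""
    for k in range(i, 0, -1):
        word = undo_step(word, k)
    return word


def state_entropy_bits(n_seed_words):
    """Upper bound on initial-state entropy for a seed of n 32-bit words."""
    return 32 * n_seed_words


if __name__ == "__main__":
    seed = 0x12345678  # constructed sample seed
    state = init_state(seed)
    # Any single word of the initial state pins down the whole seed.
    print(hex(seed_from_word(state[623], 623)))
    # Integer seeding: at most 32 bits, however large the state is.
    print(state_entropy_bits(1), "bits vs", state_entropy_bits(624), "bits")
```

Seeding from a list of independent 32-bit words, as the notice recommends with `init_by_list32/1`, raises the upper bound on initial-state entropy from 32 bits to 32 bits per list element; it does not make the generator suitable for security purposes.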