Added by rbarlow over 5 years ago
CVE-2016-3704: Use stronger seed and DB password. (#2555)
Pulp's pulp-qpid-ssl-cfg script used bash's $RANDOM in unsafe ways:
The default NSS DB password was a single value from $RANDOM, limiting it to the strings from 0 to 32768.
The certutil -z flag receives a "noise file". The script used $RANDOM to populate a file with numbers to generate this file. Since $RANDOM was used in this way, the seed file had low diversity since only 11 possible bytes appeared in the file (ASCII 0-9 and newline).
This commit alters the script to use /dev/urandom as the source for generating the DB password and the seed.
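The two patterns the commit describes, side by side, as an added illustration that is not Pulp's pulp-qpid-ssl-cfg script or any code from this commit: the $RANDOM-based password and noise file with the diversity problem, and a /dev/urandom replacement. Function names, the 32-byte password length, the 4096-byte noise size and the base64 encoding are my own assumptions; certutil itself is not invoked.

```shell
#!/bin/bash
# Added illustration, not Pulp's script: weak $RANDOM generation beside a
# /dev/urandom replacement. Names and sizes below are assumptions.

# WEAK: the password is a single $RANDOM value, i.e. a decimal integer
# in the range 0..32767 (about 15 bits of search space).
weak_db_password() {
    echo "$RANDOM"
}

# WEAK: a "noise file" built from $RANDOM values. Whatever its length,
# the only byte values that ever appear are ASCII '0'..'9' and newline.
weak_noise_file() {
    local out="$1" i
    : > "$out"
    for i in $(seq 1 1000); do
        echo "$RANDOM" >> "$out"
    done
}

# FIXED: 32 bytes from /dev/urandom, base64-encoded so the result is
# printable and can be written to a password file (assumed format).
strong_db_password() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# FIXED: raw /dev/urandom bytes as the noise file handed to certutil -z.
# 4096 bytes is an assumed size; the point is the full 0..255 byte range.
strong_noise_file() {
    head -c 4096 /dev/urandom > "$1"
}

# Crude diversity check: number of distinct byte values in a file.
# od prints each byte as an unsigned decimal; sort -un keeps unique values.
distinct_bytes() {
    od -An -v -tu1 "$1" | tr -s ' ' '\n' | grep -v '^$' | sort -un | wc -l | tr -d ' '
}
```

Running distinct_bytes over the two noise files shows the gap the commit message points at: the $RANDOM file never exceeds 11 distinct byte values, while the urandom file covers essentially all 256. Note also that $RANDOM is a bash feature; under a plain POSIX sh it expands to nothing, which is one more reason not to build secrets on it.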