[php-maint] Bug#500087: CVE-2008-4107: The rand and mt_rand functions in PHP produce weak random numbers

Stefan Fritsch sf at sfritsch.de
Wed Sep 24 21:47:31 UTC 2008

Package: php5
Version: 5.2.6-3
Severity: important
Tags: security

>From CVE-2008-4107:
The (1) rand and (2) mt_rand functions in PHP 5.2.6 do not produce
cryptographically strong random numbers, which allows attackers to
leverage exposures in products that rely on these functions for
security-relevant functionality, as demonstrated by the password-reset
functionality in Joomla! 1.5.x and WordPress before 2.6.2, a different
vulnerability than CVE-2008-2107, CVE-2008-2108, and CVE-2008-4102.

The advisory
talks about a new suhosin release that fixes this in php and not in the
applications. Maybe this fix could be backported to lenny once it becomes

More information about the pkg-php-maint mailing list