EGD-0.7 released (important security fix)

Brian Warner warner@lothar.com
3 Apr 2000 07:57:48 -0000


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Howdy all. I've just released version 0.7 ("the Brown Paper Bag" release) of
EGD. The Entropy Gathering Daemon is primarily intended as a source of
randomness for GnuPG, for use on systems which lack a /dev/random device.

Version 0.6, which has been available for about 8 months, had a serious and
embarrassing bug in which the gathered random data (the output from 'vmstat'
and other programs) was not properly fed into the entropy pool. The resulting
data stream would have been hard to predict (it was still influenced by the
timing and quantity of program output), but had far, far less entropy than it
claimed to provide. Many thanks to Brian Carrier for spotting the problem.

Other changes:

	Fix handling of relative socket names. Thanks to Gerard Kok.

	Added lsof to gatherer list. Thanks to Jack Lloyd.

	Added self-tests. 'make test' should be useful now.

	Fix "should we build SHA?" tests, works much better now.

	Send all debug, usage, and diagnostic output to STDERR instead. This
	helps egd run in scripts with GPG better (doesn't interfere with
	pipelines as much).

EGD is available from:

 <ftp://ftp.lothar.com/linux/egd-0.7.tar.gz>
 <ftp://ftp.lothar.com/linux/egd-0.7.tar.gz.asc>  (signature)

For further notes and updates, see <http://www.lothar.com/tech/crypto/> .
Bug reports and patches are always welcome at warner@lothar.com .

Share and Enjoy, and my humblest apologies for that egregious bug..

 -Brian
   warner@lothar.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard <http://www.gnupg.org/>

iD8DBQE46E6gkDmgv9E5zEwRAqcPAKDD0NtuyLmHsHcnLYfFnr4ER+BkXwCg679D
0Wc8fZ3Afhao4AIMqg6mnjM=
=OSPi
-----END PGP SIGNATURE-----
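
Added example, not part of the original message and not EGD's own code: a toy model of the failure class described in the announcement, where a pool is stirred only by the timing and quantity of gatherer output while still crediting entropy, together with the kind of self-test that catches it. ToyPool, content_reaches_pool, timing_reaches_pool and the vmstat-like sample strings are all constructed for illustration.

```python
import hashlib


class ToyPool:
    """Toy SHA-1 entropy pool (constructed model, not EGD's implementation)."""

    def __init__(self, mix_content):
        self.state = b"\x00" * 20
        self.claimed_bits = 0
        self.mix_content = mix_content  # False models the faulty behaviour

    def add(self, data, est_bits, timestamp):
        h = hashlib.sha1(self.state)
        # Both variants are stirred by arrival time and output length.
        h.update(b"%d:%d:" % (timestamp, len(data)))
        if self.mix_content:
            h.update(data)  # the step the faulty variant never performs
        self.state = h.digest()
        self.claimed_bits += est_bits  # entropy is credited either way

    def read(self):
        return hashlib.sha1(b"out" + self.state).digest()


# Constructed gatherer outputs: same length, different content.
SAMPLE_A = b"procs r b  1 0 0 free 81234"
SAMPLE_B = b"procs r b  2 1 0 free 17765"


def content_reaches_pool(make_pool):
    """Self-test: equal timing and length, different bytes, must change the output."""
    assert len(SAMPLE_A) == len(SAMPLE_B)
    a, b = make_pool(), make_pool()
    a.add(SAMPLE_A, 8, timestamp=1000)
    b.add(SAMPLE_B, 8, timestamp=1000)
    return a.read() != b.read()


def timing_reaches_pool(make_pool):
    """Same bytes at different times: both variants pass, which hides the bug."""
    a, b = make_pool(), make_pool()
    a.add(SAMPLE_A, 8, timestamp=1000)
    b.add(SAMPLE_A, 8, timestamp=1001)
    return a.read() != b.read()


if __name__ == "__main__":
    for name, mix in (("correct", True), ("faulty", False)):
        make = lambda mix=mix: ToyPool(mix)
        print(name, content_reaches_pool(make), timing_reaches_pool(make))
```

The faulty variant still produces output that varies from run to run, so eyeballing the stream does not reveal the problem; only a test that holds timing and length fixed and varies the content does.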