Insecure Random #3
Comments
mark
Since GitHub has kept giving alerts on the insufficient randomness in this project, I suggest that we replace all the usage of
Any release since this change?
Please merge this pull request and push a new release.
Is it possible to publish a new version to mvnrepository? https://mvnrepository.com/artifact/com.github.penggle/kaptcha The version here on GitHub has the fix for CVE-2018-18531, but the version number in the build files is still 2.3.2, which was published in 2015. Can we build and publish the current source with a patch version (2.3.3?)
It's out of maintenance. Is it possible to change the owner to maintain this project?
kaptcha/src/main/java/com/google/code/kaptcha/text/impl/DefaultTextCreator.java (line 21 in f998397)
kaptcha/src/main/java/com/google/code/kaptcha/text/impl/ChineseTextProducer.java (line 22 in f998397)
kaptcha/src/main/java/com/google/code/kaptcha/text/impl/FiveLetterFirstNameTextCreator.java (line 1059 in f998397)
I think it should use a secure random algorithm (“SecureRandom”) to generate the verify code.
An attacker will simply compute the seed from the output values observed. This takes significantly less time than 2^48 in the case of java.util.Random.
It is shown that you can predict future Random outputs by observing only two(!) output values, in time roughly 2^16.
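As an added illustration of the fix the thread proposes (example code, not kaptcha's own): a text creator in the shape of DefaultTextCreator, with the java.util.Random pattern the issue flags beside a java.security.SecureRandom version. The alphabet and the seed are constructed sample values, and the class name is hypothetical.

```java
import java.security.SecureRandom;
import java.util.Random;

// Added example (not kaptcha's own code): a captcha text creator in the shape of
// kaptcha's DefaultTextCreator, once with java.util.Random (the pattern the issue
// flags) and once with java.security.SecureRandom (the fix the thread suggests).
public class CaptchaTextExample {
    // Constructed sample alphabet; kaptcha's real one comes from its config.
    private static final char[] ALPHABET = "abcde2345678gfynmnpwx".toCharArray();
    private static final int LENGTH = 5;

    // Weak: java.util.Random is a 48-bit linear congruential generator. Anyone who
    // recovers its internal state from observed codes can reproduce every later code.
    static String weakText(Random rng) {
        StringBuilder sb = new StringBuilder(LENGTH);
        for (int i = 0; i < LENGTH; i++) {
            sb.append(ALPHABET[rng.nextInt(ALPHABET.length)]);
        }
        return sb.toString();
    }

    // Fixed: one long-lived SecureRandom per producer (thread-safe; do not create a
    // new instance per request). Its output is not predictable from earlier codes.
    private static final SecureRandom SECURE = new SecureRandom();

    static String secureText() {
        StringBuilder sb = new StringBuilder(LENGTH);
        for (int i = 0; i < LENGTH; i++) {
            sb.append(ALPHABET[SECURE.nextInt(ALPHABET.length)]);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Two java.util.Random instances started from the same state emit the same
        // sequence of codes: the generator state, not the alphabet, is the secret.
        Random a = new Random(42L);   // constructed seed
        Random b = new Random(42L);
        for (int i = 0; i < 3; i++) {
            String x = weakText(a);
            String y = weakText(b);
            System.out.println(x + " == " + y + " -> " + x.equals(y));   // always true
        }
        System.out.println("SecureRandom: " + secureText() + ", " + secureText());
    }
}
```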