FreeBSD-Current Random Number Generator Broken

First time accepted submitter bobo the hobo writesThe FreeBSD random number has been discovered to be generating possibly predictable SSH keys and SSL certificates for months. Time to regenerate your keys and certs if using FreeBSD-Current. A message to the freebsd-current mailing list reads in part: "If you are running a current kernel r273872 or later, please upgrade your kernel to r278907 or later immediately and regenerate keys. I discovered an issue where the new framework code was not calling randomdev_init_reader, which means that read_random(9) was not returning good random data. read_random(9) is used by arc4random(9) which is the primary method that arc4random(3) is seeded from."

Re:But FreeBSD is perfect!

I've heard the same things said. However, and I don't say this in jest, that while no security in any OS is perfect, OpenBSD comes the closest due to their audits. Hence, out of the BSDs I do use and endorse, it's OpenBSD.

Some dislike Theo, but he's intensely good at running a tight ship, and since 1999 when I first started using OpenBSD for security-based boxes, I've never had an issue.

Re:Cui bono?

[MrBingoBoingo]

This. So much this. When these regressions happen there are people behind them. The great value of a Linus or a Theo is shaming this people out the door. At least this was caught in -Current and not -Stable. This incident appears to be at least as much a social engineering attack as a code quality issue.