Attn: Debian/ubuntu Openssl Update



Oops:

Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.

[...]

It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.

The first vulnerable version, 0.9.8c-1, was uploaded to the unstable distribution on 2006-09-17, and has since propagated to the testing and current stable (etch) distributions. The old stable distribution (sarge) is not affected.

Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though.

A detector for known weak key material will be published at:

<http://security.debian.org/project/extra/dowkd/dowkd.pl.gz>
<http://security.debian.org/project/extra/d...dowkd.pl.gz.asc>
(OpenPGP signature)

Emphasis added. Debian and Ubuntu have pushed updated packages.

OpenSSH host keys can be regenerated like so:

    # ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
    # ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa

I guess; I gather the Ubuntu package takes care of this. Remember to kill any compromised keys in your ~/.ssh/. No idea what, if anything, needs to be done for the other affected packages.

Edited by jcl
2 weeks later...
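The advisory's detector (dowkd.pl) does one job: compute the fingerprint of every key it finds and compare it against a list of fingerprints known to come from the broken generator. The following is an added example, not code from this thread, from Debian or from dowkd.pl, that models that audit in Python over authorized_keys and known_hosts style lines. The key blobs and the blocklist are constructed for the demo (they are not real keys and not the real Debian blocklist); the real list has to come from the dowkd package. The classifier also applies the advisory's second rule: an ssh-dss key used on an affected system is flagged for replacement even if its fingerprint is not on the blocklist, because DSA signatures made with a predictable per-signature value leak the private key.

```python
import base64
import hashlib
import shlex

# Key type prefixes recognised in authorized_keys / known_hosts lines.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")


def fingerprints(blob_b64):
    """Return (md5_colon_hex, sha256_base64) for a base64-encoded public key blob.

    The MD5 colon form is what 2008-era tools such as dowkd.pl and ssh-keygen -l
    reported; the SHA256 form is what modern OpenSSH prints.
    """
    raw = base64.b64decode(blob_b64, validate=True)
    md5_hex = hashlib.md5(raw).hexdigest()
    md5_colon = ":".join(md5_hex[i:i + 2] for i in range(0, len(md5_hex), 2))
    sha = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return md5_colon, "SHA256:" + sha


def parse_key_line(line):
    """Parse one authorized_keys or known_hosts line into (keytype, blob, comment).

    Tokens before the key type (authorized_keys options such as command="...",
    or known_hosts host names) are skipped. Blank and comment lines give None.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    try:
        tokens = shlex.split(stripped)  # keeps quoted option values together
    except ValueError:
        return None
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None


def classify(keytype, md5_fp, blocklist):
    """WEAK: fingerprint is on the blocklist. DSA-REVIEW: DSA key, compromised if
    ever used on an affected host (advisory rule). OK: nothing known against it."""
    if md5_fp in blocklist:
        return "WEAK"
    if keytype == "ssh-dss":
        return "DSA-REVIEW"
    return "OK"


def audit(text, blocklist):
    """Return (lineno, status, keytype, md5_fingerprint, comment) per key line."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_key_line(line)
        if parsed is None:
            continue
        keytype, blob, comment = parsed
        try:
            md5_fp, _sha_fp = fingerprints(blob)
        except ValueError:  # binascii.Error is a ValueError subclass
            results.append((lineno, "UNPARSEABLE", keytype, "", comment))
            continue
        results.append((lineno, classify(keytype, md5_fp, blocklist), keytype, md5_fp, comment))
    return results


def constructed_blob(label):
    """Constructed stand-in for a key blob; valid base64 but not a real SSH key."""
    return base64.b64encode(b"constructed-demo-key:" + label.encode()).decode()


# Constructed blocklist: in practice this comes from the published detector data.
WEAK_BLOB = constructed_blob("weak-rsa")
WEAK_BLOCKLIST = {fingerprints(WEAK_BLOB)[0]}

# Constructed sample file mixing authorized_keys and known_hosts style lines.
SAMPLE_FILE = "\n".join([
    "# constructed sample, not a real authorized_keys file",
    f"ssh-rsa {constructed_blob('alice')} alice@laptop",
    f'command="/usr/bin/backup",no-pty ssh-rsa {WEAK_BLOB} backup@oldhost',
    f"ssh-dss {constructed_blob('bob')} bob@desktop",
    "",
    f"ssh-ed25519 {constructed_blob('carol')} carol@workstation",
    f"server.example.org,192.0.2.10 ssh-rsa {constructed_blob('hostkey')}",
])

if __name__ == "__main__":
    for lineno, status, keytype, md5_fp, comment in audit(SAMPLE_FILE, WEAK_BLOCKLIST):
        print(f"line {lineno:>3} {status:<11} {keytype:<12} {md5_fp} {comment}")
```

Run it against a real file with `audit(open(path).read(), blocklist)`; anything reported WEAK should be removed from authorized_keys (or the host key regenerated as shown above), and DSA-REVIEW entries need the same treatment if the key was ever used from an affected Debian or Ubuntu machine, since the blocklist cannot tell you where a key was used, only where it was generated.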
http://xkcd.com/424/

Sometimes the XKCD guys hit the nail on the head.

LMAO........classic stuff, iccaros! :thumbsup:

I've blown out one of my Debian boxes since this fiasco and gone back to Slackware (I've got two Slackware 12.1 boxes now). My wife has a Debian box......I'm working on her:-)
