LINUX.IE, website of the Irish Linux Users' Group
Tux rules!

   
Home
New Users
Articles
Download
Projects
Community
Vendors

  Print Version
Email to...
 
Archives:


planetILUG

Recent News

News Archive


Join the
ILUG
on FaceBook


Join the
ILUG
on LinkedIn


Join the
ILUG SETI
Group



















 
 :: Mailing Lists

[ILUG] serious openssl/openssh hole found

[ILUG] serious openssl/openssh hole found

Luke Ashe-Browne xactly at gmail.com
Wed May 14 11:18:22 IST 2008 

I have an ssl cert on my web server i've been running for over a year
and a half (dapper drake) and this should remain unaffected?
libssl 0.9.8a, I won't have to patch and regenerate?

Justin Mason wrote:
> http://lists.debian.org/debian-security-announce/2008/msg00152.html
>
>   'Luciano Bello discovered that the random number generator in Debian's
>   openssl package is predictable.  This is caused by an incorrect
>   Debian-specific change to the openssl package (CVE-2008-0166).  As a
>   result, cryptographic key material may be guessable.
>
>   It is strongly recommended that all cryptographic key material which has
>   been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
>   systems (ie. since 2006!) is recreated from scratch.  Furthermore, all
>   DSA keys ever used on affected Debian systems for signing or
>   authentication purposes should be considered compromised; the Digital
>   Signature Algorithm relies on a secret random value used during
>   signature generation.'
>
>
> http://www.ubuntu.com/usn/usn-612-1 :
>
>   == Who is affected ==
>
>   Systems which are running any of the following releases:
>   * Ubuntu 7.04 (Feisty)
>   * Ubuntu 7.10 (Gutsy)
>   * Ubuntu 8.04 LTS (Hardy) 
>   * Ubuntu "Intrepid Ibex" (development): libssl <= 0.9.8g-8
>   * Debian 4.0 (etch) (see corresponding Debian security advisory)
>
>   and have openssh-server installed or have been used to create an OpenSSH
>   key or X.509 (SSL) certificate. All OpenSSH and X.509 keys generated on
>   such systems must be considered untrustworthy, regardless of the system on
>   which they are used, even after the update has been applied. This includes
>   the automatically generated host keys used by OpenSSH, which are the basis
>   for its server spoofing and man-in-the-middle protection.
>
>
> caused by this incorrect "fix" from the debian maintainers in their own
> package: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516
>
> One wonders why that fix never made it upstream.
>
> bad news....
>
> --j.
>

More information about the ILUG mailing list
Read this without the formatting.
                                                                                                    

  

Hosted by HEAnet


 Maintained by the ILUG website team. The aim of Linux.ie is to support and help commercial and private users of Linux in Ireland. You can display ILUG news in your own webpages, read backend information to find out how. Networking services kindly provided by HEAnet, server kindly donated by Dell. Linux is a trademark of Linus Torvalds, used with permission. No penguins were harmed in the production or maintenance of this highly praised website. Looking for the Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
RSS Version
Powered by Dell