jcl, posted May 14, 2008 (edited May 14, 2008 by jcl)

Oops:

> Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.
>
> [...]
>
> It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.
>
> The first vulnerable version, 0.9.8c-1, was uploaded to the unstable distribution on 2006-09-17, and has since propagated to the testing and current stable (etch) distributions. The old stable distribution (sarge) is not affected.
>
> Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though.
>
> A detector for known weak key material will be published at:
> <http://security.debian.org/project/extra/dowkd/dowkd.pl.gz>
> <http://security.debian.org/project/extra/d...dowkd.pl.gz.asc> (OpenPGP signature)

Emphasis added. Debian and Ubuntu have pushed updated packages. OpenSSH host keys can be regenerated like so:

    # ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
    # ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa

I guess; I gather the Ubuntu package takes care of this. Remember to kill any compromised keys in your ~/.ssh/. No idea what, if anything, needs to be done for the other affected packages.
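The advisory quoted in the post above makes two separate claims that are easy to conflate: key material generated by the broken PRNG is guessable, and DSA keys merely used (not generated) on an affected box are compromised because the per-signature secret value was predictable. The following is an added toy model written for this thread; it is not Debian's code, not dowkd.pl, and not OpenSSL's actual PRNG or RSA/DSA. It assumes a hash-based stand-in PRNG whose only input is the process ID (the real bug left the PID as the sole remaining seed material, so roughly 32k outputs per architecture and key size), the toy DSA parameters P=47, Q=23, G=4 chosen so the arithmetic is visible, and a constructed `toy-key <hex> comment` line format for the authorized_keys scan. All PIDs, keys and file lines in it are constructed.

```python
"""Toy model of the CVE-2008-0166 failure mode (added example: not Debian's
code, not dowkd.pl, not OpenSSL's real PRNG). The broken PRNG's only remaining
seed input was the process ID, so each key-generation run on one architecture
and key size lands in one of roughly 32k outputs. A hash-based stand-in PRNG
models that; DSA uses deliberately tiny toy parameters."""
import hashlib

PID_MAX = 32768  # Linux default pid_max: the only "entropy" the broken PRNG had


def weak_prng(pid: int, counter: int = 0) -> bytes:
    """Stand-in for the broken PRNG: a pure function of the PID (toy)."""
    return hashlib.sha256(b"toy-weak-prng|%d|%d" % (pid, counter)).digest()


# Part 1: key material generated from the weak PRNG is enumerable.
def toy_keypair(pid: int):
    """Toy one-way keypair: the public half is a hash of the private half."""
    priv = weak_prng(pid)
    return priv, hashlib.sha256(b"pub|" + priv).digest()


def build_weak_key_table():
    """Attacker precomputation: every public key the weak PRNG can ever emit."""
    table = {}
    for pid in range(1, PID_MAX):
        priv, pub = toy_keypair(pid)
        table[pub] = priv
    return table


def recover_private_key(pub: bytes, table):
    """Once the table exists, private-key recovery is a dictionary lookup."""
    return table.get(pub)


# Part 2: a DSA key generated on a *good* machine is still lost if even one
# signature used a nonce k from the weak PRNG. Toy parameters (assumed):
P, Q, G = 47, 23, 4  # Q divides P-1; G = 2^((P-1)/Q) mod P has order Q


def weak_nonce(pid: int, counter: int) -> int:
    """Per-signature secret k in [1, Q-1], drawn from the weak PRNG."""
    return int.from_bytes(weak_prng(pid, counter), "big") % (Q - 1) + 1


def dsa_sign(x: int, h: int, pid: int):
    """DSA signing whose k comes from the weak PRNG (the vulnerable step)."""
    for counter in range(64):  # retry on r == 0 or s == 0, as real DSA does
        k = weak_nonce(pid, counter)
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (h + x * r) % Q
        if r and s:
            return r, s
    raise RuntimeError("no usable nonce")


def dsa_verify(y: int, h: int, sig) -> bool:
    """Standard DSA verification: v = (G^(h*w) * y^(r*w) mod P) mod Q == r."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    return (pow(G, h * w % Q, P) * pow(y, r * w % Q, P) % P) % Q == r


def recover_dsa_private_key(y: int, h: int, sig):
    """Enumerate every k the weak PRNG could have produced; for each candidate
    x = (s*k - h) * r^-1 mod Q, accepted when G^x mod P == y. With a real
    160-bit Q a false accept is negligible and the hit also names the PID;
    with toy Q only k mod Q matters, so the first hit wins."""
    r, s = sig
    r_inv = pow(r, -1, Q)
    for pid in range(1, PID_MAX):
        for counter in range(64):
            x = (s * weak_nonce(pid, counter) - h) * r_inv % Q
            if pow(G, x, P) == y:
                return x
    return None


# Part 3: what a detector like dowkd.pl does in principle: check deployed keys
# against the weak set. Line format 'toy-key <hex> comment' is constructed.
def scan_authorized_keys(lines, table):
    """Return indexes of lines whose toy public key is in the weak table."""
    weak = []
    for i, line in enumerate(lines):
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "toy-key" and bytes.fromhex(parts[1]) in table:
            weak.append(i)
    return weak


if __name__ == "__main__":
    table = build_weak_key_table()
    priv, pub = toy_keypair(4242)  # victim generated this key under PID 4242
    assert recover_private_key(pub, table) == priv
    x, h = 9, 13  # key made on a good box, then used to sign on a bad one
    y = pow(G, x, P)
    sig = dsa_sign(x, h, pid=777)
    assert dsa_verify(y, h, sig) and recover_dsa_private_key(y, h, sig) == x
    other = hashlib.sha256(b"constructed: key generated elsewhere").hexdigest()
    keys = ["toy-key %s alice@laptop" % pub.hex(), "toy-key %s bob@desk" % other]
    print("weak authorized_keys entries:", scan_authorized_keys(keys, table))
```

The point Part 2 makes is the one the advisory's second paragraph is warning about: regenerating the key is not enough if it was ever used to sign on an affected system, because every signature leaks x once k is enumerable. Part 3 is why a fingerprint blacklist is a workable detector at all: the weak set is finite and small enough to precompute.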
hitest, posted May 14, 2008

Thanks for the heads-up, jcl! Oops, indeed!
iccaros, posted May 25, 2008

http://xkcd.com/424/

Sometimes the XKCD guys hit the nail on the head..
hitest, posted May 25, 2008

> http://xkcd.com/424/
> Sometimes the XKCD guys hit the nail on the head..

LMAO........classic stuff, iccaros! I've blown out one of my Debian boxes since this fiasco and gone back to Slackware (I've got two Slackware 12.1 boxes now). My wife has a Debian box......I'm working on her:-)