| [Actux] Fwd: [ILUG] serious openssl/openssh hole found |
[ Thread Index |
Date Index
| More lists.tuxfamily.org/actux Archives
]
- To: actux@xxxxxxxxxxxxxxxxxxx
- Subject: [Actux] Fwd: [ILUG] serious openssl/openssh hole found
- From: Kereoz <kereoz@xxxxxxxxxx>
- Date: Thu, 15 May 2008 11:38:14 +0100
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:sender:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; bh=uKKB0rd1LNEVzrrdcNcBPS+29NronE39TfMZWH0WOp8=; b=dxl4CFfDKUm+hdvX2MtXPB8On60ktshnMosMS2xYOwpAtye6VAt8hXv7NJpn8TZCD/vuSoKF5e2HoYMVejqw9yncRR90qO/W1mSWg4ZTSvDT91ePfgCg8n/+lZZWHzJj+h0fyRiYtiX8gR8jPwrMx4PkX60Q2Z8eafA7GLmdIDY=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:sender:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=U21IBLNLawkpwgS1lC49Ew/vQaB+DUcmk8A3AdAbeOAzepkwHhyKiEJJYtxGHGGI+AQdHnmF45Gt4saF9Oka36sQzvkUKjvXs4PgeEIIqqjAF5ACPKJnidVOe55POzs93i545phOgYijQYrHVbHafpS3GdGK4HXG9yScFvHH5po=
Pour les Debianeux et Ubuntu-istes :)
---------- Forwarded message ----------
From: Justin Mason <jm@xxxxxxxxxx>
Date: Tue, May 13, 2008 at 3:38 PM
Subject: [ILUG] serious openssl/openssh hole found
To: ilug@xxxxxxxx
http://lists.debian.org/debian-security-announce/2008/msg00152.html
'Luciano Bello discovered that the random number generator in Debian's
openssl package is predictable. This is caused by an incorrect
Debian-specific change to the openssl package (CVE-2008-0166). As a
result, cryptographic key material may be guessable.
It is strongly recommended that all cryptographic key material which has
been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
systems (ie. since 2006!) is recreated from scratch. Furthermore, all
DSA keys ever used on affected Debian systems for signing or
authentication purposes should be considered compromised; the Digital
Signature Algorithm relies on a secret random value used during
signature generation.'
http://www.ubuntu.com/usn/usn-612-1 :
== Who is affected ==
Systems which are running any of the following releases:
* Ubuntu 7.04 (Feisty)
* Ubuntu 7.10 (Gutsy)
* Ubuntu 8.04 LTS (Hardy)
* Ubuntu "Intrepid Ibex" (development): libssl <= 0.9.8g-8
* Debian 4.0 (etch) (see corresponding Debian security advisory)
and have openssh-server installed or have been used to create an OpenSSH
key or X.509 (SSL) certificate. All OpenSSH and X.509 keys generated on
such systems must be considered untrustworthy, regardless of the system on
which they are used, even after the update has been applied. This includes
the automatically generated host keys used by OpenSSH, which are the basis
for its server spoofing and man-in-the-middle protection.
caused by this incorrect "fix" from the debian maintainers in their own
package: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516
One wonders why that fix never made it upstream.
bad news....
--j.
--
Irish Linux Users' Group mailing list
About this list : http://mail.linux.ie/mailman/listinfo/ilug
Who we are : http://www.linux.ie/
Where we are : http://www.linux.ie/map/
--
Christophe HAUSER, http://www.kereoz.org
Association Actux, http://actux.tuxfamily.org