
#1 2008-05-15 07:30:41

lloeki
Member
From: France
Registered: 2007-02-20
Posts: 456
Website

Debian SSL security issue and implications for other distros

Background:
the issue
immediate consequences for debian itself

What is of interest to us Archers:
potential collateral damage in other distros

So to sum up:

- if any of you generated some crypto key/certificate/whatever using openssl (or apps based on it) under debian (or a derivative), be sure to check your keys.
- the weak keys will certainly now be used regularly to brute force by Bad Guys(tm), so even if one has not generated keys under debian, one might want to check if current keys happen by sheer bad luck to be one of them (low probability but who knows)
- openssh package (server) should be instructed to reject such keys

Last edited by lloeki (2008-05-15 07:32:50)


To know recursion, you must first know recursion.

Offline
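A sketch of the check the summary in post #1 asks for, as an added example that is not part of the thread: it walks an `authorized_keys` file, computes each key's legacy MD5 fingerprint, and flags any that appear on a blacklist. The blacklist format (full fingerprint, or its trailing 20 hex characters), the sample keys, and all function names are assumptions constructed for the example; supply the real list of weak-key fingerprints you are checking against.

```python
import base64
import hashlib
import re
import struct

# Key type, then base64 blob; any options field before the type is skipped.
KEY_RE = re.compile(r"(?:^|\s)((?:ssh|ecdsa)-[a-z0-9@.-]+)\s+([A-Za-z0-9+/]+={0,2})(?:\s|$)")

def md5_fingerprint(blob: bytes) -> str:
    """Legacy MD5 key fingerprint as lower-case hex, colons removed."""
    return hashlib.md5(blob).hexdigest()

def audit_authorized_keys(text: str, blacklist: set) -> list:
    """Return (line_no, key_type, fingerprint, status) for each key line."""
    results = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = KEY_RE.search(line)
        key_type, b64 = match.groups() if match else (None, "")
        try:
            blob = base64.b64decode(b64, validate=True)
            (name_len,) = struct.unpack(">I", blob[:4])
            # The blob starts with its own key type; it must match the line's.
            if blob[4:4 + name_len].decode("ascii") != key_type:
                raise ValueError("type mismatch")
        except (ValueError, struct.error):
            results.append((line_no, key_type, None, "unparsed"))
            continue
        fp = md5_fingerprint(blob)
        # Assumed list format: full fingerprint, or its last 20 hex characters.
        weak = fp in blacklist or fp[12:] in blacklist
        results.append((line_no, key_type, fp, "BLACKLISTED" if weak else "ok"))
    return results

def fake_blob(key_type: str, filler: bytes) -> str:
    """Constructed stand-in for a public-key blob (not a real key)."""
    raw = struct.pack(">I", len(key_type)) + key_type.encode() + filler
    return base64.b64encode(raw).decode()

# Constructed sample data: neither key is real, and the "blacklist" is derived
# from the second one purely to exercise the match.
SAMPLE_A, SAMPLE_B = fake_blob("ssh-rsa", b"\x01" * 40), fake_blob("ssh-dss", b"\x02" * 40)
SAMPLE_FILE = f"""# constructed authorized_keys
ssh-rsa {SAMPLE_A} alice@laptop
command="backup",no-pty ssh-dss {SAMPLE_B} backup@nas
ssh-rsa not*base64 broken
"""
SAMPLE_BLACKLIST = {md5_fingerprint(base64.b64decode(SAMPLE_B))[12:]}

if __name__ == "__main__":
    for row in audit_authorized_keys(SAMPLE_FILE, SAMPLE_BLACKLIST):
        print(row)
```

Lines reported as `unparsed` deserve a manual look rather than being treated as clean, since a key that cannot be fingerprinted has not been checked.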

#2 2008-05-15 08:01:05

chicha
Member
From: France
Registered: 2007-04-20
Posts: 271

Re: Debian SSL security issue and implications for other distros

Thank you lloeki.

Except the fact that an Arch server may host some ssh keys generated on Debian/Ubuntu systems, does anyone know if Arch's openssl package is also vulnerable?

Offline

#3 2008-05-15 08:04:59

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,395
Website

Re: Debian SSL security issue and implications for other distros

chicha wrote:

Except the fact that an Arch server may host some ssh keys generated on Debian/Ubuntu systems, does anyone know if Arch's openssl package is also vulnerable?

No, the patch was not applied in the Arch package.

Offline

#4 2008-05-15 08:29:12

chicha
Member
From: France
Registered: 2007-04-20
Posts: 271

Re: Debian SSL security issue and implications for other distros

Allan wrote:

No, the patch was not applied in the Arch package.

Thanks Allan for the info.
I guess this is another point in favor of having vanilla packages ;)

Offline

#5 2008-05-15 08:59:27

iphitus
Forum Fellow
From: Melbourne, Australia
Registered: 2004-10-09
Posts: 4,927

Re: Debian SSL security issue and implications for other distros

This topic is worth bumping, it's not a small one.

I've had my SSH key since the days I used debian. I've replaced it now, so don't bother trying my accounts :)

Last edited by iphitus (2008-05-15 09:11:14)

Offline

#6 2008-05-15 09:10:34

lloeki
Member
From: France
Registered: 2007-02-20
Posts: 456
Website

Re: Debian SSL security issue and implications for other distros

I guess this is another point in favor of having vanilla packages

well, yes and no.

things are not as simple as it seems, for the curious ones:
http://blog.drinsama.de/erich/en/linux/ … aster.html
http://www.aigarius.com/blog/2008/05/14 … different/
http://changelog.complete.org/posts/714 … L-bug.html


To know recursion, you must first know recursion.

Offline

#7 2008-05-15 09:48:45

lloeki
Member
From: France
Registered: 2007-02-20
Posts: 456
Website

Re: Debian SSL security issue and implications for other distros

I've had my SSH key since the days I used debian

almost the same for me.

- I use debian lenny armel on my nslu2, with ssl certs on mail server and so on, so that one's a sure one. regenerated.
- I can't recall when I generated my personal key on my laptop. maybe using debian, maybe ubuntu, maybe gentoo. who knows... so I regenerated everything, just to be sure.


To know recursion, you must first know recursion.

Offline
