Amiga.org

The "Not Quite Amiga but still computer related category" => Alternative Operating Systems => Topic started by: Piru on May 13, 2008, 06:30:38 PM

Title: Serious security vulnerability on Debian/Ubuntu
Post by: Piru on May 13, 2008, 06:30:38 PM
Quote
Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.

...

Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections.

DSA-1571-1 openssl -- predictable random number generator (http://www.debian.org/security/2008/dsa-1571)
USN-612-2: OpenSSH vulnerability (http://www.ubuntu.com/usn/usn-612-2)
Title: Re: Serious security vulnerability on Debian/Ubuntu
Post by: Piru on May 14, 2008, 10:34:49 PM
More details about the vulnerability:

http://wiki.debian.org/SSLkeys
http://metasploit.com/users/hdm/tools/debian-openssl/
Title: Re: Serious security vulnerability on Debian/Ubuntu
Post by: zyphoid on May 14, 2008, 10:59:56 PM
oh man! that needs a quick fix!
Title: Re: Serious security vulnerability on Debian/Ubuntu
Post by: Piru on May 15, 2008, 12:44:49 AM
The fix is there already. The problem is that not everyone updates their boxes daily.
Title: Re: Serious security vulnerability on Debian/Ubuntu
Post by: lorddef on May 15, 2008, 06:01:57 PM
Patched our servers yesterday morning.
Title: Re: Serious security vulnerability on Debian/Ubuntu
Post by: leirbag28 on May 15, 2008, 07:01:27 PM
@zyphoid

 How about selling me your favorite system? :-)