WARN: OpenSSL (Debian and Debian-based distros)
From the Debian Security Advisory (DSA-1571-1):
Quote:
|
http://www.regdeveloper.co.uk/2008/0...n_openssl_bug/ - looks as though they've fixed their mistake.
|
https://lists.ubuntu.com/archives/ub...ay/000705.html
http://lists.debian.org/debian-secur.../msg00152.html
I went ahead & dist-upgraded and during the upgrade SSH keys were regenerated, nice. Does this mean everything I generated an SSL certificate for should also be recreated???
|
I got an email from Mdv which in part says
While this patch was never applied to the Mandriva OpenSSL package, it is possible that these weak keys or certificates exist on Mandriva systems. In particular, this could affect systems that provide SSH or VPN services to many users, some of which may be Debian or Ubuntu users, resulting in the possibility that these weak keys or certificates exist.
No update exists at mdv last time I checked today.
-------
I suggest this email could apply to other distro users as well.
EDIT http://archives.mandrivalinux.com/se...5/msg00015.php
|
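An added example, not part of any post in this thread: one way to act on the concern in the Mandriva notice above is to audit an `authorized_keys` file against a list of known-weak key fingerprints. The blacklist, key blobs and user names below are constructed placeholders (the blobs are not real SSH keys), and the function names are this example's own.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # key types in use when the advisory was issued

def fingerprint(blob_b64):
    """Hex MD5 fingerprint of a base64-encoded public-key blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    return hashlib.md5(raw).hexdigest()

def parse_entry(line):
    """Return (blob, comment) for a key line, or None if no key is on it."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    # An options field (e.g. no-pty) may precede the key type.
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            return fields[i + 1], " ".join(fields[i + 2:])
    return None

def audit(text, blacklist):
    """Return (line_number, comment, fingerprint) for every blacklisted key."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        try:
            fp = fingerprint(entry[0])
        except ValueError:
            continue  # blob is not valid base64: skip rather than guess
        if fp in blacklist:
            hits.append((lineno, entry[1], fp))
    return hits

# Constructed stand-ins for key blobs; these are NOT real SSH keys.
WEAK = base64.b64encode(b"constructed-weak-key").decode()
GOOD = base64.b64encode(b"constructed-good-key").decode()
SAMPLE_BLACKLIST = {fingerprint(WEAK)}  # constructed; load a published list in practice
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file",
    f"ssh-rsa {GOOD} alice@mandriva-host",
    f"no-pty ssh-rsa {WEAK} bob@debian-laptop",
    f"ssh-dss {WEAK} carol@ubuntu-desktop",
])

if __name__ == "__main__":
    for lineno, comment, fp in audit(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BLACKLIST):
        print(f"line {lineno}: weak key {fp} ({comment})")
```

The parser splits on whitespace, so an options field containing quoted spaces may not be recognised; such lines are skipped rather than flagged.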
Some useful articles specifically related to this issue.
HOW-TO Regenerate your Keys on Debian Quote:
Implementing Key Rollover in Debian |
One of the most interesting pages I've seen so far regarding this issue is H D Moore's.
|
I'm proceeding to unsticky this thread. Considering the unbelievable amount of coverage this issue received in the blogosphere and Debian mailing lists during the first week, any Debian system administrator who hasn't heard of this by now is probably living under a rock. Feel free to post any questions/comments related to this historically significant vulnerability, though.