Debian and Ubuntu (and derivatives) have serious OpenSSL flaw

sciencewhiz

Luciano Bello discovered that the random number generator in Debian's
openssl package is predictable. This is caused by an incorrect
Debian-specific change to the openssl package (CVE-2008-0166). As a
result, cryptographic key material may be guessable.

Here's a link to the Debian announcement: http://lists.debian.org/debian...nce/2008/msg00152.html and the Ubuntu announcement: http://www.ubuntu.com/usn/usn-612-2

From the Ubuntu advisory:
All OpenSSH and X.509 keys generated on such systems must be considered untrustworthy, regardless of the system on which they are used, even after the update has been applied.

From the Debian advisory:
A detector for known weak key material will be published at:

http://security.debian.org/pro...xtra/dowkd/dowkd.pl.gz
http://security.debian.org/pro.../dowkd/dowkd.pl.gz.asc
(OpenPGP signature)

Instructions how to implement key rollover for various packages will be
published at:

http://www.debian.org/security/key-rollover/

The last link still doesn't have any useful information, so look at this article: http://wiki.debian.org/SSLkeys
 

sourceninja

yea, this has some potential to be a HUGE pain in my ass.

Actually a co-worker pointed out that we only have 2 servers that are affected. All of our other public facing servers are still 6.06 which is not listed in the OS affected by ubuntu.
 

Brazen

Originally posted by: Schadenfroh
I have gotten two updates over the past day for the OpenSSL, is it finally fixed now?

Whether it is fixed or not in your current distro is irrelevant. It depends on the machine that you used to create the ssl keys. If you created them on one of the affected distros, then your keys are "tainted" whether you actually use the keys on an unaffected distro or not. Likewise, if you created good keys on an unaffected distro, even if you use the keys on a distro with the bug, the keys are still good.

If you created the keys on a distro that has the bug, then you need to recreate your keys whether you get the patch or not.
 

sourceninja

I hope so, I just got done revoking and regenerating all the keys made on the affected machines.
 

sciencewhiz

Originally posted by: sourceninja
Actually a co-worker pointed out that we only have 2 servers that are affected. All of our other public facing servers are still 6.06 which is not listed in the OS affected by ubuntu.

Same here, all my keys were generated on Sarge and are not affected.
 

sciencewhiz

Originally posted by: Schadenfroh
I have gotten two updates over the past day for the OpenSSL, is it finally fixed now?

Ubuntu updated first to fix the problem for any new keys generated, then updated the package again to give you some tools to detect the bad keys. Like Brazen said, if you have bad keys, even with the updated package, you are in trouble.

The following document has a lot of good info: http://wiki.debian.org/SSLkeys
 

chenry3

If you update either Ubuntu or Debian and install the new openssh packages - it will install a program called ssh-vulnkey which will not only scan your ssh daemon keys, but also any of your users' stored authorized_keys for use of any keys created with the vulnerable version of openssl.
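
The kind of blacklist scan described in the post above, as an added illustration that is not part of the thread and is not ssh-vulnkey's own code. It assumes the blacklist holds the last 20 hex characters of each weak key's MD5 fingerprint; the key blobs, blacklist and function names below are constructed for the example, not real weak keys.

```python
import base64
import binascii
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss"}

def blob_from_line(line):
    """Return (key_type, blob) from one authorized_keys line, or None.
    Skips leading options (from="...", command="...") by requiring a key-type
    token followed by base64 whose embedded type name matches that token."""
    fields = line.split()
    for i, tok in enumerate(fields[:-1]):
        if tok not in KEY_TYPES:
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except (binascii.Error, ValueError):
            continue
        # A public-key blob starts with a uint32 length and the type name.
        if len(blob) >= 4 and blob[4:4 + struct.unpack(">I", blob[:4])[0]] == tok.encode():
            return tok, blob
    return None

def blacklist_entry(blob):
    """Low 80 bits of the MD5 fingerprint (assumed blacklist format)."""
    return hashlib.md5(blob).hexdigest()[12:]

def scan(authorized_keys_text, blacklist):
    """Return [(line_no, key_type, entry)] for every blacklisted key."""
    hits = []
    for no, line in enumerate(authorized_keys_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parsed = blob_from_line(line)
        if parsed and blacklist_entry(parsed[1]) in blacklist:
            hits.append((no, parsed[0], blacklist_entry(parsed[1])))
    return hits

def make_constructed_key(seed):
    """Constructed sample blob with a valid header; not a real RSA key."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + hashlib.sha256(seed).digest()
    return blob, base64.b64encode(blob).decode()

WEAK_BLOB, WEAK_B64 = make_constructed_key(b"weak")
GOOD_B64 = make_constructed_key(b"good")[1]
BLACKLIST = {blacklist_entry(WEAK_BLOB)}  # constructed blacklist
SAMPLE = f"""# constructed authorized_keys
ssh-rsa {GOOD_B64} alice@laptop
from="10.0.0.*",no-pty ssh-rsa {WEAK_B64} backup@etch
"""
```

A match only says the key is on the list; as the replies above point out, the remedy is to regenerate the key, not just to patch the package.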
 

Markbnj

It'll also regenerate your host key if it is vulnerable, as mine was apparently. This broke NX Server on my Debian system because they store the host key in a separate file, but that was easy to fix. Other than that, no issues.
 

heymrdj

It's been a little hell in the ISPConfig development for us; the SSL keys are generated on the most popular distro for it, Debian Etch. But then again, many many distros are also covered. The SSL patch changed mine as well for the main ISPConfig authentication; again though, easy fix.