The Debian Security Advisory posted up DSA-1571-1 openssl -- predictable random number generator issue today and strongly advised its users to take steps to avoid possible compromising of any systems running on Debian, such as Ubuntu.
The researcher Luciano Bello discovered a security flaw in Debian's random number generator that allows to predict a random generated number. This is caused by an incorrect Debian change to the openssl package. As a result, cryptographic key material may be guessable.
This problem not only affects Debian, but also all its derivatives, such as Ubuntu.
It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on affected systems is recreated from scratch. Furthermore, all DSA keys ever used on affected systems for signing or authentication purposes should be considered compromised.
News Source: Debian Security Advisory DSA-1571-1
The researcher Luciano Bello discovered a security flaw in Debian's random number generator that allows to predict a random generated number. This is caused by an incorrect Debian change to the openssl package. As a result, cryptographic key material may be guessable.
This problem not only affects Debian, but also all its derivatives, such as Ubuntu.
It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on affected systems is recreated from scratch. Furthermore, all DSA keys ever used on affected systems for signing or authentication purposes should be considered compromised.
News Source: Debian Security Advisory DSA-1571-1
Last edited by warwagon on 13 May 2008 - 22:21
or do we simply wait for a fix.
crap this sucks
don't forget that this only afects debian unstable distribution since 2006-09-17 and etch 4.0
(ubuntu/xubuntu/kubuntu 7.04 - 8.04)
if you haven't generated any ssh keys or X.509 certificates in those systems, then there in nothing to worry about. This is just an issue in keys/certificates generation.
I don't have any SSL keys at all, but for those who do, this is a pretty important thing to get fixed!
I love how anal/paranoid these guys are...
I love how anal/paranoid these guys are...
Uh, it narrowed the keyspace to about 262000 unique keys. The vulnerable key checker program contains them all, it's about 8 MB.
It's a lot more serious than it sounds at first glance. The security of the entire system (or any encrypted traffic to it, if it was used in SSH or SSL) is pretty much compromised, and has been for the last two years.
Everyday can be patch day in Linux world (and that's a good thing!
OMG!! Windows FTW! LINUX FTL!!!
oh i crack my self up
Can't have Linux security flaws ? or do we mean publicly disclosed flaws ?
Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!
Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.