Debian/*ubuntu security bug and a question...
So, someone directed me at this bug report: http://metasploit.com/users/hdm/tools/debian-openssl/

I'm afraid my head spins a bit when I try to make sense of what corrective measures should be taken... has Ubuntu already rolled out a bug fix which will take care of the problem? If not, what needs to be done to fix my machine?

Thanks,
Brian
On Thu, May 15, 2008 at 10:32:32AM -0400, Brian A. Dewhirst wrote:
> I'm afraid my head spins a bit when I try to make sense of what corrective measures should be taken... has Ubuntu already rolled out a bug fix which will take care of the problem? If not, what needs to be done to fix my machine?

In short, if you've generated any keys with OpenSSL (i.e. certificates, ssh keys, etc.) on Debian or its derivatives at any time in at least the last 2 years, you will want to regenerate them after you upgrade to the fixed version. Updating will solve the weak key generation issue, but not do anything about the already generated keys in use.

-- 
Randomly Selected Tagline:
Leela: "Great. We're two days from earth with no food."
Bender: "Problem solved. You two fight to the death and I'll cook the loser."
On Thu, May 15, 2008 at 10:39 AM, Theo Van Dinter <felicity@kluge.net> wrote:
> On Thu, May 15, 2008 at 10:32:32AM -0400, Brian A. Dewhirst wrote:
>> I'm afraid my head spins a bit when I try to make sense of what corrective measures should be taken... has Ubuntu already rolled out a bug fix which will take care of the problem? If not, what needs to be done to fix my machine?
>
> In short, if you've generated any keys with OpenSSL (i.e. certificates, ssh keys, etc.) on Debian or its derivatives at any time in at least the last 2 years, you will want to regenerate them after you upgrade to the fixed version.
> Updating will solve the weak key generation issue, but not do anything about the already generated keys in use.

Well, pretend you're talking to a Linux novice for a minute... does that mean that if I don't think I've done any cryptography that I'm fine, or is OpenSSL used for lots of other programs... for example, does Firefox use it when someone logs into their checking account?
Brian,

This particular problem is only related (as far as I can tell) to RSA key generation. If you've not done this, then you should be okay. I would still recommend bringing your OpenSSL lib up-to-date, as it is, indeed, used for secure web browsing as well (although Firefox may statically link with its own version to avoid just such problems ...)

So yeah, in short, if you don't have a key that you use to sign e-mail or for access to another computer, then you're probably fine.

This is still probably of interest to the rest of the group, though, since there was recently a key-signing party, and with the proliferation of Ubuntu and Debian, I'm betting that a significant number of those keys will be compromised.

Cheers,
Lee

On Thu, May 15, 2008 at 11:34 AM, Brian A. Dewhirst <b.dewhirst@gmail.com> wrote:
> On Thu, May 15, 2008 at 10:39 AM, Theo Van Dinter <felicity@kluge.net> wrote:
>> On Thu, May 15, 2008 at 10:32:32AM -0400, Brian A. Dewhirst wrote:
>>> I'm afraid my head spins a bit when I try to make sense of what corrective measures should be taken... has Ubuntu already rolled out a bug fix which will take care of the problem? If not, what needs to be done to fix my machine?
>>
>> In short, if you've generated any keys with OpenSSL (i.e. certificates, ssh keys, etc.) on Debian or its derivatives at any time in at least the last 2 years, you will want to regenerate them after you upgrade to the fixed version.
>> Updating will solve the weak key generation issue, but not do anything about the already generated keys in use.
>
> Well, pretend you're talking to a Linux novice for a minute... does that mean that if I don't think I've done any cryptography that I'm fine, or is OpenSSL used for lots of other programs... for example, does Firefox use it when someone logs into their checking account?
>
> _______________________________________________
> Wlug mailing list
> Wlug@mail.wlug.org
> http://mail.wlug.org/mailman/listinfo/wlug
-- Lee Keyser-Allen (lkeyser@alum.wpi.edu)
On Thu, May 15, 2008 at 10:39:51AM -0400, Theo Van Dinter wrote:
> On Thu, May 15, 2008 at 10:32:32AM -0400, Brian A. Dewhirst wrote:
>> I'm afraid my head spins a bit when I try to make sense of what corrective measures should be taken... has Ubuntu already rolled out a bug fix which will take care of the problem? If not, what needs to be done to fix my machine?
>
> In short, if you've generated any keys with OpenSSL (i.e. certificates, ssh keys, etc.) on Debian or its derivatives at any time in at least the last 2 years, you will want to regenerate them after you upgrade to the fixed version.
> Updating will solve the weak key generation issue, but not do anything about the already generated keys in use.
Also, if you've used SSH Password Authentication to log into to any system whose SSH host keys were generated with the vulnerable OpenSSL (likely any Debian, Ubuntu, or derivative systems), then you should change your password. Any data that was transferred over SSH to a system with a vulnerable key could have been compromised.
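As an added example (not code from this thread, nor Debian's or Ubuntu's own tooling), a small defender-side checker for the advice above: it parses OpenSSH public-key lines, computes each key's MD5 fingerprint, and flags any key whose fingerprint appears in a blacklist of known-weak fingerprints, so you know which keys must be regenerated rather than merely updated around. The blacklist and both sample keys are constructed here; a real check would load the distribution's published weak-key fingerprint list.

```python
import base64, hashlib, struct


def ssh_wire_strings(blob):
    """Split an SSH public-key blob into its length-prefixed fields (RFC 4253)."""
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return fields


def md5_fingerprint(blob):
    """Colon-separated MD5 fingerprint, the form ssh-keygen -l printed in 2008."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))


def parse_pubkey_line(line):
    """Parse an 'ssh-rsa AAAA... comment' line into (blob, modulus bits, comment)."""
    parts = line.split(maxsplit=2)
    ktype, blob = parts[0], base64.b64decode(parts[1])
    fields = ssh_wire_strings(blob)
    if ktype != "ssh-rsa" or fields[0] != b"ssh-rsa":
        raise ValueError("only ssh-rsa keys are handled here")
    bits = int.from_bytes(fields[2], "big").bit_length()  # fields: type, e, n
    return blob, bits, parts[2].strip() if len(parts) > 2 else ""


def check_keys(lines, blacklist):
    """Return [(comment, bits, 'WEAK' or 'ok')] for each non-comment key line."""
    report = []
    for line in lines:
        if line.strip() and not line.startswith("#"):
            blob, bits, comment = parse_pubkey_line(line)
            status = "WEAK" if md5_fingerprint(blob) in blacklist else "ok"
            report.append((comment, bits, status))
    return report


def make_rsa_pubkey_line(e, n, comment):
    """Build a constructed ssh-rsa line from toy integers (not a usable key)."""
    field = lambda b: struct.pack(">I", len(b)) + b
    def mpint(x):  # positive mpint: leading zero byte when the high bit is set
        return field(x.to_bytes(x.bit_length() // 8 + 1, "big"))
    blob = field(b"ssh-rsa") + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


# Constructed samples: one key we pretend is on the weak-key list, one that is not.
WEAK_LINE = make_rsa_pubkey_line(65537, (1 << 1023) | 0x1234567, "old@debian-box")
GOOD_LINE = make_rsa_pubkey_line(65537, (1 << 2047) | 0x7654321, "fresh@laptop")
BLACKLIST = {md5_fingerprint(base64.b64decode(WEAK_LINE.split()[1]))}
```

Running `check_keys` over the lines of an authorized_keys file with a real blacklist gives the list of keys to revoke and regenerate; a "WEAK" host key also means past password logins to that host should be treated as exposed, as noted above.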
On Thu, 2008-05-15 at 10:32 -0400, Brian A. Dewhirst wrote:
> So, someone directed me at this bug report:
> http://metasploit.com/users/hdm/tools/debian-openssl/
>
> I'm afraid my head spins a bit when I try to make sense of what corrective measures should be taken... has Ubuntu already rolled out a bug fix which will take care of the problem? If not, what needs to be done to fix my machine?
>
> Thanks,
> Brian

Hi,

Yes, a security update was released on 14th. See http://www.ubuntu.com/usn/usn-612-5

baris
Participants (5):
- Barış Hasdemir
- Brian A. Dewhirst
- Chuck Anderson
- Lee Keyser-Allen
- Theo Van Dinter