SSL vulnerability in Debian and Ubuntu.

Nathan Blackham kemotaha at gmail.com
Tue May 13 16:10:43 MDT 2008


On Tue, 2008-05-13 at 10:14 -0600, Jordan Curzon wrote:
> This came across my radar this morning:
> 
> ".....It is strongly recommended that all cryptographic key material which has
> been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
> systems is recreated from scratch.  Furthermore, all DSA keys ever used
> on affected Debian systems for signing or authentication purposes should
> be considered compromised; the Digital Signature Algorithm relies on a
> secret random value used during signature generation.
> 
> The first vulnerable version, 0.9.8c-1, was uploaded to the unstable
> distribution on 2006-09-17, and has since propagated to the testing and
> current stable (etch) distributions.  The old stable distribution
> (sarge) is not affected....."
> 
> http://lists.debian.org/debian-security-announce/2008/msg00152.html

It looks like there is a script that you can download off that
announcement to see if you have weak keys.  I did a quick search on my
users and hosts and it seems like I did have a few weak keys.

Nathan
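The check Nathan describes (look at each user's and host's keys, compare against the known-weak set) can be done without the advisory's script as long as you have a blacklist of weak-key fingerprints. The following is an added example, not code from the thread or from the Debian advisory: it parses authorized_keys and known_hosts lines (key-type anchored, so it tolerates an options prefix such as command="..." and hashed hostnames), computes the colon-separated MD5 fingerprint that ssh-keygen -l printed at the time, and looks it up in a blacklist set. The keys and the blacklist are constructed for the demo; the real blacklist packages Debian shipped use their own on-disk format, so adapt the loading of BLACKLIST accordingly.

```python
"""Scan authorized_keys / known_hosts lines for blacklisted SSH public keys.

Added example; all key material and the blacklist are CONSTRUCTED for the demo.
"""
import base64
import hashlib
import shlex
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint' for a non-negative integer (leading 0x00 if the high bit is set)."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def rsa_blob_b64(e: int, n: int) -> str:
    """Encode (e, n) as an ssh-rsa public-key blob, base64 as it appears in authorized_keys.
    Used here only to build CONSTRUCTED sample keys; the numbers are not real key material."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return base64.b64encode(blob).decode("ascii")


def md5_fingerprint(blob_b64: str) -> str:
    """Colon-separated MD5 fingerprint of a base64 key blob (the 2008-era `ssh-keygen -l` form)."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_key_line(line: str):
    """Return (keytype, blob_b64) from an authorized_keys or known_hosts line, or None.

    The key-type token anchors the parse, so an authorized_keys options prefix
    (including quoted strings with spaces, e.g. command="..."), the hostname or
    hashed-hostname field of known_hosts, trailing comments and blank lines are all
    tolerated. Lines with unbalanced quotes or an invalid base64 blob are rejected.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    try:
        tokens = shlex.split(stripped, posix=True)
    except ValueError:
        return None  # unbalanced quotes: refuse to guess at the key
    for i, tok in enumerate(tokens[:-1]):
        if tok in KEY_TYPES:
            blob = tokens[i + 1]
            try:
                base64.b64decode(blob, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
            return tok, blob
    return None


def scan_lines(lines, blacklist):
    """Yield (line_no, keytype, fingerprint, is_weak) for every parseable key line."""
    for no, line in enumerate(lines, 1):
        parsed = parse_key_line(line)
        if parsed is None:
            continue
        keytype, blob = parsed
        fp = md5_fingerprint(blob)
        yield no, keytype, fp, fp in blacklist


# --- CONSTRUCTED sample data: not real keys, moduli chosen only for the demo ---
WEAK_KEY = rsa_blob_b64(65537, 0xC0FFEE_DEADBEEF_0BADF00D_12345678_9ABCDEF0)
GOOD_KEY = rsa_blob_b64(65537, 0xFEEDFACE_CAFEBABE_0BADF00D_12345678_9ABCDEF1)

# A blacklist here is simply a set of fingerprints; it is constructed by declaring
# WEAK_KEY weak. Load the real blacklist into this set in whatever format you have it.
BLACKLIST = {md5_fingerprint(WEAK_KEY)}

SAMPLE_KEY_LINES = [
    "# constructed authorized_keys / known_hosts lines for the demo",
    f"ssh-rsa {GOOD_KEY} alice@laptop",
    f'command="/usr/bin/rsync --server",no-pty ssh-rsa {WEAK_KEY} backup@etch-host',
    f"|1|hashedsalt=|hashedhost= ssh-rsa {WEAK_KEY}",  # hashed known_hosts entry
    "this line is not a key",
]


def weak_entries(lines=SAMPLE_KEY_LINES, blacklist=BLACKLIST):
    """Line numbers of entries whose fingerprint is on the blacklist."""
    return [no for no, _, _, weak in scan_lines(lines, blacklist) if weak]


if __name__ == "__main__":
    for no, keytype, fp, weak in scan_lines(SAMPLE_KEY_LINES, BLACKLIST):
        print(f"line {no}: {keytype} {fp} {'WEAK - replace this key' if weak else 'ok'}")
```

To run it against a real fleet, feed scan_lines() the contents of every ~/.ssh/authorized_keys and /etc/ssh/ssh_known_hosts you collect, with BLACKLIST loaded from the published weak-key fingerprints. Matching the public half is what makes this workable at scale: you never need the private keys, and the same scan covers both users' keys and host keys.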