Joined: Feb. 2007
Posted: May 16 2008, 21:12
Sort of off-topic but I mentioned the need for updating zlib+ssl+ssh in this thread and want to update something related to that.
Debian has issued an advisory about a vulnerability in their implementation of SSL. This affects Debian and all of its derivatives using their SSL package including Ubuntu. The package starts with OpenSSL version 0.9.8c-1, which was uploaded to the unstable (Etch) distribution on 2006-09-17, and subsequent versions through 16 May 2007. This doesn't affect DSL directly (see below) because DSL uses a Woody-era OpenSSL package.
Lines of code were removed that affect random number generation. Accordingly, the keys generated are guessable and susceptible to cracking, interception, etc. Debian is advising updating OpenSSL and regenerating "SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections."
This will also indirectly affect others whether they use Debian, its derivatives, any other distro, or any other operating system because many secure sites need new certificates. You may be warned that some sites you visit have new/altered certificates in the coming days (I've been flagged for a couple already, finding out that one site I use runs its servers on Ubuntu).
I have more on this on my blog.
"It felt kind of like having a pitbull terrier on my rear end."
-- meo (copyright(c)2008, all rights reserved)