[ale] Debian Security Advisory...

Michael H. Warfield mhw at WittsEnd.com
Tue May 13 10:07:18 EDT 2008


Hey all,

        Very early this morning, Debian announced a very serious
security advisory in OpenSSL impacting Debian Etch (stable) and Lenny
(unstable) and test.  The problem is in the OpenSSL prng (pseudo random
number generator) which was only being seeded by the process pid.  This
means that this particular Debian specific version of OpenSSL would only
generate 32,768 unique key pairs implying your true key strength was
only 15 bits for RSA, DSA, etc, etc, etc...  The package has to be
updated and all keys, ssh, OpenVPN, DNSSEC, as well as X.509
certificates generated under the affected distributions must be
regenerated from scratch.  All DSA keys must be considered compromised.
GPG and GNUTLS keys are NOT affected.

        Debian Etch was released in April of 2007, even though the
vulnerable code was uploaded to test in April of 2006 and subsequently
available in unstable prior to the release of Etch.  Distributions such
as Ubuntu and Knoppix released after that time and based on Etch are
probably also affected.  Embedded systems based on Etch may be impacted.
Keys generated by these systems may also have made their way into other
systems and embedded devices.  Run-live CDs and BBCs (Bootable
Business Card) based on Debian Etch may be impacted.

        Official announcement is here:

http://lists.debian.org/debian-security-announce/2008/msg00152.html

        Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
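
As an added illustration (not part of Mike's post, and not Debian's or OpenSSL's code): a constructed toy model of a key generator whose PRNG is seeded by nothing but the process pid, showing why the advisory's figures of 32,768 reachable keys and 15 bits of effective strength follow, together with the fingerprint-blacklist check that was the practical way to detect such keys. `toy_keygen`, `PID_MAX` and the SHA-256 fingerprint are assumptions of the model, not OpenSSL internals.

```python
import hashlib
import math
import os
import random

PID_MAX = 32768  # pid space the advisory cites: the only entropy source in the broken build


def toy_keygen(pid: int) -> bytes:
    """Constructed model of a key generator whose PRNG is seeded by the pid alone.
    Not OpenSSL code: the 'key' is simply a deterministic function of the pid."""
    rng = random.Random(pid)                      # seed = pid, nothing else
    return rng.getrandbits(256).to_bytes(32, "big")


def fingerprint(key: bytes) -> str:
    """Short, stable identifier for a key, the form a blacklist would store."""
    return hashlib.sha256(key).hexdigest()[:16]


def reachable_key_count() -> int:
    """Every key the broken generator can ever emit: one per possible pid."""
    return len({fingerprint(toy_keygen(pid)) for pid in range(PID_MAX)})


def effective_key_bits() -> int:
    """Key entropy is bounded by the seed: log2 of the reachable key count."""
    return int(math.log2(reachable_key_count()))


# Defender's remediation: enumerate every weak fingerprint once and refuse any match,
# the same idea as the key blacklists Debian shipped for this advisory.
WEAK_FINGERPRINTS = frozenset(fingerprint(toy_keygen(pid)) for pid in range(PID_MAX))


def is_weak_key(key: bytes) -> bool:
    return fingerprint(key) in WEAK_FINGERPRINTS


def make_good_key() -> bytes:
    """Key from the OS entropy pool, for comparison; not derivable from a pid."""
    return os.urandom(32)


if __name__ == "__main__":
    print("distinct keys reachable:", reachable_key_count())          # 32768
    print("effective key strength:", effective_key_bits(), "bits")  # 15
    print("pid-seeded key flagged:", is_weak_key(toy_keygen(4242)))   # True
    print("urandom key flagged:", is_weak_key(make_good_key()))       # False
```

Regenerating from scratch, as the advisory says, is the fix; the blacklist only tells you which existing keys cannot be trusted.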
