[SATLUG] Debian Vulnerability (incl. Ubuntu)

luis luis at luisgarza.com
Wed May 14 23:42:47 CDT 2008

I've been monitoring it on the alg news group.  It appears to have been
a problem for a while.  But it does appear to be a significant problem
with ssl certificates and ssh keys.  The problem is that even corrected,
certificates and keys made with the small random function will still exist on
yours and other systems that you have shared your keys with.  So if you
are running redhat and debian servers with knownhosts and share keys,
you will still need to regenerate new keys and redistribute them to the
redhat box.  So this bug does not just affect the debian/ubuntu box, it
also affects any other box that you have shared your ssh public keys with.  So
now here's the fun part.  If I am running a solaris or redhat box, I
don't know if your system was a debian/ubuntu box or another solaris
box.  I will have to get rid of my knownhosts files in the /etc/ssh
directory but also the ones in the users' $HOME/.ssh directories.  Worse
yet I also need to get rid of the authorized_keys files from the users'
$HOME/.ssh directories.  All because I don't know if they came from a
redhat or solaris or a debian/ubuntu box.

No wonder there is a reported increase in ssh attacks.


- From the movie airplane:  "I pick the wrong time to quit smoking ....."


Tweeks wrote:
> Is that what that was?  Already patched and updated and I didn't even know it 
> was a problem. :)
> Gotta Love Linux...
> Tweeks
> On Tuesday 13 May 2008 12:07:59 pm Ernest De Leon wrote:
>> http://www.smbtechadvice.com/2008/05/debian-security-advisory-openssl.html
>> Check it out...
>> --
>> Ernest de Leon
>> http://www.smbtechadvice.com
>> "They who can give up essential liberty to obtain a little temporary safety
>> deserve neither liberty nor safety." - A common 18th Century sentiment
>> voiced by Benjamin Franklin
>> "A patriot must always be ready to defend his country against his
>> government." - Edward Abbey
>> "All that is necessary for evil to triumph is for good men to do nothing."
>> - Edmund Burke, English statesman and political philosopher (1729-1797)
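
The audit described in the message above (going through known_hosts and authorized_keys files for keys that may be weak), as an added example that is not part of the original post: it fingerprints every key in those files and reports the ones found on a list of known-weak fingerprints. The file contents, key blobs and the weak-fingerprint set are constructed for illustration; a real list has to come from your distribution.

```python
import base64, hashlib, struct

def key_blob(line):
    """Return (keytype, raw_blob) from one authorized_keys/known_hosts line, else None."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for tok, nxt in zip(tokens, tokens[1:]):
        try:
            raw = base64.b64decode(nxt, validate=True)
        except ValueError:
            continue
        # The blob opens with a length-prefixed copy of the key type; requiring a
        # match skips hostnames, options and words inside command="..." strings.
        if len(raw) > 4:
            (n,) = struct.unpack(">I", raw[:4])
            if raw[4:4 + n] == tok.encode():
                return tok, raw
    return None

def md5_fingerprint(raw):
    """Colon-separated MD5 fingerprint of a key blob (the legacy ssh-keygen -l format)."""
    h = hashlib.md5(raw).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def audit(files, weak_fingerprints):
    """files maps path -> text; returns (path, line number, key type, fingerprint) hits."""
    hits = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            parsed = key_blob(line)
            if parsed and md5_fingerprint(parsed[1]) in weak_fingerprints:
                hits.append((path, lineno, parsed[0], md5_fingerprint(parsed[1])))
    return hits

def _sample_key(keytype, filler):
    # Constructed, non-functional blob: real framing, dummy payload.
    raw = struct.pack(">I", len(keytype)) + keytype.encode() + filler
    return base64.b64encode(raw).decode()

WEAK, GOOD = _sample_key("ssh-rsa", b"\x01" * 32), _sample_key("ssh-rsa", b"\x02" * 32)
SAMPLE_FILES = {  # constructed file contents
    "/etc/ssh/ssh_known_hosts": f"host1.example,192.0.2.10 ssh-rsa {GOOD}\nhost2.example ssh-rsa {WEAK}\n",
    "/home/alice/.ssh/authorized_keys": f'command="echo ssh-rsa" ssh-rsa {WEAK} alice@laptop\n',
}
WEAK_FPS = {md5_fingerprint(base64.b64decode(WEAK))}  # placeholder for a real weak-key list

if __name__ == "__main__":
    for hit in audit(SAMPLE_FILES, WEAK_FPS):
        print("%s:%d %s %s" % hit)
```

Reporting the file and line of each match lets individual entries be removed and replaced instead of deleting whole files.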
