[SATLUG] Debian Vulnerability (incl. Ubuntu)

Samuel Leon satlug at net153.net
Thu May 15 13:25:25 CDT 2008


luis wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I've been monitoring it on the alg news group.  It appears to have been
> a problem for awhile.  But it does appear to be a significant problem
> with ssl certificates and ssh keys.  The problem is that even corrected,
> certificates and keys made with small random function will still exist on
> yours and other systems that you have shared your keys with.  So if you
> are running redhat and debian servers with knownhosts and share keys,
> you will still need to regenerate new keys and redistribute them to the
> redhat box.  So this bug does not just affect the debian/ubuntu box, it
> also affects any other box that you have shared your ssh public keys with.  So
> now here's the fun part.  If I am running a solaris or redhat box, I
> don't know if your system was a debian/ubuntu box or another solaris
> box.  I will have to get rid of my knownhosts files in the /etc/ssh
> directory but also the ones in the users' $HOME/.ssh directories.  Worse
> yet I also need to get rid of the authorized_keys files from the users'
> $HOME/.ssh directories.  All because I don't know if they came from a
> redhat or solaris or a debian/ubuntu box.
> 
> No wonder there is a reported increase in ssh attacks.
> 
> Great!
> 
> - From the movie airplane:  "I pick the wrong time to quit smoking ....."
> 
> Luis
> 
> 
> Tweeks wrote:
>> Is that what that was?  Already patched and updated and I didn't even know it 
>> was a problem. :)
>>
>> Gotta Love Linux...
>>
>> Tweeks
>>
>> On Tuesday 13 May 2008 12:07:59 pm Ernest De Leon wrote:
>>> http://www.smbtechadvice.com/2008/05/debian-security-advisory-openssl.html
>>>
>>> Check it out...
>>>
>>> --
>>> Ernest de Leon
>>> http://www.smbtechadvice.com
>>>
>>> "They who can give up essential liberty to obtain a little temporary safety
>>> deserve neither liberty nor safety." - A common 18th Century sentiment
>>> voiced by Benjamin Franklin
>>>
>>> "A patriot must always be ready to defend his country against his
>>> government." - Edward Abbey
>>>
>>> "All that is necessary for evil to triumph is for good men to do nothing."
>>> - Edmund Burke, English statesman and political philosopher (1729-1797)
>>
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFIK79GT6o+geKsYgERAmZFAJ92V4gRFpKP7Y8Y4CWlJ5fUcU4nggCdFZs6
> CrX1rMU4rSovktvxOPRp/0Q=
> =qYlr
> -----END PGP SIGNATURE-----

Yea it is really a mess.  I spent 3 hours this morning getting all the 
keys right on just 8 boxes.

Sam
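
An added example (not from any poster in this thread): one way to audit the authorized_keys and known_hosts files discussed above is to fingerprint every stored public key and compare it against a list of known-weak fingerprints. The blocklist contents, key blobs, host and user names, and function names below are all constructed for illustration.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # key types in common use in 2008

def md5_fingerprint(blob):
    """Classic OpenSSH MD5 fingerprint of a decoded key blob, hex without colons."""
    return hashlib.md5(blob).hexdigest()

def extract_key(line):
    """Return (keytype, blob, comment) from an authorized_keys or known_hosts line, else None."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    for i in range(len(fields) - 1):
        ktype = fields[i]
        if ktype not in KEY_TYPES:
            continue  # options, host names and markers are skipped
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue  # e.g. the tail of a quoted command="..." option
        if blob[4:4 + len(ktype)] == ktype.encode():  # blob must name the same type
            return ktype, blob, " ".join(fields[i + 2:])
    return None

def audit(lines, weak_fingerprints):
    """Return (line_number, keytype, comment) for every key found on the blocklist."""
    hits = []
    for number, line in enumerate(lines, 1):
        key = extract_key(line)
        if key and md5_fingerprint(key[1]) in weak_fingerprints:
            hits.append((number, key[0], key[2]))
    return hits

def fake_blob(ktype, filler):
    """Constructed stand-in for a key blob: length-prefixed type name plus filler bytes."""
    raw = struct.pack(">I", len(ktype)) + ktype.encode() + filler
    return base64.b64encode(raw).decode()

# Constructed sample data: none of these are real keys or real fingerprints.
WEAK = {md5_fingerprint(base64.b64decode(fake_blob("ssh-rsa", b"weak-key-material")))}
SAMPLE = [
    "# authorized_keys and known_hosts lines mixed for the demo",
    'command="echo ssh-rsa hi",no-pty ssh-rsa %s luis@debian-box' % fake_blob("ssh-rsa", b"weak-key-material"),
    "ssh-dss %s sam@redhat-box" % fake_blob("ssh-dss", b"other-key-material"),
    "host1.example.org,192.0.2.10 ssh-rsa %s" % fake_blob("ssh-rsa", b"weak-key-material"),
]
```

Calling `audit(SAMPLE, WEAK)` flags lines 2 and 4; in practice the lines would come from each user's `$HOME/.ssh` files and `/etc/ssh`, and the fingerprint set from a published weak-key list.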


