[SATLUG] Debian Vulnerability (incl. Ubuntu)
satlug at net153.net
Thu May 15 13:25:25 CDT 2008
> I've been monitoring it on the alg news group. It appears to have been
> a problem for a while. But it does appear to be a significant problem
> with ssl certificates and ssh keys. The problem is that even corrected,
> certificates and keys made with small random function will still exist on
> yours and other systems that you have shared your keys with. So if you
> are running Red Hat and Debian servers with knownhosts and share keys,
> you will still need to regenerate new keys and redistribute them to the
> Red Hat box. So this bug does not just affect the Debian/Ubuntu box; it
> also affects any other box that you have shared your ssh public keys with. So
> now here's the fun part. If I am running a Solaris or Red Hat box, I
> don't know if your system was a Debian/Ubuntu box or another Solaris
> box. I will have to get rid of my knownhosts files in the /etc/ssh
> directory but also the ones in the users' $HOME/.ssh directories. Worse
> yet, I also need to get rid of the authorized_keys files from the users'
> $HOME/.ssh directories. All because I don't know if they came from a
> Red Hat or Solaris or a Debian/Ubuntu box.
> No wonder there is a reported increase in ssh attacks.
> From the movie Airplane: "I pick the wrong time to quit smoking ....."
> Tweeks wrote:
>> Is that what that was? Already patched and updated and I didn't even know it
>> was a problem. :)
>> Gotta Love Linux...
>> On Tuesday 13 May 2008 12:07:59 pm Ernest De Leon wrote:
>>> Check it out...
>>> Ernest de Leon
>>> "They who can give up essential liberty to obtain a little temporary safety
>>> deserve neither liberty nor safety." - A common 18th Century sentiment
>>> voiced by Benjamin Franklin
>>> "A patriot must always be ready to defend his country against his
>>> government." - Edward Abbey
>>> "All that is necessary for evil to triumph is for good men to do nothing."
>>> - Edmund Burke, English statesman and political philosopher (1729-1797)
Yea it is really a mess. I spent 3 hours this morning getting all the
keys right on just 8 boxes.
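
The per-file check discussed in this thread (every known_hosts and authorized_keys entry, on every box) can be scripted when a list of fingerprints of known weak keys is available. This is an added example, not part of the original thread: the key blobs, file contents and weak-key list are constructed, and the fingerprint is the colon-separated MD5 form that OpenSSH printed at the time.

```python
import base64, binascii, hashlib, struct
def ssh_string(data):
    """Length-prefixed string as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data

def key_blobs(text):
    """Yield (line_no, key_type, blob) for each key line in the file text."""
    for no, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # authorized_keys options or known_hosts host names may precede the key,
        # so accept the first pair where the decoded blob names the same type.
        for ktype, b64 in zip(tokens, tokens[1:]):
            try:
                blob = base64.b64decode(b64, validate=True)
            except (binascii.Error, ValueError):
                continue
            if blob.startswith(ssh_string(ktype.encode())):
                yield no, ktype, blob
                break

def md5_fingerprint(blob):
    """Colon-separated MD5 of the blob (identification only, not security)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def audit(text, weak_fingerprints):
    """Return (line_no, key_type, fingerprint) for entries on the weak list."""
    found = ((no, kt, md5_fingerprint(b)) for no, kt, b in key_blobs(text))
    return [hit for hit in found if hit[2] in weak_fingerprints]

def fake_blob(seed):
    """Constructed stand-in for an ssh-rsa blob; not a usable key."""
    n = b"\x00" + hashlib.sha256(seed).digest() * 4
    return ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(n)

GOOD, WEAK = fake_blob(b"good"), fake_blob(b"weak")
SAMPLE = "\n".join([  # constructed authorized_keys content
    "# keys collected from several hosts",
    "ssh-rsa %s alice@solaris" % base64.b64encode(GOOD).decode(),
    'command="/usr/bin/backup run",no-pty ssh-rsa %s backup@debian'
    % base64.b64encode(WEAK).decode(),
])
WEAK_FINGERPRINTS = {md5_fingerprint(WEAK)}  # constructed weak-key list

if __name__ == "__main__":
    for hit in audit(SAMPLE, WEAK_FINGERPRINTS):
        print("line %d: %s %s is on the weak-key list" % hit)
```

Entries the script reports are the ones to remove and have regenerated; the same function reads known_hosts lines, since the host field is skipped the same way as authorized_keys options.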