Debian openssl vulnerability

Posted by Bernd Ahlers on Wednesday, May 14, 2008

Yesterday the Debian Security Team announced a serious security issue in Debian's openssl package. You probably know it already because it has been all over the news sites. We just want to remind people how *important* this is and how it can affect your systems. The Debian announcement[1] reads:

bq. It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.

bq. The first vulnerable version, 0.9.8c-1, was uploaded to the unstable distribution on 2006-09-17, and has since propagated to the testing and current stable (etch) distributions.

bq. Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections.

This means that *all* SSH, OpenVPN, DNSSEC, SSL/TLS session and X.509 key material generated on a Debian machine after Sep 17 2006 is probably vulnerable. This is quite bad and will create a lot of work for Debian sysadmins. So if you're using Debian on any of your systems we recommend reading the actual "security announcement":sa-openssl and its follow-ups.

fn1. http://lists.debian.org/debian-security-announce/2008/msg00152.html

[sa-openssl]http://lists.debian.org/debian-security-announce/2008/msg00152.html
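As an added example (not part of the original post or of Debian's advisory), a small POSIX shell script that inventories the key types named above and flags files modified after the 2006-09-17 cutoff. The file locations and the use of mtime as the indicator are assumptions: a key copied in from another host carries no record of where it was generated, so the output is a starting point for the audit, not a verdict.

```shell
#!/bin/sh
# Added example: list key material on a Debian host that may fall into the
# affected window. Assumption: a candidate file whose mtime is after the
# cutoff is worth regenerating; files older than the cutoff or generated
# elsewhere are NOT proven safe by this check.

CUTOFF=200609170000   # 2006-09-17 00:00 in the [[CC]YY]MMDDhhmm form touch -t expects

# Candidate locations, relative to the root being scanned, for the key
# types the announcement names: SSH, OpenVPN, DNSSEC and X.509/TLS.
# (Assumed typical Debian paths; adjust for local layout.)
KEY_GLOBS='etc/ssh/ssh_host_*_key
etc/ssh/ssh_host_*_key.pub
etc/openvpn/*.key
etc/openvpn/*.crt
etc/ssl/private/*
etc/ssl/certs/*.pem
etc/bind/K*.private
etc/bind/K*.key
root/.ssh/id_*
home/*/.ssh/id_*
home/*/.ssh/authorized_keys'

# list_suspect_keys ROOT: print, one per line, every candidate file under
# ROOT that was modified after the cutoff date.
list_suspect_keys() {
    root=${1:-/}
    ref=$(mktemp) || return 1
    touch -t "$CUTOFF" "$ref"          # reference file carrying the cutoff mtime
    for g in $KEY_GLOBS; do            # split on newlines, then glob each pattern
        for f in "$root"/$g; do
            [ -f "$f" ] || continue    # unmatched pattern stays literal; skip it
            if [ "$f" -nt "$ref" ]; then
                printf '%s\n' "$f"
            fi
        done
    done
    rm -f "$ref"
}

# Scan the root given on the command line, e.g. `sh audit-keys.sh /`.
if [ $# -gt 0 ]; then
    list_suspect_keys "$1"
fi
```

Every path it prints is a candidate for regeneration; pair it with the fingerprint checks from the advisory follow-ups before deciding a key is clean.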