Thanks. I have some servers to update. To many for one guy. :(<br><br><div class="gmail_quote">2008/5/13 Michael H. Warfield <<a href="mailto:mhw@wittsend.com">mhw@wittsend.com</a>>:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hey all,<br>
<br>
Very early this morning, Debian announced a very serious<br>
security advisory in OpenSSL impacting Debian Etch (stable) and Lenny<br>
(unstable) and test. The problem is in the OpenSSL prng (pseudo random<br>
number generator) which was only being seeded by the process pid. This<br>
means that this particular Debian specific version of OpenSSL would only<br>
generate 32,768 unique key pairs implying your true key strength was<br>
only 15 bits for RSA, DSA, etc, etc, etc... The package has to be<br>
updated and all keys, ssh, OpenVPN, DNSSEC, as well as X.509<br>
certificates generated under the affected distributions must be<br>
regenerated from scratch. All DSA keys must be considered compromised.<br>
GPG and GNUTLS keys are NOT affected.<br>
<br>
Debian Etch was released in April of 2007, even though the<br>
vulnerable code was uploaded to test in April of 2006 and subsequently<br>
available in unstable prior to the release of Etch. Distributions such<br>
as Ubuntu and Knoppix released after that time and based on Etch are<br>
probably also affected. Embedded systems based on Etch may be impacted.<br>
Keys generated by these systems may also have made their way into other<br>
systems and embedded devices. Run-live CD's and BBC's (Bootable<br>
Business Card) based on Debian Etch may be impacted.<br>
<br>
Official announcement is here:<br>
<br>
<a href="http://lists.debian.org/debian-security-announce/2008/msg00152.html" target="_blank">http://lists.debian.org/debian-security-announce/2008/msg00152.html</a><br>
<br>
Mike<br>
<font color="#888888">--<br>
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com<br>
/\/\|=mhw=|\/\/ | (678) 463-0932 | <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
NIC whois: MHW9 | An optimist believes we live in the best of all<br>
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!<br>
<br>
</font><br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
<br></blockquote></div><br>