[ale] Debian Security Advisory... More impacted apps.

Michael H. Warfield mhw at WittsEnd.com
Fri May 16 11:22:27 EDT 2008


Update:

	After reviewing the Debian Key Rollover,
http://www.debian.org/security/key-rollover/, and examining some of the
other packages in Debian Etch, it appears that several more applications
use OpenSSL generated X.509 certs and are similarly impacted.  The Key
Rollover page mentions OpenSWAN and StrongSWAN IPSec.  They did not
list, but should have, Racoon and ISAKMPD, both of which can also use
X.509 certs for IPSec.

	Mike

On Tue, 2008-05-13 at 10:07 -0400, Michael H. Warfield wrote:
> Hey all,
> 
>         Very early this morning, Debian announced a very serious
> security advisory in OpenSSL impacting Debian Etch (stable) and Lenny
> (unstable) and test.  The problem is in the OpenSSL PRNG (pseudo random
> number generator) which was only being seeded by the process pid.  This
> means that this particular Debian-specific version of OpenSSL would only
> generate 32,768 unique key pairs, implying your true key strength was
> only 15 bits for RSA, DSA, etc, etc, etc...  The package has to be
> updated and all keys, ssh, OpenVPN, DNSSEC, as well as X.509
> certificates generated under the affected distributions must be
> regenerated from scratch.  All DSA keys must be considered compromised.
> GPG and GNUTLS keys are NOT affected.
> 
>         Debian Etch was released in April of 2007, even though the
> vulnerable code was uploaded to test in April of 2006 and subsequently
> available in unstable prior to the release of Etch.  Distributions such
> as Ubuntu and Knoppix released after that time and based on Etch are
> probably also affected.  Embedded systems based on Etch may be impacted.
> Keys generated by these systems may also have made their way into other
> systems and embedded devices.  Run-live CDs and BBCs (Bootable
> Business Card) based on Debian Etch may be impacted.
> 
>         Official announcement is here:
> 
> http://lists.debian.org/debian-security-announce/2008/msg00152.html
> 
>         Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
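
The audit that follows from the quoted advisory, as an added example that is not part of the original message: when the pid is the only seed, every key the generator can emit can be listed in advance and deployed keys checked against that list. The generator, fingerprint format, pid range 0..32767 and inventory names are constructed stand-ins, not OpenSSL's code or any Debian tool.

```python
import hashlib
import math
import os

PID_SPACE = 32768  # number of possible seeds, per the message (assumed pid range 0..32767)


def toy_keygen(pid: int) -> bytes:
    """Constructed stand-in for a key generator whose only entropy is the pid."""
    return hashlib.sha256(b"toy-keygen|" + pid.to_bytes(2, "big")).digest()


def fingerprint(key: bytes) -> str:
    """Short fingerprint used to compare keys without storing them."""
    return hashlib.sha256(key).hexdigest()[:20]


def build_blocklist() -> set:
    """Fingerprint every key the pid-seeded generator can ever emit."""
    return {fingerprint(toy_keygen(pid)) for pid in range(PID_SPACE)}


def effective_bits(blocklist: set) -> float:
    """Key strength implied by the number of distinct keys, in bits."""
    return math.log2(len(blocklist))


def audit(deployed: dict, blocklist: set) -> list:
    """Return the names of deployed keys that must be regenerated."""
    return sorted(n for n, k in deployed.items() if fingerprint(k) in blocklist)


def sample_inventory() -> dict:
    """Constructed inventory: two pid-seeded keys, one from the OS CSPRNG."""
    return {
        "vpn-gw (generated on affected host)": toy_keygen(4711),
        "ssh-host (generated on affected host)": toy_keygen(212),
        "web-cert (generated elsewhere)": os.urandom(32),
    }


if __name__ == "__main__":
    bl = build_blocklist()
    print(f"{len(bl)} possible keys = {effective_bits(bl):.0f} bits")
    for name in audit(sample_inventory(), bl):
        print("regenerate:", name)
```

The same inventory check applies to any key type generated on an affected system, including the X.509 certificates used by the IPSec daemons named in the update.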
