Thread: Debian-based OpenSSL keys -- vulnerable to attack?

Debian-based OpenSSL keys -- vulnerable to attack?
2008-05-21 23:50:31
I received a message from the Association for Computing and Machinery saying
that any SSL key generated on a Debian system since May of 2006 could be
vulnerable to attack.  Seems kind of important -- assuming it is legitimate.

   - http://www.technologyreview.com/Infotech/20801/
   - http://blogs.zdnet.com/security/?p=1102


-- 
Jonathan Lloyd

Re: Debian-based OpenSSL keys -- vulnerable to attack?
2008-05-22 00:05:38
On Wed, May 21, 2008 at 09:50:31PM -0700, Jonathan Lloyd wrote:
> I received a message from the Association for Computing and Machinery saying
> that any SSL key generated on a Debian system since May of 2006 could be
> vulnerable to attack.  Seems kind of important -- assuming it is legitimate.
> 
> 
>    - http://www.technologyreview.com/Infotech/20801/
>    - http://blogs.zdnet.com/security/?p=1102

It's legitimate:
http://article.gmane.org/gmane.linux.debian.security.announce/1614
http://xkcd.com/424/

Debian screwed up badly.

Toby

Re: Debian-based OpenSSL keys -- vulnerable to attack?
2008-05-22 03:07:40
On Wed, May 21, 2008 at 09:50:31PM -0700, Jonathan Lloyd wrote:
>I received a message from the Association for Computing and Machinery saying
>that any SSL key generated on a Debian system since May of 2006 could be
>vulnerable to attack.  Seems kind of important -- assuming it is legitimate.

Well, that's more than a week late, and any admin who hasn't already
taken action really isn't doing his job... but why are you trusting
third parties when you should be subscribed to Bugtraq and/or the Debian
security update list?

R

Re: Debian-based OpenSSL keys -- vulnerable to attack?
2008-05-22 03:14:12
On Wed, May 21, 2008 at 09:50:31PM -0700, Jonathan Lloyd wrote:
> I received a message from the Association for Computing and Machinery saying
> that any SSL key generated on a Debian system since May of 2006 could be
> vulnerable to attack.  Seems kind of important -- assuming it is legitimate.

It is legit, and although it could be bad for Debian, they have been
incredible at turning this around to update and fix the problem, but
also provide measures for you to check the keys on a Debian or Ubuntu
machine.

Unfortunately there isn't anything at the moment to check the same on
other Linux machines. But it's probably safe to say that any keys in
your known_hosts or authorized_keys files that contain keys from Debian
and Ubuntu machines, generated in the last 2 years are suspect. This
particularly applies to anyone having a VCS repository that
authenticates using ssh keys.

At GlosLUG on Tuesday we had a debian maintainer give a presentation
about the situation, explain how it happened and how to fix the problem.

Several of us had fun over the weekend and on Monday [1], as we updated
lots of machines.

[1] http://use.perl.org/~barbie/journal/36465

Cheers,
Barbie.
-- 
Birmingham Perl Mongers <http://birmingham.pm.org>
Memoirs Of A Roadie <http://barbie.missbarbell.co.uk>
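
The check Barbie describes above (keys in authorized_keys or known_hosts that came from Debian or Ubuntu boxes are suspect) comes down to fingerprinting every key in those files and looking each fingerprint up in a list of known-weak ones. The Python below is an added example, not code from this thread or from Debian's own tools; the blacklist format, the toy key blobs and the host and user names in it are constructed for illustration, and the real Debian/Ubuntu blacklist packages have their own layout and their own checker. It locates the key-type token on each line, so authorized_keys option prefixes (quoted commands included) and known_hosts host fields or hashed hosts do not confuse the parser, and it matches on the colon-separated MD5 fingerprint that ssh-keygen -l printed at the time.

```python
"""Flag SSH public keys in authorized_keys / known_hosts whose MD5 fingerprint
is on a blacklist of known-weak keys (added example, not code from the thread).

Assumption: the blacklist format is constructed for this example, one
colon-separated MD5 fingerprint per line with '#' comments; the Debian/Ubuntu
blacklist packages use their own layout, so use their tools for real lists."""
import base64
import hashlib
import shlex
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")


def md5_fingerprint(blob_b64: str) -> str:
    """MD5 fingerprint of a base64 key blob, in the colon form of `ssh-keygen -l`."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.md5(raw).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def parse_key_line(line: str):
    """Return (keytype, blob_b64, comment) for one authorized_keys or known_hosts
    line, or None for blanks, comments and lines without a parsable key.
    Leading authorized_keys options (quoted commands included) and known_hosts
    host fields or hashed hosts are skipped by locating the key-type token."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        tokens = shlex.split(line)  # keeps quoted option values together
    except ValueError:
        return None
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_TYPES):
            blob = tokens[i + 1]
            try:
                base64.b64decode(blob, validate=True)
            except ValueError:  # binascii.Error is a ValueError
                return None
            return tok, blob, " ".join(tokens[i + 2:])
    return None


def load_blacklist(text: str) -> set:
    """Parse the constructed blacklist format into a set of lowercase fingerprints."""
    fps = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#"):
            fps.add(line)
    return fps


def scan(lines, blacklist: set) -> list:
    """Return (line_no, keytype, fingerprint, comment) for each blacklisted key."""
    hits = []
    for n, line in enumerate(lines, 1):
        parsed = parse_key_line(line)
        if parsed is None:
            continue
        keytype, blob, comment = parsed
        fp = md5_fingerprint(blob)
        if fp in blacklist:
            hits.append((n, keytype, fp, comment))
    return hits


def toy_rsa_blob(e: int, n: int) -> str:
    """Build an ssh-rsa wire blob from toy numbers (constructed, NOT a real key)."""
    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b

    def mpint(x: int) -> bytes:  # big-endian, extra zero byte if high bit set
        return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))

    raw = ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)
    return base64.b64encode(raw).decode("ascii")


# Constructed sample data: toy blobs and hypothetical hosts/users.
WEAK_BLOB = toy_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
GOOD_BLOB = toy_rsa_blob(65537, 0xDEADBEEFCAFEF00D12345)
SAMPLE_AUTHORIZED_KEYS = [
    "# deploy keys",
    f'command="/usr/bin/svnserve -t",no-pty ssh-rsa {WEAK_BLOB} deploy@debian-box',
    f"ssh-rsa {GOOD_BLOB} alice@laptop",
]
SAMPLE_KNOWN_HOSTS = [
    f"git.example.org,192.0.2.10 ssh-rsa {GOOD_BLOB}",
    f"|1|AAAAAAAAAAAAAAAAAAAAAAAAAAA=|BBBBBBBBBBBBBBBBBBBBBBBBBBB= ssh-rsa {WEAK_BLOB}",
]
SAMPLE_BLACKLIST = "# constructed blacklist\n" + md5_fingerprint(WEAK_BLOB) + "\n"

if __name__ == "__main__":
    bl = load_blacklist(SAMPLE_BLACKLIST)
    for name, lines in (("authorized_keys", SAMPLE_AUTHORIZED_KEYS),
                        ("known_hosts", SAMPLE_KNOWN_HOSTS)):
        for n, kt, fp, comment in scan(lines, bl):
            print(f"{name}:{n}: blacklisted {kt} key {fp} {comment}".rstrip())
```

Run as a script it reports the weak key once from each sample file. Against real files you would feed it the distribution's blacklist through that package's own reader rather than the constructed format here, and treat a hit in authorized_keys as a key to remove and regenerate, not merely to warn about, since the matching private key is one of a small, public set.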



Re: Debian-based OpenSSL keys -- vulnerable to attack?
2008-05-22 11:06:52
I am by no means a system administrator, and we don't use Debian.   I just
wanted to spread the word amongst the good Perl people.  Sorry for the
convenience.

On Thu, May 22, 2008 at 1:14 AM, Barbie <barbiemissbarbell.co.uk> wrote:

> On Wed, May 21, 2008 at 09:50:31PM -0700, Jonathan Lloyd wrote:
> > I received a message from the Association for Computing and Machinery saying
> > that any SSL key generated on a Debian system since May of 2006 could be
> > vulnerable to attack.  Seems kind of important -- assuming it is legitimate.
>
> It is legit, and although it could be bad for Debian, they have been
> incredible at turning this around to update and fix the problem, but
> also provide measures for you to check the keys on a Debian or Ubuntu
> machine.
>
> Unfortunately there isn't anything at the moment to check the same on
> other Linux machines. But it's probably safe to say that any keys in
> your known_hosts or authorized_keys files that contain keys from Debian
> and Ubuntu machines, generated in the last 2 years are suspect. This
> particularly applies to anyone having a VCS repository that
> authenticates using ssh keys.
>
> At GlosLUG on Tuesday we had a debian maintainer give a presentation
> about the situation, explain how it happened and how to fix the problem.
>
> Several of us had fun over the weekend and on Monday [1], as we updated
> lots of machines.
>
> [1] http://use.perl.org/~barbie/journal/36465
>
> Cheers,
> Barbie.
> --
> Birmingham Perl Mongers <http://birmingham.pm.org>
> Memoirs Of A Roadie <http://barbie.missbarbell.co.uk>
>


-- 
Jonathan Lloyd
(714) 328-3249
