OpenSSL vuln: Debian/Ubuntu - Security


  1. OpenSSL vuln: Debian/Ubuntu


    The basic idea of it is Debian butchered their OpenSSL suite and it's been
    turning out weak/breakable keys since OpenSSL versions starting with
    0.9.8c-1. The SANS article focuses on OpenSSH, but it's really deeper.
    The Debian page talks about OpenSSL.

    http://isc.sans.org/diary.html?storyid=4414

    "Furthermore, all DSA keys ever used on affected Debian systems for
    signing or authentication purposes should be considered compromised; the
    Digital Signature Algorithm relies on a secret random value used during
    signature generation."


    http://www.debian.org/security/2008/dsa-1571

    "It is strongly recommended that all cryptographic key material which has
    been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
    systems is recreated from scratch. Furthermore, all DSA keys ever used on
    affected Debian systems for signing or authentication purposes should be
    considered compromised;"



    --
    [** America, the police state **]
    Whoooose! What's that noise? Why, it's US citizen's
    rights, going down the toilet with Bush flushing.
    http://www.theregister.co.uk/2008/01..._nsa_internal/
    http://www.wired.com/politics/securi...007/08/wiretap
    http://www.hermes-press.com/police_state.htm
    http://www.privacyinternational.org/...D=x-347-559597


  2. Re: OpenSSL vuln: Debian/Ubuntu

    On 2008-05-15, jayjwa wrote:

    > The basic idea of it is Debian butchered their OpenSSL suite and it's been
    > turning out weak/breakable keys since OpenSSL versions starting with
    > 0.9.8c-1. The SANS article focuses on OpenSSH, but it's really deeper.


    Anything that uses OpenSSL generated keys or links to the defective
    Debian openssl libraries needs to be replaced. This could be your ssh
    keys, keys made for TLS mail transfer, self-generated certificates for
    your web site, etc.

    --

    John (john@os2.dhs.org)
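A defender's check for the SSH case raised in the posts above, as an added example that is not part of the thread: it fingerprints each key in an `authorized_keys` file, compares it with a list of known-weak fingerprints, and flags DSA keys for review in line with the advisory's wording. The sample keys and the `WEAK` set are constructed placeholders; a real audit would load a published weak-key list instead.

```python
import base64
import hashlib
import shlex

KEY_TYPES = {"ssh-rsa", "ssh-dss"}

def fingerprint(blob):
    # MD5 of the raw key blob, colon-separated, as ssh-keygen -l printed it in 2008
    digest = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def audit(text, weak):
    """Return (line number, key type, fingerprint, verdict) for each key line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # keeps a quoted option string as one token
            idx = next(i for i, t in enumerate(tokens) if t in KEY_TYPES)
            blob = base64.b64decode(tokens[idx + 1], validate=True)
        except (ValueError, StopIteration, IndexError):
            findings.append((lineno, "?", "", "malformed"))
            continue
        ktype, fp = tokens[idx], fingerprint(blob)
        n = int.from_bytes(blob[:4], "big")  # blob starts with 4-byte length + type name
        if blob[4:4 + n] != ktype.encode():
            verdict = "malformed"     # declared type disagrees with the blob
        elif fp in weak:
            verdict = "blocklisted"   # known weak key: regenerate and replace
        elif ktype == "ssh-dss":
            verdict = "dsa-review"    # compromised if ever used on an affected system
        else:
            verdict = "unlisted"
        findings.append((lineno, ktype, fp, verdict))
    return findings

def _blob(ktype, fill):  # constructed dummy blob, not a real key
    t = ktype.encode()
    return base64.b64encode(len(t).to_bytes(4, "big") + t + fill).decode()

SAMPLE = "\n".join([  # constructed authorized_keys content
    "ssh-rsa " + _blob("ssh-rsa", b"A" * 64) + " alice@old-debian",
    'from="10.0.0.*",no-pty ssh-dss ' + _blob("ssh-dss", b"B" * 64) + " backup@host",
    "ssh-rsa " + _blob("ssh-rsa", b"C" * 64) + " bob@laptop",
    "ssh-rsa not*base64 eve@host",
])
WEAK = {audit(SAMPLE, set())[0][2]}  # constructed stand-in for a published weak-key list
```

An "unlisted" verdict only means the key is not on the list supplied; keys generated on an affected system still need to be recreated, as the advisory says.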

  3. Re: OpenSSL vuln: Debian/Ubuntu

    Okay, I've gotta say, I really love Debian's effect on the Linux
    community as a whole, but for the love of god how did they let
    something based on this:

    Quote from the coder:

    http://marc.info/?l=openssl-dev&m=114651085826293&w=2

    What I currently see as best option is to actually comment out
    those 2 lines of code. But I have no idea what effect this
    really has on the RNG. The only effect I see is that the pool
    might receive less entropy. But on the other hand, I'm not even
    sure how much entropy some uninitialised data has.

    -=-=-=-
    ....into the frigging distribution? Talk about a stupid mistake!

  4. Re: OpenSSL vuln: Debian/Ubuntu

    I demand that Damo Gets may or may not have written...

    > Okay, I've gotta say, I really love Debian's effect on the Linux community
    > as a whole, but for the love of god how did they let something based on
    > this:


    > Quote from the coder:


    > http://marc.info/?l=openssl-dev&m=114651085826293&w=2


    > What I currently see as best option is to actually comment out those 2
    > lines of code. But I have no idea what effect this really has on the RNG.
    > The only effect I see is that the pool might receive less entropy. But on
    > the other hand, I'm not even sure how much entropy some uninitialised data
    > has.


    > ...into the frigging distribution? Talk about a stupid mistake!


    Some people think that the key to what happened here is the use and
    understanding of the word "debugging".

    Debian packages, at least the C or C++ parts, are normally built with "-O2
    -g", though with many packages, the debug info is then thrown away. The
    intent being that you can use the same package for normal use *and*
    debugging. It's reasonable to assume, therefore, that this is what Kurt
    Roeckx meant (despite the lack of any libssl*-dbg package).

    OpenSSL upstream, however, may well have understood it as a throwaway build
    for debugging purposes, with (and here's the really important bit) the
    changes made for debuggability also being thrown away afterwards. It isn't
    clear from Ulf Möller's follow-up message which is meant: "if it helps with
    debugging, I'm in favor (sic) of removing them".

    And I'm in favour of leaving in changes which are useful for debugging,
    though not necessarily of leaving them active by default. :-)

    --
    | Darren Salt | linux or ds at | nr. Ashington, | Toon
    | RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
    | + At least 4000 million too many people. POPULATION LEVEL IS UNSUSTAINABLE.

    You have literary talent that you should take pains to develop.
