[Klug-general] SSL bug

Andrew Miller (Spode) spode at thinkbikes.com
Thu May 22 12:22:07 BST 2008


I guess the magnitude of this fault escaped me :)

On Thu, May 22, 2008 at 12:02 PM, George Prowse <cokehabit at gmail.com> wrote:

> Andrew Miller (Spode) wrote:
>
>> I'm running Ubuntu Server 8.04 and I did an update as soon as I heard
>> about the fix. It *automatically* regenerated new keys for me. I just had to
>> remove my server from my known_hosts file in order to login.
>>
>> Sure, it's a big issue - but did anyone actually exploit it? To be patched
>> up before anyone has actually exploited it is pretty good. Microsoft vuln.
>> are discovered and known for ages before repaired.
>>
>> But, I have to admit (to play devil's advocate), it would certainly shake my
>> confidence as an outsider...
>>
>> Spode
>>
>
> I don't think you understand the scope of it; it isn't just a few users
> signing in and out. Some people will have 5000 keys generated on each server,
> each one signing everything from emails to logging in remotely. On top of
> that, EVERY KEY that has been generated on a Debian-based machine in the
> past 20 months is affected because the flaw is in their random number
> generator. Now add having to send all the new keys to VeriSign et al. and you
> have a major cleanup operation.
>
> It was annoying enough for me signing in via ssh from an OSX box, then
> stopping to delete my cert keys and then having to do it again; imagine
> having to get people to do that halfway across the world.
>
> Read these:
> http://www.regdeveloper.co.uk/2008/05/21/massive_debian_openssl_hangover/
> http://metasploit.com/users/hdm/tools/debian-openssl/