[Klug-general] SSL bug

MacGyveR macgyver at thedumbterminal.co.uk
Thu May 22 23:07:30 BST 2008


On Thursday 22 May 2008, George Prowse wrote:
> Andrew Miller (Spode) wrote:
> > I'm running Ubuntu Server 8.04 and I did an update as soon as I heard
> > about the fix. It *automatically* regenerated new keys for me. I just
> > had to remove my server from my known_hosts file in order to login.
> >
> > Sure, it's a big issue - but did anyone actually exploit it? To be
> > patched up before anyone has actually exploited it is pretty good.
> > Microsoft vuln. are discovered and known for ages before repaired.
> >
> > But, I have to admit, (play devils advocate), it would certainly shake
> > my confidence as an outsider...
> >
> > Spode
>
> I dont think you understand the scope of it, it isn't just a few users
> signing in and out, some people will have 5000 keys generated on each
> server each one signing everything from emails to logging in remotely.
> On top of that, EVERY KEY that has been generated on a debian based
> machine in the past 20 months is affected because the flaw is in their
> random number generator. Now add having to send all the new keys to
> verisign et al and you have a major cleanup operation.
>
> It was annoying enough for me signing in via ssh from an OSX box, then
> stopping to delete my cert keys and then having to do it again, imagine
> having to get people to do that half way across the world.
>
> Read these:
> http://www.regdeveloper.co.uk/2008/05/21/massive_debian_openssl_hangover/
> http://metasploit.com/users/hdm/tools/debian-openssl/
>
> _______________________________________________
> Kent mailing list
> Kent at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/kent

every key genered by or using openssh or openssl only as these contained the 
code change which removed the rng

pgp for example is not vulnerable


-- 
--------------------------------
http://www.thedumbterminal.co.uk



More information about the Kent mailing list