[Klug-general] SSL bug

Karl Lattimer karl at qdh.org.uk
Fri May 23 06:33:05 BST 2008 

On Thu, 2008-05-22 at 23:02 +0100, MacGyveR wrote:
> On Thursday 22 May 2008, George Prowse wrote:
> > Andrew Miller (Spode) wrote:
> > > I'm running Ubuntu Server 8.04 and I did an update as soon as I heard
> > > about the fix. It *automatically* regenerated new keys for me. I just
> > > had to remove my server from my known_hosts file in order to login.
> > >
> > > Sure, it's a big issue - but did anyone actually exploit it? To be
> > > patched up before anyone has actually exploited it is pretty good.
> > > Microsoft vuln. are discovered and known for ages before repaired.
> > >
> > > But, I have to admit, (play devils advocate), it would certainly shake
> > > my confidence as an outsider...
> > >
> > > Spode
> >
> > I dont think you understand the scope of it, it isn't just a few users
> > signing in and out, some people will have 5000 keys generated on each
> > server each one signing everything from emails to logging in remotely.
> > On top of that, EVERY KEY that has been generated on a debian based
> > machine in the past 20 months is affected because the flaw is in their
> > random number generator. Now add having to send all the new keys to
> > verisign et al and you have a major cleanup operation.
> >
> > It was annoying enough for me signing in via ssh from an OSX box, then
> > stopping to delete my cert keys and then having to do it again, imagine
> > having to get people to do that half way across the world.
> >
> > Read these:
> > http://www.regdeveloper.co.uk/2008/05/21/massive_debian_openssl_hangover/
> > http://metasploit.com/users/hdm/tools/debian-openssl/
> >
> > _______________________________________________
> > Kent mailing list
> > Kent at mailman.lug.org.uk
> > https://mailman.lug.org.uk/mailman/listinfo/kent
> 
> every key genered by or using openssh or openssl only as these contained the 
> code change which removed the rng
> 
> pgp for example is not vulnerable
> 

Oh well, its a good job I hadn't bothered with my gpg key yet, only my
ssh keys were worth it.

In light of the bug I think there was some panic, so thats probably why
I was told what I was told.

K,

More information about the Kent mailing list