[Sussex] SECURITY: SSH Keys Vulnerability On Debian and Debian-derived Distributions.
Steve Dobson
steve.dobson at syscall.org.uk
Wed May 14 15:26:07 UTC 2008
Hi Colin
On Wed, 2008-05-14 at 15:57 +0100, Colin Tuckley wrote:
> Steve Dobson wrote:
>
> > Yesterday it was announced that there is a vulnerability in OpenSSL in
> > Debian and Debian-derived distributions.
>
> > If you're admining a Debian server then doing an {apt-get/aptitude}
> > dist-upgrade will upgrade the openssh packages and install a new one:
> > openssh-blacklist. This gives a new command:
> >
> > ssh-vulnkey -a
>
> Two points:
>
> 1) The vulnerability extends to secure keys that were used on systems which
> had the problem, so even a key generated on a Red Hat system but used on a
> Debian system should be changed.
From the security notices I read this:
This is a Debian-specific vulnerability which does not affect
other operating systems which are not based on Debian. However,
other systems can be indirectly affected if weak keys are
imported into them.
I took that to mean that only keys generated on a Debian system are
vulnerable, not those generated on other OSs. A RedHat system would only
be vulnerable if a Debian-generated key was installed.
Did I get that wrong?
> 2) The debian package openssh-blacklist is only available in *unstable* so far.
Well, it must have just been promoted (edited for email format):
# cat /etc/apt/sources.list
deb http://mirror..../debian etch main
deb http://security.debian.org/ etch/updates main
# dpkg -l | grep openssh
ii openssh-blacklist 0.1.1 list of blacklisted OpenSSH keys
ii openssh-client 4.3p2-9etch1 Secure shell client
ii openssh-server 4.3p2-9etch1 Secure shell server
I think you need to dist-upgrade again. :-)
Steve
--
Steve Dobson
When your work speaks for itself, don't interrupt.
-- Henry J. Kaiser
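The ssh-vulnkey check discussed in this thread is only packaged for Debian, but the same lookup matters on any host where a Debian-generated key has been imported into authorized_keys. The script below is an added example written for this archive page, not code from the original message or from the openssh-blacklist package. It recomputes the MD5 fingerprint of each public key in an authorized_keys file and looks it up in a blacklist. It assumes the blacklist file format used by openssh-blacklist: one entry per line, each entry being the key's hex MD5 fingerprint with its first 12 digits removed, after optional '#' comment lines. The keys and the blacklist are constructed inline so the script runs offline; a real audit would read the distribution's blacklist files and the users' authorized_keys files instead.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode a byte string in SSH wire format (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading zero byte if the high bit is set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    """Build the blob that appears base64-encoded in an 'ssh-rsa' public key line."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Hex MD5 digest of the key blob; the fingerprint ssh-keygen -l showed in 2008, without colons."""
    return hashlib.md5(blob).hexdigest()


def blacklist_entry(blob: bytes) -> str:
    """Blacklist form of a fingerprint (assumed format): the hex digest with its first 12 digits dropped."""
    return md5_fingerprint(blob)[12:]


def load_blacklist(text: str) -> set:
    """Parse blacklist text: blank lines and '#' comments are skipped, every other line is an entry."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.add(line.lower())
    return entries


def audit_authorized_keys(text: str, blacklist: set) -> list:
    """Return (line_number, key_type, comment, status) per key line.

    status is 'weak' if the key's fingerprint is blacklisted, 'ok' if not, and
    'malformed' if the line does not parse or the blob's type disagrees with the
    type field. Leading authorized_keys options (command="...", from="...") are
    not handled; lines are assumed to start with the key type.
    """
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        comment = fields[2] if len(fields) > 2 else ""
        try:
            key_type, b64 = fields[0], fields[1]
            blob = base64.b64decode(b64, validate=True)
            inner_len = struct.unpack(">I", blob[:4])[0]
            inner_type = blob[4:4 + inner_len].decode("ascii")
        except (IndexError, ValueError, struct.error, UnicodeDecodeError):
            results.append((lineno, None, comment, "malformed"))
            continue
        if inner_type != key_type:
            results.append((lineno, key_type, comment, "malformed"))
            continue
        status = "weak" if blacklist_entry(blob) in blacklist else "ok"
        results.append((lineno, key_type, comment, status))
    return results


# Constructed sample keys (not real RSA moduli; only the blob layout matters for the fingerprint).
WEAK_BLOB = build_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
OK_BLOB = build_rsa_blob(65537, 0x0BADF00D9876543210FEDC)

# Constructed blacklist: it lists only the "weak" sample key.
BLACKLIST = "# constructed blacklist for this example\n" + blacklist_entry(WEAK_BLOB) + "\n"

# Constructed authorized_keys file: one Debian-generated key, one generated elsewhere, one broken line.
AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " alice@debian-box",
    "ssh-rsa " + base64.b64encode(OK_BLOB).decode() + " bob@redhat-box",
    "ssh-rsa not*base64 carol@typo",
])


if __name__ == "__main__":
    for lineno, key_type, comment, status in audit_authorized_keys(AUTHORIZED_KEYS, load_blacklist(BLACKLIST)):
        print(f"line {lineno}: {key_type} {comment}: {status}")
```

Run as a script it prints one status line per key; the "weak" verdict is the one that should trigger replacing the key on every host it was copied to, which is the point Colin raises about keys that travelled from a Debian box to other systems.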