[COLUG] Fwd: SERIOUS: Debian/Ubuntu OpenSSL/SSH/VPN Key Vulnerability
Austin Godber
godber at uberhip.com
Tue May 13 13:54:19 EDT 2008
>
> A serious vulnerability related to OpenSSL, OpenSSH and OpenVPN has
> just materialized:
>
> http://www.ubuntu.com/usn/usn-612-1
> http://www.ubuntu.com/usn/usn-612-2
>
> This is particularly nasty because it affects the keys rather than
> the server or client software itself. So the keys are vulnerable
> and after updating they need to be regenerated. This affects Ubuntu
> 7.04, 7.10 and 8.04 as well as Debian 4.0. Even if you created an
> SSH key on one of these affected systems and copied it to a RedHat
> or CentOS machine then those machines could be vulnerable as well.
>
> I believe this also applies to SSL certificates generated on those
> systems.
>
> "All OpenSSH and X.509 keys generated on such systems must be
> considered untrustworthy, regardless of the system on which they are
> used, even after the update has been applied."
>
>
> Austin
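Added example (not part of Austin's message or of the Ubuntu advisory): a toy model of why the keys themselves, not the software, are the problem. The affected Debian OpenSSL build left the process ID as the only seed of its PRNG, so every key generated on such a system comes from a space of at most 32767 seeds per key type and size, and the fix in the advisory (update, then regenerate) follows from that. The key generation below is a deliberately simplified stand-in for OpenSSL's real routine: a "private key" is 256 bits drawn from a PRNG, and the "public key" is a one-way hash of it. The blacklist check mirrors what the `openssl-blacklist` and `ssh-vulnkey` tools shipped with the fix do, namely compare a key's fingerprint against a precomputed list of every key a vulnerable system could have produced. `MAX_PID`, the key sizes and the hashing scheme are assumptions of this model.

```python
"""Toy model of the Debian OpenSSL weak-PRNG key problem (CVE-2008-0166).

Assumptions of this model (not OpenSSL's real implementation):
  - a private key is 256 bits taken from a PRNG;
  - the public key is a one-way hash of the private key;
  - the vulnerable generator seeds the PRNG with nothing but the PID.
"""
import hashlib
import random
import secrets
from typing import FrozenSet, Optional

MAX_PID = 32767  # assumed pid_max on the affected systems


def weak_keygen(pid: int) -> bytes:
    """Vulnerable generator: the process ID is the only entropy.

    Whatever machine the key is later copied to, it is still one of
    MAX_PID possible keys, which is why updating OpenSSL does not help
    until the key is regenerated.
    """
    rng = random.Random(pid)
    return rng.getrandbits(256).to_bytes(32, "big")


def strong_keygen() -> bytes:
    """Fixed generator: draw key material from the OS CSPRNG."""
    return secrets.token_bytes(32)


def public_key(private: bytes) -> bytes:
    """One-way derivation standing in for the real public-key math."""
    return hashlib.sha256(b"pub:" + private).digest()


def fingerprint(public: bytes) -> str:
    """Short hex fingerprint of a public key, as a blacklist would store."""
    return hashlib.sha256(public).hexdigest()[:32]


def build_blacklist() -> FrozenSet[str]:
    """Enumerate the fingerprint of every key a vulnerable system could make.

    This is the precomputation behind openssl-blacklist / ssh-vulnkey:
    the key space is small enough to list exhaustively.
    """
    return frozenset(
        fingerprint(public_key(weak_keygen(pid)))
        for pid in range(1, MAX_PID + 1)
    )


def is_blacklisted(public: bytes, blacklist: FrozenSet[str]) -> bool:
    """True if this public key could only have come from a weak generator."""
    return fingerprint(public) in blacklist


def recover_private(public: bytes) -> Optional[bytes]:
    """Attacker's view: given only the public key, brute-force the seed.

    Returns the private key for a weakly generated key, None otherwise.
    """
    for pid in range(1, MAX_PID + 1):
        candidate = weak_keygen(pid)
        if public_key(candidate) == public:
            return candidate
    return None


if __name__ == "__main__":
    blacklist = build_blacklist()
    weak_pub = public_key(weak_keygen(4242))     # constructed sample key
    print("weak key blacklisted:", is_blacklisted(weak_pub, blacklist))
    print("weak key recovered:  ", recover_private(weak_pub) is not None)
    good_pub = public_key(strong_keygen())
    print("fresh key blacklisted:", is_blacklisted(good_pub, blacklist))
```

The attacker side (`recover_private`) needs nothing but the public key, which is exactly what an SSH server, an `authorized_keys` file or an X.509 certificate hands out, so the quoted advice holds: a key made on an affected system is compromised wherever it is installed, and only a key made by the fixed generator (`strong_keygen` here) is out of reach of the enumeration.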