[COLUG] Fwd: SERIOUS: Debian/Ubuntu
OpenSSL/SSH/VPN Key Vulnerability
Duane
duane at e164.org
Tue May 13 22:14:22 EDT 2008
Duane wrote:
> Austin Godber wrote:
>>> A serious vulnerability related to OpenSSL, OpenSSH and OpenVPN has
>>> just materialized:
>
> Actually this OpenSSL vulnerability seems worst than I first thought. It
> seems that OpenSSL normally uses uninitialised memory as entropy and on
> the surface given the right set of circumstances the same entropy could
> be reused, or it could end up using a memory location that is all zeros
> which seems like a really really bad idea to me.
After digging deeper it seems it was a mistake only on the part of
Debian package maintainers, the OpenSSL guys didn't bother to clear the
memory space before filling it with random data because they saw no
point in doing it, although there was a compile flag that could have
been used to initialise the buffer to get rid of valgrind warnings, but
those that be decided to do their own thing instead.
--
Best regards,
Duane
http://www.freeauth.org - Enterprise Two Factor Authentication
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Global Communication for the 21st Century
"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."
More information about the colug432
mailing list