OpenSSL 0.9.8c-1 up to 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys. This vulnerability only affects Debian-based distributions and does not affect any Red Hat distributions.

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0166

How this affects OpenVPN:

Any keys which were generated on the vulnerable distributions (Debian, Ubuntu, Kubuntu) using openvpn --genkey or the easy-rsa scripts should be considered compromised, since the security of each of these operations would depend on the quality of the randomness provided by the underlying OpenSSL library. You would want to revoke these keys, and rebuild them after having applied the fix.

James