* Andrew McGlashan [EMAIL PROTECTED] wrote:
Hi,
Florian Weimer wrote:
Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key
material for use in X.509 certificates and session keys used in
SSL/TLS connections. Keys generated with GnuPG or GNUTLS are
not affected, though.
So
The Ubuntu openssl maintainers released a openssl-blacklist equivalent
to the openssh-blacklist package. It includes a blacklist with
compromised openssl key hashes and a program with a openssl-vulnkey
program suitable to test your openssl key files.
I think it would be a good think to
Hi Alberto,
Alberto Gonzalez Iniesta schrieb:
On Mon, May 19, 2008 at 01:13:46PM +0200, Christoph Martin wrote:
The Ubuntu openssl maintainers released a openssl-blacklist equivalent
to the openssh-blacklist package. It includes a blacklist with
compromised openssl key hashes and a program
On Tue, May 20, 2008 at 04:48:43PM +0200, Christoph Martin wrote:
Hi Alberto,
Alberto Gonzalez Iniesta schrieb:
On Mon, May 19, 2008 at 01:13:46PM +0200, Christoph Martin wrote:
The Ubuntu openssl maintainers released a openssl-blacklist equivalent
to the openssh-blacklist package. It
Hi Alberto,
Alberto Gonzalez Iniesta schrieb:
The package is being build by its original author (Jamie) and everything
got started when the OpenVPN maintainer (me) decided to add secret/key
file validation like the one on the Ubuntu package. Since those
validations required
Hi Christoph,
On Tue, May 20, 2008 at 05:56:56PM +0200, Christoph Martin wrote:
Alberto Gonzalez Iniesta schrieb:
The package is being build by its original author (Jamie) and everything
got started when the OpenVPN maintainer (me) decided to add secret/key
file validation like the one on
Hi, you wrote:
(...)
A detector for known weak key material will be published at:
http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
http://security.debian.org/project/extra/dowkd/dowkd.pl.gz.asc
(OpenPGP signature)
(...)
Thank you for providing a perl script to check for
On May 17, 2008, at 1:34 PM, Matteo Vescovi wrote:
are there updates for this issue for old stable - sarge?
It was said sarge is not affected,
Bear in mind that you still want blacklist support for the various
tools, not just for the known_hosts and authorized_keys; but also for
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 05/17/2008 12:55 PM, Dimitar Dobrev wrote:
Hi group,
are there updates for this issue for old stable - sarge?
It was said sarge is not affected, iirc.
Greetings,
mfv
- --
Matteo F. Vescovi
System Administrator
Studio Vescovi
* Dimitar Dobrev [EMAIL PROTECTED] wrote:
Hi group,
are there updates for this issue for old stable - sarge?
You should read what you quote:
The first vulnerable version, 0.9.8c-1, was uploaded to the unstable
distribution on 2006-09-17, and has since propagated to the testing
and
Hi,
On Sat, May 17, 2008 at 12:55 PM, Dimitar Dobrev [EMAIL PROTECTED] wrote:
Hi group,
are there updates for this issue for old stable - sarge?
The first vulnerable version, 0.9.8c-1, was uploaded to the unstable
distribution on 2006-09-17, and has since propagated to the testing and
Hi Dimitar,
* Dimitar Dobrev [EMAIL PROTECTED] [2008-05-17 13:48]:
are there updates for this issue for old stable - sarge?
sarge is not affected and besides that the security support
for sarge ended quite some time ago.
cheers
nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] -
* Henrique de Moraes Holschuh:
It's not so much a time issue, is a question of storage (or getting that
data to the OpenSSH server). A networked service would be feasible, but
it would also allow some sort of traffic analysis.
I did mean putting a lot of brain grease on it. Math might
OoO En ce début d'après-midi nuageux du samedi 17 mai 2008, vers 14:15,
Nico Golde [EMAIL PROTECTED] disait:
are there updates for this issue for old stable - sarge?
sarge is not affected
I suppose that people may still be interested in blacklist support.
and besides that the security
Hi Vincent,
* Vincent Bernat [EMAIL PROTECTED] [2008-05-17 21:12]:
OoO En ce début d'après-midi nuageux du samedi 17 mai 2008, vers 14:15,
Nico Golde [EMAIL PROTECTED] disait:
are there updates for this issue for old stable - sarge?
sarge is not affected
I suppose that people may
On mar, 2008-05-13 at 23:39 -0300, Henrique de Moraes Holschuh wrote:
It is probably worth a lot of effort to fully map the entire set of
keys
the broken openssl could generate, and find a very fast way to check
if
a key belong to that set. And add that to openssl upstream (to
On Dienstag, 13. Mai 2008, Vincent Bernat wrote:
- As a maintainer of a package that have generated certificates using
OpenSSL, how should we handle the issue?
I'm in the same situation (maintaining openswan and strongswan, and both
packages may automatically create X.509 certificates in
Am Mittwoch, den 14.05.2008, 09:35 +0200 schrieb Rene Mayrhofer:
rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
/etc/init.d/ssh restart
FWIW, the dpkg-reconfigure openssh-server does the restart implicitly,
you don't need to explicitly do a restart afterwards, again.
Who is
On Wed, 14 May 2008 07:59:58 +0200, Yves-Alexis Perez wrote:
On mar, 2008-05-13 at 23:39 -0300, Henrique de Moraes Holschuh wrote:
It is probably worth a lot of effort to fully map the entire set of
keys
the broken openssl could generate, and find a very fast way to check if
a key belong
* Sam Morris:
I agree it would be neat if someone with a powerful machine could
generate all possible keys. I don't know how long that would take
however...
It's not so much a time issue, is a question of storage (or getting that
data to the OpenSSH server). A networked service would be
On Wed, 14 May 2008, Sam Morris wrote:
Not quite... Once the update is applied, weak user keys will be
automatically rejected where possible (though they cannot be detected in
all cases).
I agree it would be neat if someone with a powerful machine could
generate all possible keys. I
On Wed, 14 May 2008, Florian Weimer wrote:
I agree it would be neat if someone with a powerful machine could
generate all possible keys. I don't know how long that would take
however...
It's not so much a time issue, is a question of storage (or getting that
data to the OpenSSH
On Tue, May 13, 2008 at 02:06:39PM +0200, Florian Weimer wrote:
A detector for known weak key material will be published at:
http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
http://security.debian.org/project/extra/dowkd/dowkd.pl.gz.asc
(OpenPGP signature)
On stable I get
On Tue, May 13, 2008 at 02:06:39PM +0200, Florian Weimer wrote:
It is strongly recommended that all cryptographic key material which has
been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
systems is recreated from scratch.
Does openssh store the generation date in the SSH
On 13/05/2008, Stephane Bortzmeyer wrote:
By the way, the page
http://www.debian.org/security/cve-compatibility has a link
http://security-tracker.debian.org/, labeled The Debian Security
Tracker has the canonical list of CVE names, corresponding Debian
packages, and this link is broken:
* Dominic Hargreaves:
On Tue, May 13, 2008 at 02:06:39PM +0200, Florian Weimer wrote:
http://security.debian.org/project/extra/dowkd/dowkd.pl.gz.asc
(OpenPGP signature)
This URL 404s (but the tool URL doesn't... possibly encouraging bad
practice in running unverified code)
Yeah,
* Marcin Owsiany:
On Tue, May 13, 2008 at 02:06:39PM +0200, Florian Weimer wrote:
It is strongly recommended that all cryptographic key material which has
been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
systems is recreated from scratch.
Does openssh store the generation
very bad news
On Tue, 13 May 2008 14:06:39 +0200, Florian Weimer [EMAIL PROTECTED]
wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
-
Debian Security Advisory DSA-1571-1 [EMAIL PROTECTED]
On Tuesday 13 of May 2008, Dominic Hargreaves wrote:
On Tue, May 13, 2008 at 02:06:39PM +0200, Florian Weimer wrote:
http://security.debian.org/project/extra/dowkd/dowkd.pl.gz.asc
(OpenPGP signature)
This URL 404s (but the tool URL doesn't... possibly encouraging bad
practice in
Am Dienstag, den 13.05.2008, 16:02 +0200 schrieb Daniel Leidert:
Am Dienstag, den 13.05.2008, 15:27 +0200 schrieb Philipp Kern:
On Tue, May 13, 2008 at 02:06:39PM +0200, Florian Weimer wrote:
A detector for known weak key material will be published at:
On Tue, May 13, 2008 at 03:44:24PM +0200,
Cyril Brulebois [EMAIL PROTECTED] wrote
a message of 31 lines which said:
By the way, the page
http://www.debian.org/security/cve-compatibility has a link
http://security-tracker.debian.org/, labeled The Debian Security
Tracker has the
On Tue, May 13, 2008 at 04:17:03PM +0200, Florian Weimer wrote:
The $db-close call is wrong, you can just remove it, or download the
new version (where this should be fixed).
Works now, thanks.
Kind regards,
Philipp Kern
--
.''`. Philipp Kern Debian Developer
:
* Florian Weimer [EMAIL PROTECTED] [2008-05-13 14:06 +0200]:
Luciano Bello discovered that the random number generator in Debian's
openssl package is predictable. This is caused by an incorrect
Debian-specific change to the openssl package (CVE-2008-0166). As a
result, cryptographic key
* Nicolas Rachinsky:
The diffs
http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141view=diffr1=141r2=140p1=openssl/trunk/rand/md_rand.cp2=/openssl/trunk/rand/md_rand.c
and
Am Dienstag, den 13.05.2008, 15:27 +0200 schrieb Philipp Kern:
On Tue, May 13, 2008 at 02:06:39PM +0200, Florian Weimer wrote:
A detector for known weak key material will be published at:
http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
Am Dienstag, den 13.05.2008, 15:51 +0200 schrieb Stephane Bortzmeyer:
On Tue, May 13, 2008 at 03:44:24PM +0200,
packages, and this link is broken: there is no
security-tracker.debian.org.
Just in case you don't know about it yet, try .net.
Nice and useful but the Web page should be
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Florian Weimer said:
The first vulnerable version, 0.9.8c-1, was uploaded to the unstable
distribution on 2006-09-17, and has since propagated to the testing and
current stable (etch) distributions. The old stable distribution
(sarge) is not
Hello,
Am Dienstag, 13. Mai 2008 schrieb [EMAIL PROTECTED]:
[] openssl - predictable random number generator
very bad news
indeed - since I have to chip certificates for multiple OpenVPN networks :(
(This time, I'll do it on OpenBSD ;)
However, I'm curious: I could this happen? (Although
OoO En ce début d'après-midi nuageux du mardi 13 mai 2008, vers 14:06,
Florian Weimer [EMAIL PROTECTED] disait:
Package: openssl
Vulnerability : predictable random number generator
Some other random questions:
- It seems that firefox does not handle CRL unless manually imported,
On Tue, May 13, 2008 at 07:38:27PM +, Sam Morris wrote:
On Tue, 13 May 2008 21:29:53 +0200, Vincent Bernat wrote:
- It seems that firefox does not handle CRL unless manually imported,
correct? This means that in most cases already issued certificates
are still vulnerable
Hello,
Am Dienstag, 13. Mai 2008 schrieb Vincent Bernat:
OoO En ce début d'après-midi nuageux du mardi 13 mai 2008, vers 14:06,
Florian Weimer [EMAIL PROTECTED] disait:
Package: openssl
Vulnerability : predictable random number generator
Some other random questions:
- It
On Tue, May 13, 2008 at 3:52 PM, Jan Luehr [EMAIL PROTECTED] wrote:
For the last question, I see several solutions:
- the user has to read the DSA and handle it himself
Since some keys are generated automatically, (e.g. ssh host keys) users will
have to regenerate keys,they haven't
OoO En cette soirée bien amorcée du mardi 13 mai 2008, vers 22:21, John
Keimel [EMAIL PROTECTED] disait:
Since some keys are generated automatically, (e.g. ssh host keys) users will
have to regenerate keys,they haven't generated in the first place and might
not be aware of their existens.
Jan Luehr wrote:
Hello,
Am Dienstag, 13. Mai 2008 schrieb Corey Hickey:
Jan Luehr wrote:
Hello,
Am Dienstag, 13. Mai 2008 schrieb Vincent Bernat:
OoO En ce début d'après-midi nuageux du mardi 13 mai 2008, vers 14:06,
Florian Weimer [EMAIL PROTECTED] disait:
Package: openssl
On Tue, May 13, 2008 at 4:31 PM, Vincent Bernat [EMAIL PROTECTED] wrote:
OoO En cette soirée bien amorcée du mardi 13 mai 2008, vers 22:21, John
Keimel [EMAIL PROTECTED] disait:
Since some keys are generated automatically, (e.g. ssh host keys) users
will
have to regenerate keys,they
Hello,
Am Dienstag, 13. Mai 2008 schrieb Corey Hickey:
Jan Luehr wrote:
Hello,
Am Dienstag, 13. Mai 2008 schrieb Vincent Bernat:
OoO En ce début d'après-midi nuageux du mardi 13 mai 2008, vers 14:06,
Florian Weimer [EMAIL PROTECTED] disait:
Package: openssl
Jan Luehr wrote:
Hello,
Am Dienstag, 13. Mai 2008 schrieb Vincent Bernat:
OoO En ce début d'après-midi nuageux du mardi 13 mai 2008, vers 14:06,
Florian Weimer [EMAIL PROTECTED] disait:
Package: openssl
Vulnerability : predictable random number generator
Some other random
OoO En cette soirée bien amorcée du mardi 13 mai 2008, vers 22:38, John
Keimel [EMAIL PROTECTED] disait:
Restarting OpenSSH do not close existing connections.
Yes, that's correct. I agree.
But the instructions I saw were for 'shutting down the SSHD server' -
not just 'restarting it'.
Hello,
Am Dienstag, 13. Mai 2008 schrieb John Keimel:
On Tue, May 13, 2008 at 4:31 PM, Vincent Bernat [EMAIL PROTECTED] wrote:
OoO En cette soirée bien amorcée du mardi 13 mai 2008, vers 22:21, John
Keimel [EMAIL PROTECTED] disait:
Since some keys are generated automatically, (e.g.
On Tue, May 13, 2008 at 10:53:25PM +0200, Jan Luehr wrote:
rm /etc/ssh/ssh_host_*
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
/etc/init.d/ssh restart
- job done.
Keep smiling
yanosz
Shorter one:
rm /etc/ssh/ssh_host_*
On May 13, 2008, at 2:35 PM, dererk wrote:
On Tue, May 13, 2008 at 10:53:25PM +0200, Jan Luehr wrote:
rm /etc/ssh/ssh_host_*
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
/etc/init.d/ssh restart
- job done.
Keep smiling
yanosz
Jan Luehr wrote:
However, I'm curious: [how] could this happen?
This is the best explanation I've seen so far :
http://it.slashdot.org/comments.pl?sid=551636cid=23392602
I have no idea if it's correct, but it sounds very plausible.
If there was any mistake it may have been to try too hard
52 matches
Mail list logo
