If you don't have any password-less logins set up, no need to worry (unless you generated your own SSL certs on these systems, which is also affected, so regenerate those too).
http://isc.sans.org/diary.html?storyid=4420

The meat of it:

"It is obvious that this is highly critical – if you are running a Debian or Ubuntu system, and you are using keys for SSH authentication (ironically, that's something we've been recommending for a long time), and those keys were generated between September 2006 and May 13th 2008 then you are vulnerable. In other words, those secure systems can be very easily brute forced. What's even worse, H D Moore said that he will soon release a brute force tool that will allow an attacker easy access to any SSH account that uses public key authentication."

Whoops! If your SSH port faces the outside world and you have a vulnerable key, this basically means that all someone has to do is guess your username and a flurry of connection attempts later... owned! (And may $deity help you if you have a key set up for root!)

Do not delay. Get the updated version and regenerate your keys NOW!

-Mark C.
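An added example, not part of the original post: one way to find which entries in an `authorized_keys` file need regenerating is to compute each key's MD5 fingerprint and compare it with a list of known-weak fingerprints. The function names, the sample file and the weak list below are constructed for illustration; a real weak-key list is assumed to be supplied by the reader as hex MD5 fingerprints.

```python
import base64
import hashlib

KEY_TYPES = {"ssh-rsa", "ssh-dss"}  # RSA and DSA public key lines

def md5_fingerprint(blob_b64):
    """Legacy OpenSSH fingerprint: hex MD5 of the decoded public key blob."""
    return hashlib.md5(base64.b64decode(blob_b64, validate=True)).hexdigest()

def parse_authorized_keys(text):
    """Yield (line_no, key_type, fingerprint, comment) for each parsable key line."""
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options such as from="..." may precede the key type, so search for it.
        for i, field in enumerate(fields[:-1]):
            if field in KEY_TYPES:
                try:
                    fp = md5_fingerprint(fields[i + 1])
                except ValueError:  # not base64: this was not the key field
                    continue
                yield line_no, field, fp, " ".join(fields[i + 2:])
                break

def keys_to_regenerate(text, weak_fingerprints):
    """Return the entries whose fingerprint is on the known-weak list."""
    return [e for e in parse_authorized_keys(text) if e[2] in weak_fingerprints]

# Constructed sample data: these blobs are placeholders, not real keys.
BLOB_A = base64.b64encode(b"constructed-blob-A").decode()
BLOB_B = base64.b64encode(b"constructed-blob-B").decode()
SAMPLE = f"""# constructed authorized_keys
ssh-rsa {BLOB_A} alice@laptop
from="10.0.0.*",no-pty ssh-dss {BLOB_B} backup@nas
"""
WEAK = {md5_fingerprint(BLOB_B)}  # stand-in for a published weak-key list

if __name__ == "__main__":
    for line_no, ktype, fp, comment in keys_to_regenerate(SAMPLE, WEAK):
        print(f"line {line_no}: {ktype} {fp} ({comment}) -> regenerate")
```

Run it over every account's `authorized_keys`, root's included, and remove each flagged entry once its owner has generated a replacement key on a patched system.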

