Jan Luehr wrote:
> Hello,
>
> On Tuesday, 13 May 2008, Corey Hickey wrote:
>> Jan Luehr wrote:
>>> Hello,
>>>
>>> On Tuesday, 13 May 2008, Vincent Bernat wrote:
>>>> OoO On this cloudy early afternoon of Tuesday, 13 May 2008, around 14:06,
>>>>
>>>> Florian Weimer <[EMAIL PROTECTED]> said:
>>>>> Package : openssl
>>>>> Vulnerability : predictable random number generator
>>>> Some other random questions:
>>>> - It seems that Firefox does not handle CRL unless manually imported,
>>>> correct? This means that in most cases already issued certificates
>>>> are still vulnerable even if revoked. A quick look seems to show that
>>>> most software does not handle CRL at all.
>>>> - As a maintainer of a package that has generated certificates using
>>>> OpenSSL, how should we handle the issue?
>>>>
>>>> For the last question, I see several solutions:
>>>> - the user has to read the DSA and handle it himself
>>> Since some keys are generated automatically (e.g. ssh host keys), users
>>> will have to regenerate keys they haven't generated in the first place
>>> and might not be aware of their existence.
>>> That's bad.
>> Unless I'm gravely mistaken, SSH keys aren't affected by this
>> vulnerability. OpenSSH and OpenSSL are separate, and your ssh program
>> generated its own keys.
>
> As stated in the DSA:
> »Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key
> material for use in X.509 certificates and session keys used in SSL/TLS
> connections. Keys generated with GnuPG or GNUTLS are not affected,
> though.«

Yeah, I just realized OpenSSH uses libSSL; sorry for the noise.

-Corey

