Hello,

On Tuesday, 13 May 2008, Corey Hickey wrote:
> Jan Luehr wrote:
> > Hello,
> >
> > On Tuesday, 13 May 2008, Vincent Bernat wrote:
> >> OoO On this cloudy early afternoon of Tuesday, 13 May 2008, around 14:06,
> >>
> >> Florian Weimer <[EMAIL PROTECTED]> said:
> >>> Package : openssl
> >>> Vulnerability : predictable random number generator
> >>
> >> Some other random questions:
> >> - It seems that firefox does not handle CRL unless manually imported,
> >> correct? This means that in most cases already issued certificates
> >> are still vulnerable even if revoked. A quick look seems to show that
> >> most software does not handle CRL at all.
> >> - As a maintainer of a package that has generated certificates using
> >> OpenSSL, how should we handle the issue?
> >>
> >> For the last question, I see several solutions:
> >> - the user has to read the DSA and handle it himself
> >
> > Since some keys are generated automatically (e.g. ssh host keys), users
> > will have to regenerate keys they haven't generated in the first place
> > and might not be aware of their existence.
> > That's bad.
>
> Unless I'm gravely mistaken, SSH keys aren't affected by this
> vulnerability. OpenSSH and OpenSSL are separate, and your ssh program
> generated its own keys.

As stated in the DSA:
»Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key
material for use in X.509 certificates and session keys used in SSL/TLS
connections. Keys generated with GnuPG or GNUTLS are not affected,
though.«

Keep smiling
yanosz

