Your message dated Mon, 10 Feb 2014 03:28:01 +0000
with message-id <[email protected]>
and subject line Re: Bug#482023: new generated keys are vulnerable
has caused the Debian Bug report #482023,
regarding new generated keys are vulnerable
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
482023: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482023
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssh-server
Version: 1:4.3p2-9etch2
Severity: normal

After installing 1:4.3p2-9etch2 my host keys were regenerated, but the
new keys are reported to be vulnerable, too. I can reproduce that:

	# vim /var/cache/debconf/config.dat
	... delete seen flag for ssh/vulnerable_host_keys
	# dpkg-reconfigure openssh-server
	... message "Vulnerable host keys will be regenerated"
	Creating SSH2 RSA key; this may take some time ...
	Creating SSH2 DSA key; this may take some time ...
	Host key 15:2b:b1:5a:26:05:5b:ca:45:39:ea:12:a2:59:ea:dc blacklisted (see ssh-vulnkey(1))
	Host key 81:bc:50:f6:1e:ab:5d:82:96:ca:3c:4f:90:22:23:c5 blacklisted (see ssh-vulnkey(1))
	Restarting OpenBSD Secure Shell server: sshd
	Host key 15:2b:b1:5a:26:05:5b:ca:45:39:ea:12:a2:59:ea:dc blacklisted (see ssh-vulnkey(1))
	Host key 81:bc:50:f6:1e:ab:5d:82:96:ca:3c:4f:90:22:23:c5 blacklisted (see ssh-vulnkey(1))
	.

After repeating the above recipe the key fingerprints change.

The problem is that my system has a libssl from testing (i.e. 0.9.8g-8).
Maybe openssh-server should conflict with the vulnerable versions of
libssl? Or the newly generated keys should be checked, resulting in a
warning if they are still vulnerable.

A fixed libssl version for testing-proposed-updates would be great, too.
(But this is OT for this report.)

Installing libssl from unstable and reconfiguring openssh-server (after
deleting the seen flag) fixed the problem.

Best regards
Uwe

-- System Information:
Debian Release: 4.0
  APT prefers proposed-updates
  APT policy: (900, 'proposed-updates'), (900, 'stable'), (300, 'testing-proposed-updates'), (300, 'testing'), (200, 'unstable'), (2, 'experimental')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24-1-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages openssh-server depends on:
ii  add  3.102                                 Add and remove users and groups
ii  deb  1.5.11etch2                           Debian configuration management sy
ii  dpk  1.14.16.6                             package maintenance system for Deb
ii  lib  2.7-10                                GNU C Library: Shared libraries
ii  lib  1.39+1.40-WIP-2006.11.14+dfsg-2etch1  common error description library
ii  lib  1.6.dfsg.3~beta1-4                    MIT Kerberos runtime libraries
ii  lib  0.79-5                                Pluggable Authentication Modules f
ii  lib  0.79-5                                Runtime support for the PAM librar
ii  lib  0.99.7.1-6                            Pluggable Authentication Modules l
ii  lib  1.32-3                                SELinux shared libraries
ii  lib  0.9.8g-8                              SSL shared libraries
ii  lib  7.6.dbs-13                            Wietse Venema's TCP wrappers libra
ii  ope  0.1.1                                 list of blacklisted OpenSSH RSA an
ii  ope  1:4.3p2-9etch2                        Secure shell client, an rlogin/rsh
ii  zli  1:1.2.3.3.dfsg-12                     compression library - runtime

openssh-server recommends no packages.

-- debconf information:
* ssh/vulnerable_host_keys:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/encrypted_host_key_but_no_keygen:
  ssh/disable_cr_auth: false

-- 
Uwe Kleine-König, Software Engineer
Digi International GmbH Branch Breisach, Küferstrasse 8, 79206 Breisach, Germany
Tax: 315/5781/0242 / VAT: DE153662976 / Reg. Amtsgericht Dortmund HRB 13962
--- End Message ---
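The check the report asks for, regenerated host keys being tested against the blacklist so that a still-weak key is flagged before sshd is restarted, as an added Python example that is not part of this bug report and is not Debian's ssh-vulnkey(1) (which is the tool that does this lookup on a Debian system using the installed openssh-blacklist package). Everything below is constructed: the two public-key lines are built from tiny, non-secret numbers and are not real keys, the blacklist text is a made-up sample, and the entry format (the last 20 hex digits of the SHA-1 of the key blob) is my assumption about how the openssh-blacklist files are laid out, not a verified specification. The MD5 colon fingerprint is produced only because that is the format of the "Host key ... blacklisted" lines in the report.

```python
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer (leading 0x00 if the high bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH 'ssh-rsa <base64 blob> <comment>' line from e and n.
    Constructed scaffolding only: the moduli used below are tiny and not real keys."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def key_blob(pubkey_line: str) -> bytes:
    """Decode the binary key blob from a '<type> <base64> [comment]' line."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public-key line")
    return base64.b64decode(parts[1])


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the format 2008-era ssh-keygen -l printed
    and the format of the 'Host key ... blacklisted' messages in the report."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def blacklist_entry(blob: bytes) -> str:
    """ASSUMED entry format: the last 20 hex digits (lower 80 bits) of the SHA-1 of
    the key blob.  This mirrors my understanding of the openssh-blacklist files;
    treat it as an assumption, not a verified spec."""
    return hashlib.sha1(blob).hexdigest()[-20:]


def load_blacklist(text: str) -> set:
    """Parse blacklist text: one entry per line, '#' comment lines and blanks ignored."""
    entries = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#"):
            entries.add(line)
    return entries


def is_blacklisted(pubkey_line: str, blacklist: set) -> bool:
    return blacklist_entry(key_blob(pubkey_line)) in blacklist


def check_regenerated_keys(pubkey_lines, blacklist):
    """The check the report proposes: after host keys are regenerated, flag any that
    are still blacklisted (which means the libssl that generated them was still the
    broken one).  Returns a list of (md5_fingerprint, comment) for the keys that failed."""
    failed = []
    for line in pubkey_lines:
        if is_blacklisted(line, blacklist):
            parts = line.split(maxsplit=2)
            comment = parts[2] if len(parts) > 2 else ""
            failed.append((md5_fingerprint(key_blob(line)), comment))
    return failed


# Constructed sample data: not real keys and not the real Debian blacklist.
KEY_STILL_WEAK = make_rsa_pubkey_line(65537, 0xC0FFEE1234567891, "constructed-still-weak")
KEY_FRESH = make_rsa_pubkey_line(65537, 0xDECAFBAD12345679, "constructed-fresh")
SAMPLE_BLACKLIST = (
    "# constructed sample blacklist: lower 80 bits of SHA-1 of key blob, one per line\n"
    + blacklist_entry(key_blob(KEY_STILL_WEAK)) + "\n"
    + "0123456789abcdef0123\n"
)

if __name__ == "__main__":
    bl = load_blacklist(SAMPLE_BLACKLIST)
    for fp, comment in check_regenerated_keys([KEY_STILL_WEAK, KEY_FRESH], bl):
        # Same shape as the message sshd printed in the report.
        print("Host key %s blacklisted (see ssh-vulnkey(1)) [%s]" % (fp, comment))
```

The point of the example is the ordering: a postinst that regenerates keys and only then restarts the daemon has no way of knowing the new keys are any better than the old ones unless it runs this lookup in between, which is exactly the gap the reporter hit when libssl on the system was still the affected build.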
--- Begin Message ---
On Tue, May 20, 2008 at 02:16:55PM +0200, Uwe Kleine-König wrote:
> Florian Weimer wrote:
> > testing has received the fixed version on 2008-05-11. There's no need
> > to involve testing-proposed-updates.
> 
> You're right. I saw that I got a new openssl after I installed the
> security updates and already thought that this part of my report is
> obsolete. As usual that happened after sending the report :-(

It looks like this bug has been long since handled, so closing.

Thanks,

-- 
Colin Watson                                       [[email protected]]
--- End Message ---

