Here's the update on krb5 for Debian Lenny, based on a mail from Russ Allbery: (The status of Etch has changed; it isn't affected at all).
* MIT Kerberos itself does not generate long-term key pairs even when the PKINIT plugin is used, so any vulnerable long-term key pairs would have been generated outside of the MIT Kerberos software itself. The PKINIT plugin only references existing key pairs and isn't responsible for key management.

* All of the random session key generation inside the PKINIT plugin is done using the regular MIT Kerberos random key functions, *not* the OpenSSL random number generator, and hence sessions created via PKINIT are not subject to this vulnerability.

MIT Kerberos itself is not affected. However, long-term key pairs used with PKINIT may be affected if generated on an affected Debian system, but such generation is external to MIT Kerberos.

