As you may know, a vulnerability has been found in recent openssl and openssh packages in Debian-based distros:

http://metasploit.com/users/hdm/tools/debian-openssl/

In eBox's case, only the Ubuntu-based installations are vulnerable. The older Debian-based ones had a correct openssl version.

You first need to upgrade to the new openssl and ssh packages. You can use these commands to do so:

    apt-get update
    apt-get install openssl ssh

There are two affected eBox components:

- eBox HTTPS server certificate
- eBox CA certificates

- eBox HTTPS server certificate

You can create a new server certificate by following these steps:

- sudo rm -rf /var/lib/ebox/conf/ssl*
- sudo /usr/share/ebox/ebox-create-certificate
- sudo /etc/init.d/ebox apache restart

On the next connection to the web interface, your browser will ask you to accept the new certificate.

- eBox CA certificates

There is no easy fix here; you will need to go to the web interface and renew the CA. This will renew the CA's certificates. If you are using openvpn, you will need to distribute the new certificates, and the current connections will be stopped.

As a last note, I remind you that any openssl or ssh certificate created in an Ubuntu-based eBox is unsafe and you need to revoke/renew/delete it.

Cheers,

Javier
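An added example, not part of the original message: a shell function that lists the certificates under a directory whose notBefore date is earlier than a cutoff, such as the time the fixed openssl package was installed, so they can be queued for renewal or revocation. The function name, the file-extension list and the use of GNU date are assumptions; the directory to scan is supplied by the caller.

```shell
#!/bin/sh
# list_certs_issued_before DIR CUTOFF
#   DIR     directory to scan recursively (caller-supplied)
#   CUTOFF  any date string GNU date understands, e.g. the moment the
#           fixed openssl package was installed on this host
# Prints "<path><TAB><notBefore>" for every X.509 certificate issued
# before CUTOFF. Files that do not parse as certificates are skipped.
# Assumes the openssl command-line tool and GNU date are available.
list_certs_issued_before() {
    dir=$1
    cutoff_epoch=$(date -u -d "$2" +%s) || return 2

    find "$dir" -type f \
        \( -name '*.pem' -o -name '*.crt' -o -name '*.cert' \) 2>/dev/null |
    while IFS= read -r f; do
        # Output looks like: notBefore=May 13 12:00:00 2008 GMT
        start=$(openssl x509 -in "$f" -noout -startdate 2>/dev/null) || continue
        start=${start#notBefore=}
        issued_epoch=$(date -u -d "$start" +%s 2>/dev/null) || continue
        if [ "$issued_epoch" -lt "$cutoff_epoch" ]; then
            printf '%s\t%s\n' "$f" "$start"
        fi
    done
}

# Run directly as: script DIR CUTOFF
if [ "$#" -eq 2 ]; then
    list_certs_issued_before "$1" "$2"
fi
```

The notBefore date records when a certificate was issued, not when its key was generated, so a certificate reissued after the upgrade over an old key will not be listed and still needs a new key.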
