OpenSSL 0.9.8c-1 up to 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys. This vulnerability only affects Debian-based distributions and does not affect any Red Hat distributions.

How this affects OpenVPN:

Any keys which were generated on the vulnerable distributions (Debian, Ubuntu, Kubuntu) using openvpn --genkey or the easy-rsa scripts should be considered compromised, since the security of each of these operations would depend on the quality of the randomness provided by the underlying OpenSSL library. You would want to revoke these keys, and rebuild them after having applied the fix.


Reply via email to