Yes, I read this earlier - hopefully it will encourage a bit more peer
review, particularly on security-related code. Really wouldn't have expected
this to have happened in something so core on such a ubiquitous distro.

Very glad that I use Fedora on this occasion (not the first time either) -
please don't take that as a slur; I'm not trying to kick off a flame war ;-)

Martin 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Rogers
Sent: 14 May 2008 09:20
To: Peterborough LUG - No commercial posts
Subject: [Peterboro] Debian/Ubuntu SSH vulnerability

A Debian "improvement" to the stock openssh code has introduced a bug which
means that the number of possible keys is reduced by a massive factor, from
longer-than-all-the-time-in-the-universe for a brute force attack, to
about-as-long-as-it-takes-the-kettle-to-boil.

See: http://www.ubuntu.com/usn/usn-612-2

There are updates, but the problem is that fixing the cause of bad keys
doesn't in itself fix the bad keys. Ubuntu have written a tool (which is
included in the updates) to detect and replace bad keys, with the effect
that next time you SSH into that server you find that the key has changed
and you need to update ~/.ssh/known_hosts.

However I found that the updates wouldn't install; openssh-server and
openssh-client were being "held back". To fix this, I had to do:
    sudo apt-get update
    sudo apt-get install openssh-blacklist
    sudo apt-get upgrade

Does this affect anyone here? Almost everyone using Ubuntu, I'd say. The
implication is not, however, that an attacker can just get into your system;
what it does mean is that protection against "man-in-the-middle" 
attacks is pretty much removed (where someone sits between you and your
server intercepting your passwords etc). So everyone should be updating
- this is a major flaw, introduced by someone being "helpful" at Debian by
"fixing" code that wasn't broken in the core distribution. Not a good day
for Debian's security reputation, it has to be said.

Ubuntu 7.04, 7.10 and 8.04 are all affected.

[Anyone with a better grasp of the implications please feel free to
correct/update this.]

--
Mark Rogers // More Solutions Ltd (Peterborough Office) // 0845 45 89 555
Registered in England (0456 0902) at 13 Clarke Rd, Milton Keynes, MK1 1LG


_______________________________________________
Peterboro mailing list
[email protected]
https://mailman.lug.org.uk/mailman/listinfo/peterboro
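The two things Mark's post describes, a key space that has collapsed from "longer than the universe" to "kettle-boiling" size, and a blacklist tool that can catch every such key, follow directly from one fact: the underlying defect left the generator seeded from nothing but the process ID, so there are only as many possible keys as there are PIDs. The toy model below is an added illustration written for this page; it is not the thread's code, not Debian or Ubuntu's openssh-blacklist tool, and not real key-generation maths. It assumes 15-bit PIDs (32768 values), stands in a hash for the public-key derivation, and uses sha256 for the fingerprint where ssh-keygen of the day printed MD5. With those assumptions it shows why a shipped list of fingerprints is feasible, why the check is O(1) per key, and why an attacker who sees only the public key can recover the private one by trying every PID.

```python
"""Toy model of the Debian weak-key problem: a generator whose only seed is
the PID, the blacklist check that catches its output, and the brute force
that recovers its private keys. Constructed illustration, not real code."""
import hashlib
import os
import random

# Assumption: Linux pid_max default of 32768, so the broken generator can
# only ever emit this many distinct keys, whatever the nominal key size.
PID_MAX = 32768
KEY_BYTES = 32


def weak_keygen(pid: int) -> bytes:
    """Stand-in for a generator seeded from nothing but the PID.
    Same PID in, same "private key" out, on every machine, every time."""
    rng = random.Random(pid)  # deterministic: the seed is the whole secret
    return rng.getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")


def good_keygen() -> bytes:
    """What the generator should have done: draw from the OS entropy pool."""
    return os.urandom(KEY_BYTES)


def public_part(private_key: bytes) -> bytes:
    """Toy one-way map from private to public key (a hash stands in for the
    real public-key arithmetic). Only this value is visible on the wire."""
    return hashlib.sha256(b"pub:" + private_key).digest()


def fingerprint(public_key: bytes) -> str:
    """Fingerprint as a blacklist would store it (sha256 here; ssh-keygen of
    2008 printed MD5, but any hash serves the toy)."""
    return hashlib.sha256(public_key).hexdigest()


def build_blacklist() -> frozenset:
    """Precompute the fingerprint of every key the weak generator can emit.
    This is the whole idea behind a blacklist package: the space is small
    enough to enumerate once and ship as a file."""
    return frozenset(fingerprint(public_part(weak_keygen(pid)))
                     for pid in range(PID_MAX))


BLACKLIST = build_blacklist()


def is_blacklisted(public_key: bytes) -> bool:
    """The check an updated package runs over host and user keys."""
    return fingerprint(public_key) in BLACKLIST


def recover_private_key(public_key: bytes):
    """Attacker's view: with ~32k candidates, a public key seen on the wire
    leads straight to its private key. Returns None if the key is not weak."""
    for pid in range(PID_MAX):
        candidate = weak_keygen(pid)
        if public_part(candidate) == public_key:
            return candidate
    return None


if __name__ == "__main__":
    victim_priv = weak_keygen(4242)  # a daemon that happened to get PID 4242
    victim_pub = public_part(victim_priv)
    print("weak key blacklisted:", is_blacklisted(victim_pub))
    print("private key recovered:",
          recover_private_key(victim_pub) == victim_priv)
    print("properly seeded key blacklisted:",
          is_blacklisted(public_part(good_keygen())))
```

Note what the blacklist does and does not buy you: it tells you a key on disk is one of the enumerable ones, which is why the fix regenerates host keys and why known_hosts entries then change; it cannot retroactively protect a session an attacker already recorded, since the private key behind it is recoverable from the public key alone.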
