Mario 'BitKoenig' Holbe [EMAIL PROTECTED] wrote:
ssh-dss.c:ssh_dss_sign() calls openssh's DSA_do_sign() which finally
^
openssl's, of course.
regards
Mario
--
The social dynamics of the net are a direct consequence of the fact that
nobody has yet
On Thu, May 15, 2008 at 10:37:37AM +1000, Andrew McGlashan wrote:
Okay, if we updated (on stable):
openssl_0.9.8c-4etch3_i386.deb
libssl0.9.8_0.9.8c-4etch3_i386.deb
Then re-generated all keys and certificates.
Then you are fine.
Later we get these updates:
Hello all,
thanks for the quick response to the SSL bug and for providing ssh-vulnkey and
dokuwd.pl. SSH-VULNKEY produces funny output when processing authorized_keys
with additional options like from=host, command=something to do,
no-agent-forwarding, etc...
Instead of the file name it
On Thu, May 15, 2008 at 09:52:10AM +0200, Vladislav Kurz wrote:
It would be also helpful to print the line as dokuwd.pl does.
Is there any repository with newer versions of ssh-vulnkey or dokuwd.pl ?
Try the Ubuntu version which contains a fixed ssh-vulnkey (
http://www.ubuntu.com/usn/usn-612-5
On Thu, May 15, 2008 at 11:08:58AM +0300, Mikko Rapeli wrote:
It would be also helpful to print the line as dokuwd.pl does.
Is there any repository with newer versions of ssh-vulnkey or dokuwd.pl ?
Try the Ubuntu version which contains a fixed ssh-vulnkey (
Hi all!
I was wondering how bad this actually is and it looks extremely horrible. In
practice, all data transmitted over the wire for the last two years can be
snooped upon (if someone has captured it - and the paranoid must assume
someone has).
Trusting on the security of ssh, we have, for
Juha Jäykkä [EMAIL PROTECTED] writes:
However, ever since we started using Heimdal, we have used GSSAPI
authentication by default, which, to my understanding, does not rely on
SSH host or user keys, but bases all its crypto on Kerberos. Does this
mean data transmitted over
Russ Allbery [EMAIL PROTECTED] writes:
Keys based on user passwords should be fine.
However, I was just reminded that Kerberos password changes with Heimdal
similarly use OpenSSL to generate the session key, and therefore password
change sessions are subject to the same possible attack by
http://www.securityfocus.com/archive/1/492112/30/0/threaded
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Juha Jäykkä wrote:
Just count how many times you've used GPG over one of
the weak links...
Zero!
Zero gpg invocations over network links!
--
see shy jo, with apologies to countmail
I was able to find blacklist.RSA-1024 in Ubuntu's openssl-blacklist
package, and (fortunately) found that my 1024-bit RSA keys are in fact
not blacklisted.
--
http://www.doorstop.net/
I'm a bit concerned about the many 1024-bit RSA keys I have on my
system. To be on the safe side, I'm removing them and replacing them
with newly-generated 2048-bit keys.
I wonder though, why there's no blacklist.RSA-1024 in the
openssh-blacklist package? Running ssh-vulnkey tells me Unknown
* Vineet Kumar ([EMAIL PROTECTED]) [080515 10:39]:
I was able to find blacklist.RSA-1024 in Ubuntu's openssl-blacklist
package, and (fortunately) found that my 1024-bit RSA keys are in fact
not blacklisted.
I guess this is probably because those keys were generated before
openssl 0.9.8c-1. So
Hallo Vineet,
At 15.05.2008, Vineet Kumar wrote
I was able to find blacklist.RSA-1024 in Ubuntu's openssl-blacklist
package, and (fortunately) found that my 1024-bit RSA keys are in fact
not blacklisted.
On what hardware platform were your keys generated?
A friend tested to generate a key
* Joey Hess [EMAIL PROTECTED] [2008-05-15 09:57-0400]:
Juha Jäykkä wrote:
Just count how many times you've used GPG over one of
the weak links...
Zero!
Zero gpg invocations over network links!
This is Just to Say
I have invoked
gpg
over the
network links
and which
was probably not
Guido Hennecke wrote:
At 15.05.2008, Vineet Kumar wrote
I was able to find blacklist.RSA-1024 in Ubuntu's openssl-blacklist
package, and (fortunately) found that my 1024-bit RSA keys are in fact
not blacklisted.
On what hardware platform were your keys generated?
A friend tested to generate
--
[EMAIL PROTECTED]
http://www.linuxiso.cl
Hi list,
I want to say: Thank you!
Why? The Debian developers seem to be the only developers who investigated
the openssl code and did not just use it. They found a strange thing in
the OpenSSL code, asked the OpenSSL people and after all, they removed
the potentially dangerous code piece.
OK, this
On 080515 at 22:20, Guido Hennecke wrote:
I want to say: Thank you!
Me too, but mostly for how quick+open the situation was and is handled.
I especially like that sshd doesn't accept weak keys anymore. I think
similar efforts should be made to check for weak keys in other
locations and at least
On Thu, May 15, 2008 at 09:52:10AM +0200, Vladislav Kurz wrote:
Hello all,
thanks for the quick response to the SSL bug and for providing ssh-vulnkey and
dokuwd.pl. SSH-VULNKEY produces funny output when processing authorized_keys
with additional options like from=host, command=something
On May 15, 2008, at 6:25 PM, Alex Samad wrote:
is there a way to check x509 certs with these tools?
Yes - the wiki has one (http://wiki.debian.org/SSLkeys) but you might
prefer the openssl-blacklist package which Ubuntu prepared:
https://launchpad.net/ubuntu/+source/openssl-blacklist/
It
On 15-05-2008 20:43, Chris Adams wrote:
On May 15, 2008, at 6:25 PM, Alex Samad wrote:
is there a way to check x509 certs with these tools?
Yes - the wiki has one (http://wiki.debian.org/SSLkeys) but you might
prefer the openssl-blacklist
Simon Valiquette [EMAIL PROTECTED] writes:
It seems that people are insisting quite a lot on the bad keys, but
what worries me a lot more is that, apparently and very logically, past
ssh connections and any SSL session keys are to be considered
compromised.
After hastily reviewing the
On Thu, May 15, 2008 at 07:43:13PM -0400, Chris Adams wrote:
On May 15, 2008, at 6:25 PM, Alex Samad wrote:
is there a way to check x509 certs with these tools?
Yes - the wiki has one (http://wiki.debian.org/SSLkeys) but you might
prefer the openssl-blacklist package which Ubuntu prepared:
On jeu, 2008-05-15 at 23:38 +0200, Steffen Schulz wrote:
For what it's worth... I see 3.5 problems that accumulated into this
mess:
- OpenSSL is complex and critical but the code is little documented.
Code pieces like the ones in question should have warning-labels
printed all over them
On Fri, May 16, 2008 at 07:47:31AM +0200, Yves-Alexis Perez wrote:
On jeu, 2008-05-15 at 23:38 +0200, Steffen Schulz wrote:
For what it's worth... I see 3.5 problems that accumulated into this
mess:
- OpenSSL is complex and critical but the code is little documented.
Code pieces like