Critical security update for openssl

Posted by Steve on Tue 13 May 2008 at 14:37

A new security advisory has recently been released relating to the Debian openssl package, and whilst most security updates are not newsworthy, this one is. Read on for a brief overview of the problem.

The actual security announcement may be found here:

Quoting that announcement:

Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.

This is a Debian-specific vulnerability which does not affect other operating systems which are not based on Debian. However, other systems can be indirectly affected if weak keys are imported into them.

It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.

What does this mean?

It means, in short, that if you've generated SSH keys for logging in to remote systems, and you generated those keys on a Debian etch system, then people might be able to connect to that system, as you, without knowing the private part of the key.

Because the key-generation process was broken, the keys are not as strong as they should be, to the extent that a brute-force attack is feasible.

What can you do to fix this?

There are two parts to this problem, and thus two solutions.

The first thing to do is to apply the security update. This will ensure that any future keys generated will be secure.

The harder step is to ensure that you've replaced any keys which you might have previously created.
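As a starting point for that inventory, the following added example (not part of the original article or the Debian advisory) reads the text of an authorized_keys file and sorts its entries by the advisory's two rules: keys generated on an affected system must be recreated, and DSA keys are suspect if they were merely used on one. The function names, verdict labels, the admin-supplied `generated_on_affected` set and the sample entries are assumptions constructed for illustration.

```python
import base64, hashlib

def parse_line(line):
    """Return (key_type, blob, comment), or None if the line holds no key."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    # Entries may begin with options, so find the first "type base64" pair
    # whose decoded blob names the same key type.
    for i in range(len(tokens) - 1):
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
        except ValueError:
            continue
        n = int.from_bytes(blob[:4], "big")  # SSH string length prefix
        if len(blob) > 4 and blob[4:4 + n] == tokens[i].encode():
            return tokens[i], blob, " ".join(tokens[i + 2:])
    return None

def fingerprint(blob):
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def triage(text, generated_on_affected=frozenset()):
    """Return (line_no, key_type, fingerprint, verdict, comment) per key."""
    rows = []
    for line_no, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        key_type, blob, comment = parsed
        fp = fingerprint(blob)
        if fp in generated_on_affected:   # admin-supplied set (assumption)
            verdict = "REPLACE"
        elif key_type == "ssh-dss":       # advisory: DSA suspect if merely used
            verdict = "REPLACE-IF-USED-ON-AFFECTED-HOST"
        else:                             # origin cannot be read from the key
            verdict = "CHECK-ORIGIN"
        rows.append((line_no, key_type, fp, verdict, comment))
    return rows

def fake_blob(t):  # constructed placeholder: real type header, zero-filled body
    return base64.b64encode(len(t).to_bytes(4, "big") + t.encode() + bytes(16)).decode()

SAMPLE = "\n".join([  # constructed sample, not real keys
    "# constructed authorized_keys sample",
    f"ssh-rsa {fake_blob('ssh-rsa')} steve@etch-laptop",
    f'from="10.0.0.1",no-pty ssh-dss {fake_blob("ssh-dss")} backup@server',
])
```

A "CHECK-ORIGIN" verdict means the key itself does not reveal where it was generated, so the owner has to confirm that before the entry is kept.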

Where can you learn more?

The Debian security site will contain more details, updating as required, at the following link:


This article is copyright 2008 Steve - please ask for permission to republish or translate.