Debian-based OpenSSL keys -- vulnerable to attack?

Barbie
Thu May 22 09:14:12 BST 2008

On Wed, May 21, 2008 at 09:50:31PM -0700, Jonathan Lloyd wrote:
> I received a message from the Association for Computing and Machinery saying
> that any SSL key generated on a Debian system since May of 2006 could be
> vulnerable to attack.  Seems kind of important -- assuming it is legitimate.

It is legit, and although it could be bad for Debian, they have been
incredible at turning this around to update and fix the problem, but
also provide measures for you to check the keys on a Debian or Ubuntu

Unfortunately there isn't anything at the moment to check the same on
other Linux machines. But it's probably safe to say that any keys in
your known_hosts or authorized_keys files that contain keys from Debian
and Ubuntu machines, generated in the last 2 years, are suspect. This
particularly applies to anyone having a VCS repository that
authenticates using ssh keys.

At GlosLUG on Tuesday we had a Debian maintainer give a presentation
about the situation, explaining how it happened and how to fix the problem.

Several of us had fun over the weekend and on Monday [1], as we updated
lots of machines.


Birmingham Perl Mongers
Memoirs Of A Roadie
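One way to take the inventory of known_hosts and authorized_keys that the post recommends, as an added example that is not from this list or from Debian's own tooling: parse each line, compute the key's MD5 fingerprint and look it up in a blacklist file. It assumes the blacklist holds the last 20 hex digits of each weak key's MD5 fingerprint, one per line (the layout used by the openssh-blacklist package); the sample keys and blacklist are constructed.

```python
# Added example, not from the list post: inventory the keys in authorized_keys /
# known_hosts lines and flag those whose fingerprint is on a blacklist. Assumption:
# blacklist lines hold the last 20 hex digits of a weak key's MD5 fingerprint.
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")

def parse_key_line(line):
    """(type, blob, comment) for one line, or None for blanks, comments and junk.
    The key-type token is found by scanning, so a leading options field
    (authorized_keys) or hostname field (known_hosts) is tolerated."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return None
    for i, tok in enumerate(fields):
        if tok in KEY_TYPES and i + 1 < len(fields):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
            # The blob embeds its own type string; reject a mismatch.
            n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
            if blob[4:4 + n] != tok.encode():
                return None
            return tok, blob, " ".join(fields[i + 2:])
    return None

def load_blacklist(text):
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")}

def scan(lines, blacklist):
    """[(type, md5 fingerprint, comment, flagged)] for every parsable key."""
    out = []
    for parsed in filter(None, map(parse_key_line, lines)):
        fp = hashlib.md5(parsed[1]).hexdigest()
        out.append((parsed[0], fp, parsed[2], fp[-20:] in blacklist))
    return out

# Constructed sample data: two tiny RSA blobs in SSH wire format (type, e, n).
def _s(b): return struct.pack(">I", len(b)) + b
def _mpint(v): return _s(v.to_bytes((v.bit_length() + 8) // 8, "big"))
BLOB_A = _s(b"ssh-rsa") + _mpint(65537) + _mpint(0xC0FFEE1234567)
BLOB_B = _s(b"ssh-rsa") + _mpint(65537) + _mpint(0xDEADBEEF98765)
SAMPLE_LINES = [  # an authorized_keys line with options, then a known_hosts line
    'command="/usr/bin/svnserve -t" ssh-rsa %s dev@build' % base64.b64encode(BLOB_A).decode(),
    "git.example.org,192.0.2.10 ssh-rsa %s" % base64.b64encode(BLOB_B).decode(),
]
SAMPLE_BLACKLIST = "# constructed: lists BLOB_A\n%s\n" % hashlib.md5(BLOB_A).hexdigest()[-20:]
```

Run `scan(SAMPLE_LINES, load_blacklist(SAMPLE_BLACKLIST))` to see the first key flagged and the second pass; a real run would read the files and the distribution's blacklist instead of the constructed data.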
