Debian-based OpenSSL keys -- vulnerable to attack?

Jonathan Lloyd webmaster at lifegames.org
Thu May 22 17:06:52 BST 2008


I am by no means a system administrator, and we don't use Debian.   I just
wanted to spread the word amongst the good Perl people.  Sorry for the
convenience.

On Thu, May 22, 2008 at 1:14 AM, Barbie <barbie at missbarbell.co.uk> wrote:

> On Wed, May 21, 2008 at 09:50:31PM -0700, Jonathan Lloyd wrote:
> > I received a message from the Association for Computing and Machinery
> saying
> > that any SSL key generated on a Debian system since May of 2006 could be
> > vulnerable to attack.  Seems kind of important -- assuming it is
> legitimate.
>
> It is legit, and although it could be bad for Debian, they have been
> incredible at turning this around to update and fix the problem, but
> also provide measures for you to check the keys on a Debian or Ubuntu
> machine.
>
> Unfortunately there isn't anything at the moment to check the same on
> other Linux machines. But it's probably safe to say that any keys in
> your known_hosts or authorized_keys files that contain keys from Debian
> and Ubuntu machines, generated in the last 2 years are suspect. This
> particularly applies to anyone having a VCS repository that
> authenticates using ssh keys.
>
> At GlosLUG on Tuesday we had a debian maintainer give a presentation
> about the situation, explain how it happened and how to fix the problem.
>
> Several of us had fun over the weekend and on Monday [1], as we updated
> lots of machines.
>
> [1] http://use.perl.org/~barbie/journal/36465
>
> Cheers,
> Barbie.
> --
> Birmingham Perl Mongers <http://birmingham.pm.org>
> Memoirs Of A Roadie <http://barbie.missbarbell.co.uk>


-- 
Jonathan Lloyd
(714) 328-3249
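Barbie's point that entries in known_hosts and authorized_keys from Debian or Ubuntu machines are suspect, and that nothing yet checked them on other distributions, is something a script can do on any machine given the Debian blacklist files. The following is an added example, not code from this thread or from Debian's own ssh-vulnkey: it parses both file formats, extracts the key type and size (RSA modulus or DSA prime bit length, the same dimensions the blacklist files are split by), and looks the key up in a blacklist. Assumptions, labelled in the comments: that each blacklist line is the MD5 fingerprint of the raw key blob with its first 12 hex digits dropped, that the lists are named by type and size (RSA-2048, DSA-1024, ...), and the sample keys and lines are constructed toys, not real or vulnerable keys, with the stand-in blacklist seeded from one of them so the scan has something to flag.

```python
import base64
import hashlib
import re
import struct

# Regex for the "<type> <base64 blob>" pair that both authorized_keys and
# known_hosts lines contain, whatever precedes it (options, host names, |1| hashes).
KEY_RE = re.compile(r"(ssh-rsa|ssh-dss)\s+([A-Za-z0-9+/]+=*)")


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint' for a non-negative integer (leading 0x00 when the high bit is set)."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_blob(key_type: str, *ints: int) -> str:
    """Base64 public-key blob as it appears in the file: type string, then mpints."""
    raw = ssh_string(key_type.encode()) + b"".join(ssh_mpint(i) for i in ints)
    return base64.b64encode(raw).decode()


def parse_blob(blob_b64: str):
    """Walk the wire format back out: (key_type, [mpints as ints])."""
    data = base64.b64decode(blob_b64)
    fields, pos = [], 0
    while pos < len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        pos += 4
        fields.append(data[pos:pos + length])
        pos += length
    return fields[0].decode(), [int.from_bytes(f, "big") for f in fields[1:]]


def key_bits(blob_b64: str) -> int:
    """Key size as the blacklists are indexed by it: RSA modulus n, DSA prime p."""
    key_type, ints = parse_blob(blob_b64)
    if key_type == "ssh-rsa":
        return ints[1].bit_length()   # fields are e, n
    if key_type == "ssh-dss":
        return ints[0].bit_length()   # fields are p, q, g, y
    raise ValueError(f"unsupported key type {key_type}")


def blacklist_tag(blob_b64: str) -> str:
    """MD5 fingerprint of the raw blob minus its first 12 hex digits.
    ASSUMPTION: this is the 20-hex-digit line format of Debian's blacklist.* files."""
    return hashlib.md5(base64.b64decode(blob_b64)).hexdigest()[12:]


def load_blacklist(path: str) -> set:
    """Read a blacklist file (one tag per line, '#' comments) into a set of tags."""
    with open(path) as fh:
        return {ln.strip().lower() for ln in fh if ln.strip() and not ln.startswith("#")}


def scan(lines, blacklists):
    """One (line_no, key_type, bits, status) per key. status is COMPROMISED when the
    tag is in the blacklist for that type/size, ok when that list was consulted and
    the tag is absent, unchecked when no list for that type/size was supplied."""
    results = []
    for line_no, line in enumerate(lines, 1):
        m = KEY_RE.search(line)
        if line.lstrip().startswith("#") or not m:
            continue
        key_type, blob = m.groups()
        bits = key_bits(blob)
        # ASSUMPTION: lists are keyed like the blacklist.RSA-2048 file names.
        name = f"{'RSA' if key_type == 'ssh-rsa' else 'DSA'}-{bits}"
        tags = blacklists.get(name)
        if tags is None:
            status = "unchecked"
        elif blacklist_tag(blob) in tags:
            status = "COMPROMISED"
        else:
            status = "ok"
        results.append((line_no, key_type, bits, status))
    return results


# Constructed toy keys: the right wire shape and sizes, but NOT real or valid keys.
SUSPECT_BLOB = make_blob("ssh-rsa", 65537, (1 << 2047) | 1)
CLEAN_BLOB = make_blob("ssh-rsa", 65537, (1 << 2047) | 3)
DSA_BLOB = make_blob("ssh-dss", (1 << 1023) | 1, (1 << 159) | 1, 2, 3)

# Constructed sample: two authorized_keys lines (one with options), one hashed known_hosts line.
SAMPLE_LINES = [
    f'command="/usr/bin/git-shell -c \\"$SSH_ORIGINAL_COMMAND\\"",no-pty ssh-rsa {SUSPECT_BLOB} deploy@build-host',
    f"ssh-rsa {CLEAN_BLOB} alice@laptop",
    f"|1|c2FsdHNhbHRzYWx0c2FsdHNhbHQ=|aGFzaGhhc2hoYXNoaGFzaGhhc2g= ssh-dss {DSA_BLOB}",
    "# comment lines are skipped",
]

# Constructed stand-in for load_blacklist("/usr/share/ssh/blacklist.RSA-2048"),
# seeded with the toy key's tag so the scan has something to flag.
BLACKLISTS = {"RSA-2048": {blacklist_tag(SUSPECT_BLOB)}}

if __name__ == "__main__":
    for line_no, key_type, bits, status in scan(SAMPLE_LINES, BLACKLISTS):
        print(f"line {line_no}: {key_type} {bits}-bit {status}")
```

Two caveats when running this against real files: an "ok" only means the key is absent from the lists you loaded, so keys of a size with no published list come back "unchecked" rather than clean, and a key that passes here may still have been generated on an affected machine if it is of a type or size the lists do not cover. The only fully safe treatment of a key known to come from such a machine is to revoke and regenerate it.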


More information about the london.pm mailing list