Debian-based OpenSSL keys -- vulnerable to attack?

Jonathan Lloyd webmaster at
Thu May 22 17:06:52 BST 2008

I am by no means a system administrator, and we don't use Debian.   I just
wanted to spread the word amongst the good Perl people.  Sorry for the

On Thu, May 22, 2008 at 1:14 AM, Barbie <barbie at> wrote:

> On Wed, May 21, 2008 at 09:50:31PM -0700, Jonathan Lloyd wrote:
> > I received a message from the Association for Computing and Machinery saying
> > that any SSL key generated on a Debian system since May of 2006 could be
> > vulnerable to attack.  Seems kind of important -- assuming it is legitimate.
>
> It is legit, and although it could be bad for Debian, they have been
> incredible at turning this around to update and fix the problem, but
> also provide measures for you to check the keys on a Debian or Ubuntu
> machine.
>
> Unfortunately there isn't anything at the moment to check the same on
> other Linux machines. But it's probably safe to say that any keys in
> your known_hosts or authorized_keys files that contain keys from Debian
> and Ubuntu machines, generated in the last 2 years, are suspect. This
> particularly applies to anyone having a VCS repository that
> authenticates using ssh keys.
>
> At GlosLUG on Tuesday we had a Debian maintainer give a presentation
> about the situation, explain how it happened and how to fix the problem.
> Several of us had fun over the weekend and on Monday [1], as we updated
> lots of machines.
>
> [1]<>
> Cheers,
> Barbie.
> --
> Birmingham Perl Mongers <>
> Memoirs Of A Roadie <>

Jonathan Lloyd
(714) 328-3249
