[plug] Debian / Ubuntu SSL Security Vulnerability

Daniel Pittman daniel at rimspace.net
Tue May 27 21:14:08 WST 2008


"Ian Ball" <ian at iball.id.au> writes:

> I haven't seen this particular issue raised here yet, but there has
> been a major security issue with SSL found recently.  Basically, a bug
> in the SSL code has gone un-noticed, and caused encryption keys to be
> shorter than they should be.  This leaves systems vulnerable to
> attack...

As a note: not just Debian or derived systems; anything that was
accessed from an insecure system, or that used a key generated on an
insecure system, is at risk here.

[...]

> It is well worth applying the latest patches to your systems :) Also,
> all SSL keys will need to be re-generated to get around the
> vulnerability.

Not all keys, only those that were generated on the insecure machine.
Mine were safe (yay) because I generated them before the problematic
patches were added to Debian and never rolled them over (boo).

> This will affect you if you are running any secure applications, such
> as https or ssh.  Also, other apps like postfix may be affected.

Anything using OpenSSL to perform SSL, SSH or other encryption is at
risk.  That covers the vast majority of packages, especially as SSL keys
are almost exclusively documented to be generated with OpenSSL.

Regards,
        Daniel



More information about the plug mailing list