+--------------------------------------------------------------------+
| Debian Bug Leaves Private SSL/SSH Keys Guessable                   |
|   from the security-is-a-process dept.                             |
|   posted by timothy on Tuesday May 13, @12:01 (Security)           |
|   http://it.slashdot.org/article.pl?sid=08/05/13/1533212           |
+--------------------------------------------------------------------+

SecurityBob writes “Debian package maintainers tend to very often modify
the source code of the package they are maintaining so that it better
fits into the distribution itself. However, most of the time, their
changes are not sent back to upstream for validation, which might cause
some [0]tension between upstream developers and Debian packagers. Today,
[1]a critical security advisory has been released: a Debian packager
modified the source code of OpenSSL back in 2006 so as to remove the
seeding of the OpenSSL random number generator, which in turn makes
cryptographic key material generated on a Debian system guessable. The
solution? Upgrade OpenSSL and re-generate all your SSH and SSL keys. This
problem not only affects Debian, but also all its derivatives, such as
Ubuntu.” Reader RichiH also points to [2]Debian’s announcement and
[3]Ubuntu’s announcement.

Discuss this story at:
http://it.slashdot.org/comments.pl?sid=08/05/13/1533212

Links:
0. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=477454
1. http://article.gmane.org/gmane.linux.debian.security.announce/1614
2. http://lists.debian.org/debian-security-announce/2008/msg00152.html
3. https://lists.ubuntu.com/archives/ubuntu-security-announce/2008-May/000705.html
