OpenSSH vulnerability (Ubuntu and Debian hit)

Austin Godber godber at uberhip.com
Tue May 13 11:05:24 MST 2008


Yeah, good thinking pointing that out.  HUGE warning to everyone.   
This isn't just something you can run an update and ignore.  The KEYS  
themselves are vulnerable, so every SSH host key, client key, openVPN  
key or openssl cert created with one of these systems should be  
considered vulnerable.  If you made a key on a vulnerable machine and  
put it on an unaffected machine the key is still bad.

Austin

On May 13, 2008, at 10:37 AM, Carlos Macedo Gomes wrote:

> Apologies if this has already vectored through your radar.  A problem
> has surfaced with Debian and Ubuntu related to the PRN in OpenSSL (and
> therefore the keys in OpenSSH, OpenSSL,  SSL, etc).  Scope is limited
> to Debian and Ubuntu systems but the problem appears to have been
> around for a couple years.
>
> Ubuntu advisory is here:
> http://www.ubuntu.com/usn/usn-612-1
>
> Here's a (rantish) writeup on the *raison d'etre*:
> http://www.links.org/?p=327
>
> Check your primes...
>
> ymmv,
> C.G.
>
> -- 
> powerofprimes at gmail.com
> Carlos Macedo Gomes
> _sic itur ad astra_
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
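
An added example, not part of the original thread: a Python sketch of auditing an authorized_keys or known_hosts file on any machine, affected or not, for keys whose fingerprint appears on a list of known-weak keys. It assumes you already have such a fingerprint list from a published source; the function names, the sample key blobs and the WEAK set are constructed for illustration and are not real keys.

```python
import base64, binascii, hashlib, struct
KEY_TYPES = ("ssh-rsa", "ssh-dss")

def decode_blob(key_type, blob_b64):
    """Decode the base64 key blob; None unless it embeds the same key type."""
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    prefix = struct.pack(">I", len(key_type)) + key_type.encode()
    return blob if blob.startswith(prefix) else None

def fingerprint(blob):
    """Colon-separated MD5 fingerprint of a decoded public-key blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def audit(text, weak_fingerprints):
    """Return (line number, key type, fingerprint, comment) for listed keys."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options or host names may precede the type: use the first valid pair.
        for i, tok in enumerate(fields[:-1]):
            blob = decode_blob(tok, fields[i + 1]) if tok in KEY_TYPES else None
            if blob is not None:
                fp = fingerprint(blob)
                if fp in weak_fingerprints:
                    findings.append((lineno, tok, fp, " ".join(fields[i + 2:])))
                break
    return findings

def sample_key(body, key_type="ssh-rsa"):
    """Constructed stand-in for a public key blob (not a real key)."""
    raw = struct.pack(">I", len(key_type)) + key_type.encode() + body
    return base64.b64encode(raw).decode()

BAD, GOOD = sample_key(b"made-on-affected-host"), sample_key(b"other")
SAMPLE = "\n".join([
    "# authorized_keys copied to an unaffected server (constructed)",
    f"ssh-rsa {GOOD} alice@laptop",
    f'command="echo ssh-rsa test",no-pty ssh-rsa {BAD} backup@oldbox',
])
WEAK = {fingerprint(base64.b64decode(BAD))}  # constructed stand-in for a real list

if __name__ == "__main__":
    print(audit(SAMPLE, WEAK))
```

The flagged entry sits in a file on a machine that was never affected itself, which is why the audit has to cover every place a public key was installed and not only the hosts that generated keys.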


