Re: OpenSSH vulnerability (Ubuntu and Debian hit)

Author: Austin Godber
Date:  
To: Main PLUG discussion list
Subject: Re: OpenSSH vulnerability (Ubuntu and Debian hit)
Yeah, good thinking pointing that out. HUGE warning to everyone.
This isn't just something you can run an update and ignore. The KEYS
themselves are vulnerable, so every SSH host key, client key, OpenVPN
key or OpenSSL cert created with one of these systems should be
considered vulnerable. If you made a key on a vulnerable machine and
put it on an unaffected machine, the key is still bad.

Austin

On May 13, 2008, at 10:37 AM, Carlos Macedo Gomes wrote:

> Apologies if this has already vectored through your radar. A problem
> has surfaced with Debian and Ubuntu related to the PRN in OpenSSL (and
> therefore the keys in OpenSSH, OpenSSL, SSL, etc). Scope is limited
> to Debian and Ubuntu systems but the problem appears to have been
> around for a couple years.
>
> Ubuntu advisory is here:
> http://www.ubuntu.com/usn/usn-612-1
>
> Here's a (rantish) writeup on the *raison d'etre*:
> http://www.links.org/?p=327
>
> Check your primes...
>
> ymmv,
> C.G.
>
> --
>
> Carlos Macedo Gomes
> _sic itur ad astra_
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>

