Debian Security Flaw

August 28th, 2008 by Mitch Frazier

The debian security flaw and the supposed attacks were pointed out to me earlier today. There's a blurb about it here on LJ. The US-CERT warning is here. The original debian advisory about the actual bug is here. I say "supposed attacks" cuz if the government says it, I'm skeptical, but that's another can of worms...

Instead of just rehashing what the security advisory says and what evvvverrrrybody else has already said I thought I'd see if I could actually see what the original patch was. Well that didn't really work out, I downloaded the patch referenced from the debian advisory page and took a look at it, but it's got numerous other fixes included and this specific fix was not obvious.

The last changelog entry is:

+openssl (0.9.8c-4etch3) stable-security; urgency=high
+
+  * Re-introducing seeding of the random number generator.  Patch from the
+    maintainer.
+
+ -- .... <....@...>  Thu, 08 May 2008 01:58:40 +0200

Which based on what I understand about the problem sounds like the culprit. It's also the only entry with about the right date.

So with that I went to the debian subversion repository to see if I could look at the isolated change, without all the other changes. Well, that didn't work out too well either because it doesn't appear to me that the change was ever committed to the repository. Of course, I suspect it has or there's a good reason why it isn't there and I'm just missing something, but it would be nice if somebody could confirm that everything's ok.

__________________________

Mitch Frazier is an Associate Editor for Linux Journal and the Web Editor for linuxjournal.com.

Special Magazine Offer -- Free Gift with Subscription
Receive a free digital copy of Linux Journal's System Administration Special Edition as well as instant online access to current and past issues. CLICK HERE for offer

Linux Journal: delivering readers the advice and inspiration they need to get the most out of their Linux systems since 1994.

Post new comment

The Latest


Coolest Desktop Screenshot Wins Prize	Nov-20-09
More Fun With Bash Quoting	Nov-19-09
IRC Chats with Pidgin!	Nov-19-09
Renaming Groups of Files From the Command Line	Nov-18-09
Introducing OpenShot	Nov-18-09
Tech Tip: Find Directories Over a Certain Size	Nov-17-09

Each week Linux Journal editors will tell you what's hot in the world of Linux. You will receive late breaking news, technical tips and tricks, and links to in-depth stories featured on www.linuxjournal.com.

Tech Tip Videos

IRC Chats with Pidgin!
Nov-19-09
Renaming Groups of Files From the Command Line
Nov-18-09
Mirror the Partner Repo from Canonical
Nov-11-09
Forget Rasterbator, Posterazor!
Nov-04-09

Recently Popular


Coolest Desktop Screenshot Wins Prize	5
Boot with GRUB	4.392855
Chapter 16: Ubuntu and Your iPod	4.58904
Nokia N900: First Look	4.785715
Why Python?	4.52314
Monitoring Hard Disks with SMART	4.70707

December 2009, #188

If last month's Infrastrucuture issue was too "big" for you then try on this month's Embedded issue. Find out how to use Player for programming mobile robots, build a humidity controller for your root cellar, find out how to reduce the boot time of your embedded system, and if you're new to embedded systems find out the basics that go into one. You can also read about the Beagle Board, the Mesh Potato and a spate of other interestingly named items. And along with our regular columns don't miss our new monthly column: Economy Size Geek.

Read this issue

Contribute to the Linux Journal Flickr Pool
Follow Linux Journal on Twitter
Add Linux Journal to your RSS reader
Meet other readers on Facebook
Get Linux Journal Miis