Debian Security Flaw

The debian security flaw and the supposed attacks were pointed out to me earlier today. There's a blurb about it here on LJ. The US-CERT warning is here. The original debian advisory about the actual bug is here. I say "supposed attacks" cuz if the government says it, I'm skeptical, but that's another can of worms...

Instead of just rehashing what the security advisory says and what evvvverrrrybody else has already said I thought I'd see if I could actually see what the original patch was. Well that didn't really work out, I downloaded the patch referenced from the debian advisory page and took a look at it, but it's got numerous other fixes included and this specific fix was not obvious.

The last changelog entry is:

+openssl (0.9.8c-4etch3) stable-security; urgency=high
+
+  * Re-introducing seeding of the random number generator.  Patch from the
+    maintainer.
+
+ -- .... <....@...>  Thu, 08 May 2008 01:58:40 +0200
Which based on what I understand about the problem sounds like the culprit. It's also the only entry with about the right date.

So with that I went to the debian subversion repository to see if I could look at the isolated change, without all the other changes. Well, that didn't work out too well either because it doesn't appear to me that the change was ever committed to the repository. Of course, I suspect it has or there's a good reason why it isn't there and I'm just missing something, but it would be nice if somebody could confirm that everything's ok.

______________________

Mitch Frazier is an Associate Editor for Linux Journal.

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState