Debian Security Flaw
The debian security flaw and the supposed attacks were pointed out to me earlier today. There's a blurb about it here on LJ. The US-CERT warning is here. The original debian advisory about the actual bug is here. I say "supposed attacks" cuz if the government says it, I'm skeptical, but that's another can of worms...
Instead of just rehashing what the security advisory says and what evvvverrrrybody else has already said I thought I'd see if I could actually see what the original patch was. Well that didn't really work out, I downloaded the patch referenced from the debian advisory page and took a look at it, but it's got numerous other fixes included and this specific fix was not obvious.
The last changelog entry is:
+openssl (0.9.8c-4etch3) stable-security; urgency=high + + * Re-introducing seeding of the random number generator. Patch from the + maintainer. + + -- .... <....@...> Thu, 08 May 2008 01:58:40 +0200Which based on what I understand about the problem sounds like the culprit. It's also the only entry with about the right date.
So with that I went to the debian subversion repository to see if I could look at the isolated change, without all the other changes. Well, that didn't work out too well either because it doesn't appear to me that the change was ever committed to the repository. Of course, I suspect it has or there's a good reason why it isn't there and I'm just missing something, but it would be nice if somebody could confirm that everything's ok.
Mitch Frazier is an Associate Editor for Linux Journal.
Webinar: 8 Signs You’re Beyond Cron
11am CDT, April 29th
Join Linux Journal and Pat Cameron, Director of Automation Technology at HelpSystems, as they discuss the eight primary advantages of moving beyond cron job scheduling. In this webinar, you’ll learn about integrating cron with an enterprise scheduler.Join us!
|Android Candy: Intercoms||Apr 23, 2015|
|"No Reboot" Kernel Patching - And Why You Should Care||Apr 22, 2015|
|Return of the Mac||Apr 20, 2015|
|DevOps: Better Than the Sum of Its Parts||Apr 20, 2015|
|Play for Me, Jarvis||Apr 16, 2015|
|Drupageddon: SQL Injection, Database Abstraction and Hundreds of Thousands of Web Sites||Apr 15, 2015|
- DevOps: Better Than the Sum of Its Parts
- "No Reboot" Kernel Patching - And Why You Should Care
- Return of the Mac
- Android Candy: Intercoms
- Drupageddon: SQL Injection, Database Abstraction and Hundreds of Thousands of Web Sites
- Designing Foils with XFLR5
- Consent That Goes Both Ways
- diff -u: What's New in Kernel Development
- Non-Linux FOSS: .NET?