SSL Glitch Unlocks Debian, Ubuntu, & Others

A vulnerability report hit the wire yesterday announcing that a commonly used security package contained a Debian-specific vulnerability rendering it guessable by hackers.

The glitch, discovered in the OpenSSL package — used for the SSL and TSL protocols, as well as other cryptographic applications — was reported by Florian Weimer, a senior Debian developer, and was described as the result of a Debian-specific change in the OpenSSL package, beginning with version 0.9.8c-1, which caused the random-number generator to produce predictable output, rendering the resulting keys insecure. The current and development versions of Debian, as well as derivatives including the Ubuntu family of distributions, are affected, though older versions which have not upgraded to 0.9.8c-1 are not. Non-Debian distributions are not affected.

According to the advisory, a range of security keys, including SSH and VPN keys, and session keys used for SSL/TLS applications generated with OpenSSL-based cryptography as well as affected keys that may have been imported to unaffected systems should be regenerated. Debian has published instructions for rectifying the problem and a detection package to assist in finding affected keys for all users; as of this writing, Ubuntu has pushed out two sets of updates through the Update Manager system to automatically address the problem and assist users in regenerating affected keys.