SSL Glitch Unlocks Debian, Ubuntu, & Others

May 14th, 2008 by Justin Ryan

A vulnerability report hit the wire yesterday announcing that a commonly used security package contained a Debian-specific vulnerability rendering it guessable by hackers.

The glitch, discovered in the OpenSSL package — used for the SSL and TSL protocols, as well as other cryptographic applications — was reported by Florian Weimer, a senior Debian developer, and was described as the result of a Debian-specific change in the OpenSSL package, beginning with version 0.9.8c-1, which caused the random-number generator to produce predictable output, rendering the resulting keys insecure. The current and development versions of Debian, as well as derivatives including the Ubuntu family of distributions, are affected, though older versions which have not upgraded to 0.9.8c-1 are not. Non-Debian distributions are not affected.

According to the advisory, a range of security keys, including SSH and VPN keys, and session keys used for SSL/TLS applications generated with OpenSSL-based cryptography as well as affected keys that may have been imported to unaffected systems should be regenerated. Debian has published instructions for rectifying the problem and a detection package to assist in finding affected keys for all users; as of this writing, Ubuntu has pushed out two sets of updates through the Update Manager system to automatically address the problem and assist users in regenerating affected keys.
__________________________
Justin Ryan is News Editor for LinuxJournal.com.
Submit a tip: Email IRC

Special Magazine Offer -- Free Gift with Subscription
Receive a free digital copy of Linux Journal's System Administration Special Edition as well as instant online access to current and past issues. CLICK HERE for offer

Linux Journal: delivering readers the advice and inspiration they need to get the most out of their Linux systems since 1994.

Plausible Explanation on Slashdot

On May 14th, 2008 Aaron Poffenberger (not verified) says:

http://tinyurl.com/3muqe9
Good analysis.

Post new comment

The Latest


Would You Like Linux With Your Jello?	Jul-03-09
Celebrate the 4th of July From the Command Line	Jul-02-09
Fireworks from the Command Line	Jul-02-09
Tech Tip: Color man Pages	Jul-02-09
Reserve Your Space on the Australian Stage	Jul-01-09
Making Processes Feel Important	Jul-01-09

Each week Linux Journal editors will tell you what's hot in the world of Linux. You will receive late breaking news, technical tips and tricks, and links to in-depth stories featured on www.linuxjournal.com.

Tech Tip Videos

Celebrate the 4th of July From the Command Line
Jul-02-09
Making Processes Feel Important
Jul-01-09
Reading Lots of Text with More and Less
Jun-30-09
Getting User Input in a Shell Script
Jun-29-09

Recently Popular


Would You Like Linux With Your Jello?	5
Why Python?	4.49337
Bash Extended Globbing	4.40909
Fireworks from the Command Line	5
Celebrate the 4th of July From the Command Line	4.57143
Boot with GRUB	4.322915

July 2009, #183

News Flash: Linux Kernel 3.0 to include an on-the-go Expresso machine interface! Ok, maybe not, but Linux is definitely going mobile, from phones to e-readers. Find out more inside about Android, the Kindle 2, the Western Digital MyBook II, The Bug, and Indamixx (a portable recording studio). And if you've gone mobile and you been wanting more Emacs in your life then check out Conkeror.

To compliment the mobile we've got the stationary: parsing command line options with getopt, checking your Ruby code with metric_fu, and building a secure Squid proxy. How is this stationary you ask? What can we say? It's not. We just wanted to see if anybody actually read this part of the page :) .

All this and more, and all you have to do is get your hot sweaty hands on the latest copy of Linux Journal.

Read this issue

Contribute to the Linux Journal Flickr Pool
Follow Linux Journal on Twitter
Add Linux Journal to your RSS reader
Meet other readers on Facebook
Get Linux Journal Miis