Username/Email:  Password: 
TwitterFacebookFlickrRSS

SSL Glitch Unlocks Debian, Ubuntu, & Others

A vulnerability report hit the wire yesterday announcing that a commonly used security package contained a Debian-specific vulnerability rendering it guessable by hackers.

The glitch, discovered in the OpenSSL package — used for the SSL and TSL protocols, as well as other cryptographic applications — was reported by Florian Weimer, a senior Debian developer, and was described as the result of a Debian-specific change in the OpenSSL package, beginning with version 0.9.8c-1, which caused the random-number generator to produce predictable output, rendering the resulting keys insecure. The current and development versions of Debian, as well as derivatives including the Ubuntu family of distributions, are affected, though older versions which have not upgraded to 0.9.8c-1 are not. Non-Debian distributions are not affected.

According to the advisory, a range of security keys, including SSH and VPN keys, and session keys used for SSL/TLS applications generated with OpenSSL-based cryptography as well as affected keys that may have been imported to unaffected systems should be regenerated. Debian has published instructions for rectifying the problem and a detection package to assist in finding affected keys for all users; as of this writing, Ubuntu has pushed out two sets of updates through the Update Manager system to automatically address the problem and assist users in regenerating affected keys.

______________________

Justin Ryan is a Contributing Editor for Linux Journal.

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Plausible Explanation on Slashdot

Aaron Poffenberger's picture

http://tinyurl.com/3muqe9
Good analysis.