Debian OpenSSL Random Number Generator Bug

Uncategorized — Антон Марчуков @ 15.05.08 1:58

In case you missed it: Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. The cause is an incorrect Debian-specific change to the openssl package (CVE-2008-0166) that stopped most of the seed material from being mixed into the generator's pool, leaving the process ID as practically the only varying input, so only a small number of distinct outputs were possible. As a result, cryptographic key material generated with it may be guessable.

You must do the following:

1) Upgrade the openssl package, and do not forget the libssl0.9.8 library package, which is what most programs actually link against.
2) Regenerate all SSL keys that were generated by the OpenSSL library on Debian systems since 2006-09-17. This includes SSH keys, OpenVPN keys, DNSSEC keys, X.509 certificate keys and others; see the key rollover page for details. Remember that your users may use key-based authentication and may have weak keys installed in their authorized_keys files, so check those as well. Also treat any DSA key that was merely used for signing or authentication on an affected system as compromised, even if it was generated elsewhere: a DSA signature made with a predictable per-signature random value leaks the private key.
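The practical form of the second step is to scan every authorized_keys file you accept and compare each key's fingerprint against the blacklist of known weak keys. Below is an added example of that check (it is not code from the original post or from Debian's ssh-vulnkey tool). The key blobs and the blacklist are constructed inline: the blobs are hand-built in the ssh-rsa wire format with dummy numbers, not real RSA keys, and the blacklist holds full colon-separated MD5 fingerprints, whereas the real openssh-blacklist files store a truncated form, so a reader would load and adapt those.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")


def _ssh_string(b: bytes) -> bytes:
    """Length-prefixed string as used in the SSH wire format."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """Big-endian two's-complement integer with a leading zero byte if the top bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa public-key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def _embedded_type(blob: bytes):
    """Return the key type string stored at the start of the blob, or None if truncated."""
    if len(blob) < 4:
        return None
    (length,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + length:
        return None
    return blob[4:4 + length].decode("ascii", "replace")


def fingerprint_md5(blob: bytes) -> str:
    """MD5 fingerprint in the colon-separated form ssh-keygen -l printed in 2008."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def parse_authorized_keys(text: str):
    """Yield (lineno, key_type, blob, comment); blob is None for malformed lines.

    Splitting on whitespace and locating the key-type token also copes with an
    options field in front of the key (quoted spaces in options do not matter
    because the base64 blob itself never contains whitespace).
    """
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        tokens = stripped.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            yield lineno, None, None, "no key type/blob found"
            continue
        key_type = tokens[idx]
        try:
            blob = base64.b64decode(tokens[idx + 1], validate=True)
        except ValueError:
            yield lineno, key_type, None, "blob is not valid base64"
            continue
        if _embedded_type(blob) != key_type:
            yield lineno, key_type, None, "blob does not match declared key type"
            continue
        yield lineno, key_type, blob, " ".join(tokens[idx + 2:])


def scan_authorized_keys(text: str, blacklist: set) -> list:
    """Return one result dict per key line, marking blacklisted fingerprints WEAK."""
    results = []
    for lineno, key_type, blob, comment in parse_authorized_keys(text):
        if blob is None:
            results.append({"line": lineno, "status": "malformed", "comment": comment})
            continue
        fp = fingerprint_md5(blob)
        results.append({
            "line": lineno,
            "type": key_type,
            "fingerprint": fp,
            "status": "WEAK" if fp in blacklist else "ok",
            "comment": comment,
        })
    return results


# Constructed sample data (dummy moduli, not real keys).
WEAK_BLOB = make_rsa_blob(65537, 0xC0FFEE_DEADBEEF_F00DBABE_01234567)
GOOD_BLOB = make_rsa_blob(65537, 0xFEEDFACE_CAFEBEEF_8BADF00D_76543210)

# Constructed blacklist; a real scan would load the openssh-blacklist files instead.
BLACKLIST = {fingerprint_md5(WEAK_BLOB)}

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " alice@etch-box",
    'from="10.0.0.0/8",no-pty ssh-rsa ' + base64.b64encode(GOOD_BLOB).decode() + " bob@laptop",
    "ssh-rsa not-base64!! broken@host",
])

if __name__ == "__main__":
    for result in scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        print(result)
```

Run against a real host, the loop would be fed the contents of each user's ~/.ssh/authorized_keys and /etc/ssh/ssh_host_*_key.pub, and any line reported as WEAK or malformed is one to remove before the upgrade is considered finished.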

This problem affects only keys generated (or, in the DSA case, used) on Debian systems and their derivatives, including Ubuntu. Such keys may have been copied to any host, however, so servers running other distributions still need to check the keys they accept.

GPG is not affected because it does not use OpenSSL. The same goes for GnuTLS.

See Debian Security Advisory DSA-1571-1 for more details.

P.S.: and yeah, shit happens.


This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.
(c) 2017 Anton Martchukov's Weblog