SSL Glitch Unlocks Debian, Ubuntu, & Others
May 14th, 2008 by Justin Ryan
A vulnerability report hit the wire yesterday announcing that a commonly used security package contained a Debian-specific vulnerability rendering it guessable by hackers.
The glitch, discovered in the OpenSSL package — used for the SSL and TSL protocols, as well as other cryptographic applications — was reported by Florian Weimer, a senior Debian developer, and was described as the result of a Debian-specific change in the OpenSSL package, beginning with version 0.9.8c-1, which caused the random-number generator to produce predictable output, rendering the resulting keys insecure. The current and development versions of Debian, as well as derivatives including the Ubuntu family of distributions, are affected, though older versions which have not upgraded to 0.9.8c-1 are not. Non-Debian distributions are not affected.
According to the advisory, a range of security keys, including SSH and VPN keys, and session keys used for SSL/TLS applications generated with OpenSSL-based cryptography as well as affected keys that may have been imported to unaffected systems should be regenerated. Debian has published instructions for rectifying the problem and a detection package to assist in finding affected keys for all users; as of this writing, Ubuntu has pushed out two sets of updates through the Update Manager system to automatically address the problem and assist users in regenerating affected keys.
__________________________
Justin Ryan is News Editor for LinuxJournal.com.
Submit a tip: Email IRC
Special Magazine Offer -- 2 Free Trial Issues!
Receive 2 free trial issues of Linux Journal as well as instant online access to current and past issues. There's NO RISK and NO OBLIGATION to buy. CLICK HERE for offer
Linux Journal: delivering readers the advice and inspiration they need to get the most out of their Linux systems since 1994.
Sorry, offer available in the US only. International orders, click here.
Delicious
Digg
Reddit
Newsvine
TechnoratiSubscribe now!
Recently Popular
| Linux HOWTO: Video Editing Magic with ffmpeg | Jul-23-08 |
| The new business of free radio | Jul-24-08 |
| Why We Must React to ACTA | Jul-24-08 |
| Chapter 16: Ubuntu and Your iPod | Aug-30-06 |
| Boot with GRUB | May-01-01 |
| Building a Call Center with LTSP and Soft Phones | Aug-25-05 |
Featured Videos
Non-linear video editing tools are great, but they're not always the best tool for the job. This is where a powerful tool like ffmpeg becomes useful. This tutorial by Elliot Isaacson covers the basics of transcoding video, as well as more advanced tricks like creating animations, screen captures, and slow motion effects.
Shawn Powers reviews the HP Mini-Note portable computer.
Thanks to our sponsor: Silicon Mechanics
Silicon Mechanics is a leading manufacturer of rackmount servers, storage, and high performance computing hardware. The best warranty offerings available are backed by experts dedicated to customer satisfaction.
From the Magazine
August 2008, #172
There's nuttin like a Cool Project to give you some relief from the summer heat, so get out your parka cuz we got a bunch of em. First up is the BUG, not a bug, The BUG. It's got a GPS, camera and more, in a hand-sized package that's user programmable. The BUG does everything. It's both a floor wax and a dessert topping. Get one now. Need a software version of a Swiss Army knife? Take a look at Billix, and don't leave home without it. Then, chew on this one, an X server on a Gumstix device driving an E-Ink display. Need more storage? How about 16 Terabytes? Can do.
And, of course, we have the usual cast of characters: Marcel, Reuven, Dave, Kyle, Doc, plus the new kid on the block Shawn Powers. But it doesn't stop there: build a MythTV box on a budget, build your own GIS system, set up the tools to monitor your enterprise and more. Finally, remember The War of the Worlds? Now you can play too.
Plausible Explanation on Slashdot
On May 14th, 2008 Aaron Poffenberger (not verified) says:
http://tinyurl.com/3muqe9
Good analysis.