A RESEARCH POSTING to the Debian security list last week has led to the confirmation of a serious hole in two flavours of the Open Sauce Linux operating system.
Frederick Lee, a researcher at insecurity company Fortify, said that the flaw, which affects Ubuntu as well as Debian, had been "seriously underestimated" as it makes the Secure Sockets Layer (SSL) of the two Linux systems vulnerable to malicious attack.
"We're calling this vulnerability 'insecure randomness' since it allows an attacker to predict the SSL cryptographic keys used for supposedly secure online transactions," he said.
Lee reckons that the flaw, which tinkers with the randomness engine used to encrypt secure transactions, could be used to intercept traffic on a supposedly secure connection between a user and, for example, an online banking site. µ
L'Inq
Debian
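A toy model of the audit problem this kind of flaw creates, as an added example that is not from the article, Debian or OpenSSL. It assumes (a detail the article does not give) that the generator's only seed input is a process ID below 32768, and it uses a hypothetical `toy_keygen` in place of real key generation. With so few seeds, every key the generator can emit can be listed in advance, which is why such keys are predictable and why an existing key inventory can be checked against that list.

```python
"""Toy model: a tiny seed space makes every possible key listable in advance."""
import hashlib
import os

# Assumption of this sketch: the only input reaching the generator is a
# process ID, so there are fewer than PID_MAX distinct seeds.
PID_MAX = 32768


def toy_keygen(seed: bytes, bits: int = 128) -> bytes:
    """Hypothetical stand-in for a key generator: deterministic given its seed."""
    return hashlib.sha256(b"toy-keygen|" + seed).digest()[: bits // 8]


def fingerprint(key: bytes) -> str:
    """Short identifier for a key, suitable for a lookup list."""
    return hashlib.sha256(key).hexdigest()[:20]


def build_weak_fingerprints() -> frozenset:
    """Fingerprints of every key the under-seeded generator can ever emit."""
    return frozenset(
        fingerprint(toy_keygen(str(pid).encode())) for pid in range(1, PID_MAX)
    )


def audit(keys: dict, weak: frozenset) -> list:
    """Return the names of keys that must be regenerated and re-certified."""
    return sorted(name for name, key in keys.items() if fingerprint(key) in weak)


WEAK = build_weak_fingerprints()

# Constructed sample inventory: two keys made by the under-seeded generator,
# one made with a properly random seed.
INVENTORY = {
    "web01-tls": toy_keygen(b"4242"),
    "mail-tls": toy_keygen(b"31000"),
    "vpn-gw": toy_keygen(os.urandom(32)),
}

if __name__ == "__main__":
    print(len(WEAK), "possible keys in total")
    print("regenerate:", audit(INVENTORY, WEAK))
```

Fixing the generator changes nothing for `web01-tls` and `mail-tls`: they stay on the weak list until they are regenerated.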
Is this an accident?

Err... yes. (ex sub ed)
http://www.ubuntu.com/community/ubuntustory/Debian
you could also say it's already fixed.
So that's why Ubuntu patched ssl yesterday. Makes you think. They patch it faster than I read it on the Inq. Can't be said about the other 2 OS vendors.
And Debian, the Ubuntu upstream provider, fixed it last week.

Although I won't go into the fun we're having getting SSL certificates reissued!
"The problematic OpenSSL code appeared in the Debian unstable distribution on September 17, 2006 and has since been propagated into the current stable and testing distributions named Etch"

Come on, Deimios... Perhaps you didn't take your time to read either the title of the article or the previous one, which is linked to this page.

If 2 years of "oh, let's deal with it later" OR "huh? SSL flaw? What's that?" is your definition of "fixing faster than the 2 other OS vendors" then you deserve something flawed.

But, since they have SOOO many dozens of millions of people using their distros everyday (*sarcastic*), perhaps they don't need to come with a fix anytime soon.

Every OS has its own flaws - even your almighty-free-super-hero Linux distros. Ubuntu is nice, but... Get over it.
Patching is not enough. All keys made with this stuff must be replaced. All stuff encrypted with this stuff must be re-encrypted. This can be a big problem for some.
Fortunately those 2 years lasted only a few days in terrestrial time.
... 2 YEARS! I thought the bug fix turnaround was supposed to be quicker because it was open source... well, at least good job for fixing the problem at all. 

If Microsoft did this, there would be class action lawsuit in the US, the EU, and everywhere else in the world. Since it's Ubuntu and Debian, nobody really cares because nobody uses Linux.
I see that there is another storm in a teacup, about security on Ubuntu.

Wake me up when Ubuntu gets anywhere near as bad as Microsoft.
I actually went and read the article again, and noticed that it is Open Sauce and not Open Source that is a problem!
Ubuntu is getting as bad as Windows every day and they even claim they are working to it.
Straight from the horse's mouth:

"the Ubuntu project attempts to work with Debian to address the issues that keep many users from using Debian."

I would rephrase it as: the Ubuntu project attempts to get people who should never administrate a computer because they don't have a clue to do so.

Instead of teaching users how to properly administrate a computer and understand what they do, Ubuntu gives them all the tools that let ignorants play with things that are far beyond them... Just like Windows does.

btw, the 2 years stuff is nothing like a storm in a tea cup. That is just telling the world that Debian (and by implication Ubuntu) package integration process (and security testing as a matter of fact) is crap. Also nothing is fixed until all certificates are regenerated, which will take a long time...

And don't get me wrong, I'm a longtime GNU/Linux user and I do like GNU/Linux. I strongly believe that minimizing the importance of what this flaw reveals is just getting part of the Linux community as stupid as Microsoft devotees...