All stories eventually come true - Douglas Hayward
|
|
|
OpenSSL bug found in Debian Linux
DEBIAN LINUX got a bit of a black eye Tuesday with the announcement that a nasty cryptographic vulnerability exists in its version of the OpenSSL package.
Debian, especially its stable branch, is widely regarded as perhaps the most bulletproof Linux distribution. Legend has it that wizened European Debian gnomes painstakingly fit together each version using well polished hand tools inherited from their watchmaking and marquetry woodcrafting forefathers.
Debian also has the not undeserved reputation of being difficult for those new to Linux to install and manage.
The Debian maintainers apparently created the vulnerability by deleting code that seeded the random number generation used to calculate encryption keys.
The result was that the random number generator used in Debian's OpenSSL package was predictable, leading to cryptographic keys that might guessable.
Debian Security Advisory DSA-1571-1 states: "Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though."
The advisory also publishes the URLs for a detector of weak encryption keys, as well as the location of instructions about how to implement key rollover.
The vulnerability only exists in Debian and Debian derived Linux systems, but those also include the Ubuntu versions of Linux that have lately become quite popular among casual desktop Linux users.
The problematic OpenSSL code appeared in the Debian unstable distribution on September 17, 2006 and has since been propagated into the current stable and testing distributions named Etch. The previous stable Debian distribution named Sarge is not affected.
Many Debian Linux desktop users shouldn't be affected by this Secure Sockets Layer (SSL) bug unless they've generated cryptographic keys for Secure Shell (SSH) access between systems or digital signing or authentication certificates.
However, techies who administrate Debian based Linux systems that traffic in certificates might be scurrying about somewhat in coming days as they apt-get the upgraded OpenSSL package and regenerate and roll over cryptographic keys and certificates. µ
See Also
INQUIRER
guide to free operating systems
Three
flavours of Open Source distros reviewed
L'Inqs
Gmane
Share this:
Share
Fixed for those who haven't generated any keys since, what, umm, September 2006? In the mean time, have fun regenerating new keys.
Surely the issue is only fixed if you have replaced guessable keys? Or if you didn't have any keys in the first place? If I were a Debian or Debian-derived distro user, I'd be regenerating my keys about now...
My Ubuntu 8.04 received the update fix notification, downloaded and repaired well before I came across this article. The benfits of Open Source.
My Ubuntu 8.04 system had received the notification, downloaded and fixed it before I came across this article. The benefits of Open Source.
Now that we´ve had a vulnerability exposed in Debian Linux, the Windows people are going to jump all over it. Never mind that most of the Windows security is based on their own version of the,¨Don´t ask, don´t tell¨ policy. Except of course, in this case, Windows users are getting screwed instead of US military people. ;)
Its fixed and security updates are already available for Ubuntu... should be available for debian too.
Since (at least) last night, when Ubuntu (and likely most other debian-based distros) ran its auto-upate.

Say, can't you find some real news?