[Wlug] Debian/*ubuntu security bug and a question...
Lee Keyser-Allen
lkeyser at alum.wpi.edu
Thu May 15 11:39:53 EDT 2008
Brian,
This particular problem is only related (as far as I can tell) to RSA
key generation. If you've not done this, then you should be okay. I
would still recommend bringing your OpenSSL lib up-to-date, as it is,
indeed, used for secure web browsing as well (although Firefox may
statically link with its own version to avoid just such problems...)
So yeah, in short, if you don't have a key that you use to sign e-mail
or for access to another computer, then you're probably fine. This is
still probably of interest to the rest of the group, though, since
there was recently a key-signing party, and with the proliferation of
Ubuntu and Debian, I'm betting that a significant number of those keys
will be compromised.
Cheers,
Lee
On Thu, May 15, 2008 at 11:34 AM, Brian A. Dewhirst
<b.dewhirst at gmail.com> wrote:
> On Thu, May 15, 2008 at 10:39 AM, Theo Van Dinter <felicity at kluge.net> wrote:
>> On Thu, May 15, 2008 at 10:32:32AM -0400, Brian A. Dewhirst wrote:
>>> I'm afraid my head spins a bit when I try to make sense of what
>>> corrective measures should be taken... has Ubuntu already rolled out a
>>> bug fix which will take care of the problem? If not, what needs to be
>>> done to fix my machine?
>>
>> In short, if you've generated any keys with OpenSSL (i.e., certificates,
>> ssh keys, etc.) on Debian or its derivatives at any time in at least the
>> last 2 years, you will want to regenerate them after you upgrade to the
>> fixed version.
>>
>> Updating will solve the weak key generation issue, but not do anything about
>> the already generated keys in use.
>
> Well, pretend you're talking to a Linux novice for a minute... does
> that mean that if I don't think I've done any cryptography that I'm
> fine, or is OpenSSL used for lots of other programs... for example,
> does Firefox use it when someone logs into their checking account?
--
Lee Keyser-Allen
(lkeyser at alum.wpi.edu)
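
Added example, not part of the original messages: following the point in the thread that upgrading does not fix keys already in use, this checks each entry of an authorized_keys file against a set of known-weak key fingerprints. The fingerprint set, the sample file contents and all function names are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

def sample_blob(body):  # constructed stand-in for an ssh-rsa key blob, not a real key
    return base64.b64encode(struct.pack(">I", 7) + b"ssh-rsa" + body).decode()

def fingerprint(b64):  # colon-separated MD5 of the decoded key blob
    digest = hashlib.md5(base64.b64decode(b64, validate=True)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

# Constructed authorized_keys content; the second entry carries quoted options.
SAMPLE = "\n".join([
    "# constructed sample",
    "ssh-rsa " + sample_blob(b"weak-demo") + " user@host",
    'command="backup run",no-pty ssh-rsa ' + sample_blob(b"ok-demo") + " backup",
    "ssh-rsa not-base64!! broken",
])
# Assumption: a vendor-supplied set of weak-key fingerprints (constructed here).
WEAK = {fingerprint(sample_blob(b"weak-demo"))}

def split_fields(line):  # split on whitespace, except inside "quoted" options
    fields, cur, quoted, prev = [], "", False, ""
    for ch in line:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                fields.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    return fields + ([cur] if cur else [])

def audit(text, weak):  # -> [(line_no, status, fingerprint, comment)]
    results = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = split_fields(line.strip())
        if not fields or fields[0].startswith("#"):
            continue
        # Key type is the first field unless an options field precedes it.
        idx = 0 if fields[0].startswith(("ssh-", "ecdsa-")) else 1
        try:
            fp = fingerprint(fields[idx + 1])
            status = "REGENERATE" if fp in weak else "not listed"
        except (IndexError, ValueError):
            fp, status = None, "unparsed"
        results.append((no, status, fp, " ".join(fields[idx + 2:])))
    return results
```

An entry reported as "not listed" is only as trustworthy as the fingerprint set supplied, and "unparsed" entries need a manual look.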