[Wlug] Debian/*ubuntu security bug and a question...
Chuck Anderson
cra at WPI.EDU
Thu May 15 13:15:02 EDT 2008
On Thu, May 15, 2008 at 10:39:51AM -0400, Theo Van Dinter wrote:
> On Thu, May 15, 2008 at 10:32:32AM -0400, Brian A. Dewhirst wrote:
> > I'm afraid my head spins a bit when I try to make sense of what
> > corrective measures should be taken... has Ubuntu already rolled out a
> > bug fix which will take care of the problem? If not, what needs to be
> > done to fix my machine?
>
> In short, if you've generated any keys with OpenSSL (i.e., certificates,
> ssh keys, etc.) on Debian or its derivatives at any time in at least the
> last 2 years, you will want to regenerate them after you upgrade to the
> fixed version.
>
> Updating will solve the weak key generation issue, but not do anything about
> the already generated keys in use.

Also, if you've used SSH Password Authentication to log in to any
system whose SSH host keys were generated with the vulnerable OpenSSL
(likely any Debian, Ubuntu, or derivative systems), then you should
change your password. Any data that was transferred over SSH to a
system with a vulnerable key could have been compromised.