Commenti a: Vulnerabilità openssh per Debian GNU/Linux http://www.ivan.agliardi.it/2008/05/15/vulnerabilita-openssh-per-debian-gnulinux/ Blog personale di Ivan Agliardi con pagine di informatica, linguaggi, idee... Tue, 03 Jan 2012 10:49:31 +0000 hourly 1 http://wordpress.org/?v=3.3.1 Di: Ivan Agliardi http://www.ivan.agliardi.it/2008/05/15/vulnerabilita-openssh-per-debian-gnulinux/comment-page-1/#comment-53 Ivan Agliardi Sat, 17 May 2008 07:00:33 +0000 http://www.ivan.agliardi.net/?p=202#comment-53 Mi correggo da solo, prima che lo faccia qualcun altro. La segnalazione presa da autorevole portale dedicato ai sysadmin Debian riportava come non Debian specific questo bug. Dopo avere approfondito l'argomento ho scoperto invece che <u>si tratta di un bug assolutamente Debian specific</u>. La prossima volta attingo direttamente ai DSA. Ecco il passaggio del DSA in cui si descrive la natura del bug: Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable. This is a Debian-specific vulnerability which does not affect other operating systems which are not based on Debian. However, other systems can be indirectly affected if weak keys are imported into them. It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation. <a href="http://lists.debian.org/debian-security-announce/2008/msg00152.html" rel="nofollow">http://lists.debian.org/debian-security-announce/2008/msg00152.html</a> Mi correggo da solo, prima che lo faccia qualcun altro. La segnalazione presa da autorevole portale dedicato ai sysadmin Debian riportava come non Debian specific questo bug. Dopo avere approfondito l’argomento ho scoperto invece che si tratta di un bug assolutamente Debian specific. La prossima volta attingo direttamente ai DSA.

Ecco il passaggio del DSA in cui si descrive la natura del bug:

Luciano Bello discovered that the random number generator in Debian’s openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a
result, cryptographic key material may be guessable.

This is a Debian-specific vulnerability which does not affect other operating systems which are not based on Debian. However, other systems can be indirectly affected if weak keys are imported into them.

It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.

http://lists.debian.org/debian-security-announce/2008/msg00152.html

]]>