OpenSSH vulnerability for Debian GNU/Linux
May 15, 2008, 00:35 | Announcements, Bugs, News, Open Source
This time the vulnerability reported by the Debian Security Advisory team is one that, it must be said, sends even the most laid-back sysadmin running for cover.
As rarely happens, this time the problem is specific to the distribution: the root cause is an incorrect Debian-specific change to the openssl package (CVE-2008-0166, see the DSA below), and OpenSSH is affected because its keys are generated with that library. To put it succinctly, every SSH user key and host key generated on a system running the affected package is untrustworthy: the random number generator used to create them was predictable, so the keys themselves are guessable.
For the curious, the text of the DSA is attached at the bottom of this post.
Fixing the problem is still a breeze. You simply run:
apt-get dist-upgrade
and confirm at the prompt. Note, though, that the upgrade only fixes the package: as the DSA says, any key material generated on the affected system has to be recreated from scratch, and copies of those keys that ended up on other machines (authorized_keys, known_hosts) have to be replaced as well.
Here, finally, the Debian Security Advisory DSA-1576-1 . Happy reading!
May 17, 2008 at 9:00 am
I stand corrected, by myself, before someone else does it. The report I picked up from an authoritative website for Debian sysadmins described this bug as Debian-specific. After looking into the matter I found that it is in fact a very Debian-specific bug. Next time I will go straight to the DSA.
Here is the passage of the DSA that describes the nature of the bug:
Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.
This is a Debian-specific vulnerability which does not affect other operating systems which are not based on Debian. However, other systems can be indirectly affected if weak keys are imported into them.
It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.
http://lists.debian.org/debian-security-announce/2008/msg00152.html
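To make concrete why "predictable" means "guessable" here, the following is an added example, not code from the original post or from Debian or OpenSSL. It models the structural weakness described by the DSA: after the faulty change, the only entropy feeding the generator was the process ID, so for a given key type, size and architecture there were only 32767 possible keys, and an attacker can enumerate all of them. The toy key derivation (`toy_keygen`, a hash of the PID) stands in for real key generation and is an assumption for illustration only; `PID_MAX` is the Linux default of the time; the 20-hex-digit fingerprint suffix format is modelled on my understanding of the Debian blacklist files used by the `ssh-vulnkey` tool shipped with the fix, and should be treated as an assumption too.

```python
"""Simplified model of CVE-2008-0166: PID-only seeding makes the key space enumerable.

Added example, not from the original post. toy_keygen() is a stand-in for OpenSSL key
generation (assumption for illustration); the real code is not reproduced.
"""
import hashlib

# Linux default pid_max in 2008: valid PIDs are 1..32767, so 32767 possible keys per
# (type, size, architecture) once the PID is the only entropy source.
PID_MAX = 32768


def toy_keygen(pid, key_type="rsa", bits=2048):
    """Stand-in for key generation whose only 'randomness' is the PID (assumption)."""
    seed = f"{key_type}:{bits}:{pid}".encode()
    return hashlib.sha256(seed).digest()  # pretend this is the public key blob


def fingerprint(pubkey):
    """OpenSSH-style MD5 fingerprint of a public key blob, as 32 hex digits."""
    return hashlib.md5(pubkey).hexdigest()


def build_blacklist(key_type="rsa", bits=2048):
    """Enumerate every key the broken generator could produce and record its fingerprint.

    The suffix-only storage (drop the first 12 hex digits, keep 80 bits) mirrors my
    understanding of Debian's blacklist files (assumption).
    """
    return {fingerprint(toy_keygen(pid, key_type, bits))[12:]
            for pid in range(1, PID_MAX)}


def is_weak(pubkey, blacklist):
    """Defender side: the check a tool like ssh-vulnkey performs against the blacklist."""
    return fingerprint(pubkey)[12:] in blacklist


def recover_pid(pubkey, key_type="rsa", bits=2048):
    """Attacker side: find the PID that produced a public key.

    In the real attack, knowing the PID lets the attacker regenerate the private key,
    which is why every key from an affected system must be treated as compromised.
    """
    target = fingerprint(pubkey)
    for pid in range(1, PID_MAX):
        if fingerprint(toy_keygen(pid, key_type, bits)) == target:
            return pid
    return None


def properly_seeded_key():
    """A constructed stand-in for a key made with real entropy (not in the PID space)."""
    return hashlib.sha256(b"constructed example: 256 bits of real entropy").digest()


if __name__ == "__main__":
    blacklist = build_blacklist()
    victim = toy_keygen(4242)
    print("blacklist size:", len(blacklist))
    print("victim key weak:", is_weak(victim, blacklist))
    print("recovered pid:", recover_pid(victim))
    print("good key weak:", is_weak(properly_seeded_key(), blacklist))
```

The blacklist takes seconds to build because the whole key space is only 32767 entries, which is the entire point: a space that small can be searched exhaustively, so checking a key against the blacklist (the defender's move) and recovering the key from its fingerprint (the attacker's move) are the same computation.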