OpenSSL vuln: Debian/Ubuntu


The basic idea of it is Debian butchered their OpenSSL suite and it's been
turning out weak/breakable keys since OpenSSL versions starting with
0.9.8c-1. The SANS article focuses on OpenSSH, but it's really deeper.
The Debian page talks about OpenSSL.

"Furthermore, all DSA keys ever used on affected Debian systems for
signing or authentication purposes should be considered compromised; the
Digital Signature Algorithm relies on a secret random value used during
signature generation."

"It is strongly recommended that all cryptographic key material which has
been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
systems is recreated from scratch. Furthermore, all DSA keys ever used on
affected Debian systems for signing or authentication purposes should be
considered compromised;"

 [** America, the police state **]
Whoooose! What's that noise? Why, it's US citizen's
rights, going down the toilet with Bush flushing. /
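
Why the advisory quoted in the post above treats DSA keys as compromised after mere use on an affected system, shown as an added example (not part of the original thread or of any OpenSSL code): in textbook DSA, anyone who learns the per-signature random value k can solve the signing equation for the private key from a single signature. The toy parameters, message and function names are constructed for illustration.

```python
import hashlib

# Toy DSA domain parameters, constructed for this example (far too small for
# real use): q is prime, q divides p - 1, and g = 2^((p-1)/q) mod p has order q.
P, Q, G = 607, 101, 64

def digest(msg: bytes) -> int:
    """Hash the message and reduce it modulo q."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def sign(x: int, k: int, msg: bytes):
    """Textbook DSA signature with private key x and per-signature secret k.
    Returns None when this k gives r == 0 or s == 0 (a signer would redraw k)."""
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (digest(msg) + x * r)) % Q
    return (r, s) if r and s else None

def verify(y: int, msg: bytes, sig) -> bool:
    """Standard DSA verification against public key y = g^x mod p."""
    r, s = sig
    w = pow(s, -1, Q)
    u1, u2 = (digest(msg) * w) % Q, (r * w) % Q
    return (pow(G, u1, P) * pow(y, u2, P)) % P % Q == r

def private_key_from_known_k(k: int, msg: bytes, sig) -> int:
    """s = k^-1 (H(m) + x*r) mod q  rearranges to  x = (s*k - H(m)) * r^-1 mod q."""
    r, s = sig
    return ((s * k - digest(msg)) * pow(r, -1, Q)) % Q

if __name__ == "__main__":
    x = 57                                  # constructed private key
    y = pow(G, x, P)                        # matching public key
    msg = b"constructed sample message"
    # Walk k values until one yields a usable signature (r and s non-zero).
    k, sig = next((k, s) for k in range(2, Q) if (s := sign(x, k, msg)))
    print("signature verifies:", verify(y, msg, sig))
    print("key recovered from k:", private_key_from_known_k(k, msg, sig) == x)
```

The private key here could have been generated on a perfectly healthy machine; one signature made with a guessable k is enough, which is why such keys need replacing and not only regenerating on the affected host.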

Re: OpenSSL vuln: Debian/Ubuntu


Anything that uses OpenSSL generated keys or links to the defective
Debian openssl libraries needs to be replaced. This could be your ssh
keys, keys made for TLS mail transfer, self-generated certificates for
your web site, etc.


John (

Re: OpenSSL vuln: Debian/Ubuntu

Okay, I've gotta say, I really love Debian's effect on the Linux
community as a whole, but for the love of god how did they let
something based on this:

Quote from the coder:

What I currently see as best option is to actually comment out
those 2 lines of code.  But I have no idea what effect this
really has on the RNG.  The only effect I see is that the pool
might receive less entropy.  But on the other hand, I'm not even
sure how much entropy some uninitialised data has.

...into the frigging distribution?  Talk about a stupid mistake!

Re: OpenSSL vuln: Debian/Ubuntu

I demand that Damo Gets may or may not have written...


Some people think that the key to what happened here is the use and
understanding of the word "debugging".

Debian packages, at least the C or C++ parts, are normally built with "-O2
-g", though with many packages, the debug info is then thrown away. The
intent being that you can use the same package for normal use *and*
debugging. It's reasonable to assume, therefore, that this is what Kurt
Roeckx meant (despite the lack of any libssl*-dbg package).

OpenSSL upstream, however, may well have understood it as a throwaway build
for debugging purposes, with (and here's the really important bit) the
changes made for debuggability also being thrown away afterwards. It isn't
clear from Ulf Möller's follow-up message which is meant: "if it helps with
debugging, I'm in favor (sic) of removing them".

And I'm in favour of leaving in changes which are useful for debugging,
though not necessarily of leaving them active by default. :-)

| Darren Salt    | linux or ds at              | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + At least 4000 million too many people. POPULATION LEVEL IS UNSUSTAINABLE.

You have literary talent that you should take pains to develop.
