[wplug] OpenSSL security vulnerability
Christopher DeMarco
demarco at maya.com
Thu May 15 10:23:32 EDT 2008

On Thu, May 15, 2008 at 03:49:36PM +0200, Patrick Wagstrom wrote:
> I haven't seen any discussion of this, but it's actually very
> important. Some time ago, approximately two years, a single line
> was removed from the Debian installation of OpenSSL. Reading
> around, it looks like it was removed because the line caused a
> problem when profiling the code with Valgrind. Unfortunately, this
> had the nasty side effect of reducing the possible key space to 2^15
> keys instead of 2^1024 possible keys. Yeah, it took two years for
> people to realize this.

[snip]

> complete key sets on the net, and I'd imagine that by this evening
> the 4096 set will be available to download. Thus, if you run a

For the record: This vulnerability was announced on the 13th, so
Patrick's estimate of "this evening" for the next bit (ha!) of
keyspace to hit the 'net.

This is A Big Deal. Drop whatever you're doing and go fix this --
this can be considered on par with disk errors on the urgency scale.
--
Christopher DeMarco <demarco at maya.com>
IT Director
MAYA Group
+1-412-488-2900
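
An added example, not part of the original message and not Debian's or OpenSSL's code: a toy model of why a 2^15 keyspace lets every possible key be enumerated in advance and an inventory of deployed keys be checked against that list by fingerprint. `toy_keygen`, `build_blocklist`, `audit` and the host names are hypothetical, and the key generator is a hash-based stand-in rather than real RSA.

```python
import hashlib
import os

SEED_SPACE = 2 ** 15  # keyspace size given in the quoted message


def toy_keygen(seed: int, bits: int = 1024) -> bytes:
    """Hypothetical stand-in for key generation (not RSA): the output depends
    only on the seed, which is the property the quoted message describes."""
    return hashlib.shake_256(b"toy-keygen|%d|%d" % (bits, seed)).digest(bits // 8)


def fingerprint(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()


def build_blocklist(bits: int = 1024) -> frozenset:
    """Enumerate every key the reduced seed space can produce."""
    return frozenset(fingerprint(toy_keygen(s, bits)) for s in range(SEED_SPACE))


def audit(keys: dict, blocklist: frozenset) -> list:
    """Return the names of keys whose fingerprint is in the blocklist."""
    return sorted(n for n, k in keys.items() if fingerprint(k) in blocklist)


def sample_keys() -> dict:
    # Constructed sample inventory: one key from the weak generator, one
    # drawn from the operating system's CSPRNG.
    return {"host-a": toy_keygen(4242), "host-b": os.urandom(128)}


if __name__ == "__main__":
    bl = build_blocklist()
    print(len(bl), "possible keys enumerated")
    print("replace:", audit(sample_keys(), bl))
```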