[wplug] OpenSSL security vulnerability

Michael Semcheski mhsemcheski at gmail.com
Thu May 15 11:19:07 EDT 2008


I want to clarify something here:

This affects not just the server keys, but also any user keys that may have
been generated (e.g., id_rsa).

Thus, if you have an authorized_keys entry for a key generated from an
Ubuntu or Debian system, the prudent thing is probably to delete it, and
regenerate your user keys.


Mike

On Thu, May 15, 2008 at 10:49 AM, Christopher DeMarco <demarco at maya.com>
wrote:

> On Thu, May 15, 2008 at 10:32:09AM -0400, Brian Sammon wrote:
>
> > > I haven't seen any discussion of this, but it's actually very important.
> > > Some time ago, approximately two years, a single line was removed from the
> > > Debian installation of OpenSSL.  Reading around, it looks like it was
> > > removed because the line caused a problem when profiling the code with
> > > Valgrind.  Unfortunately, this had the nasty side effect of reducing the
> > > possible key space to 2^15 keys instead of 2^1024 possible keys.  Yeah, it
> >
> > Reference?
>
> The horse's mouth, as it were...
>
>    http://www.debian.org/security/2008/dsa-1576
>
>
> --
> Christopher DeMarco <demarco at maya.com>
> IT Director
> MAYA Group
> +1-412-488-2900
>
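
One way to carry out the authorized_keys check suggested at the top of this message, as an added example that is not part of the original post: it fingerprints every entry (MD5, colon-separated hex) and reports those found on a list of known-weak fingerprints. The function names, the sample keys and the weak list are constructed for illustration; a real list of affected fingerprints has to come from your distribution.

```python
import base64, hashlib, shlex, struct

KEY_TYPES = {"ssh-rsa", "ssh-dss"}

def fingerprint(b64_blob):
    """MD5 fingerprint of the decoded public key blob, colon-separated hex."""
    digest = hashlib.md5(base64.b64decode(b64_blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def audit(text, weak_fingerprints):
    """Return (line_no, fingerprint, comment) for every entry on the weak list."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)  # leading options may hold quoted spaces
            idx = next(i for i, f in enumerate(fields) if f in KEY_TYPES)
            fp = fingerprint(fields[idx + 1])
        except (ValueError, StopIteration, IndexError):
            continue  # malformed entry: nothing to fingerprint
        if fp in weak_fingerprints:
            hits.append((line_no, fp, " ".join(fields[idx + 2:])))
    return hits

def make_sample_key(seed):
    """Constructed stand-in for a public key blob (not a real key)."""
    parts = [b"ssh-rsa", b"\x01\x00\x01", b"\x00" + hashlib.sha256(seed).digest() * 4]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return base64.b64encode(blob).decode()

# Constructed sample data: one unaffected key, one "weak" key used twice.
WEAK_KEY = make_sample_key(b"weak")
GOOD_KEY = make_sample_key(b"good")
WEAK_LIST = {fingerprint(WEAK_KEY)}  # assumption: stands in for a real weak-key list
SAMPLE = "\n".join([
    "# constructed authorized_keys content",
    "ssh-rsa " + GOOD_KEY + " alice@fedora-box",
    'command="/usr/bin/rsync --server",no-pty ssh-rsa ' + WEAK_KEY + " backup@debian-box",
    "ssh-rsa " + WEAK_KEY + " bob@ubuntu-laptop",
])

if __name__ == "__main__":
    for hit in audit(SAMPLE, WEAK_LIST):
        print("delete and regenerate: line %d %s (%s)" % hit)
```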