[glug-t] Debian fixes serious crypto bug

Locksmith overtime for sys admins

Debian has warned of a vulnerability in its cryptographic functions that
could leave systems open to attack.

The use of a cryptographically flawed pseudo random number generator in
Debian's implementation of OpenSSL meant that potentially predictable keys
were generated. Versions of Debian's OpenSSL packages starting with 0.9.8c-1
(released in September 2006) are potentially vulnerable.

Many types of cryptographic keys (including SSH, SSL session keys, OpenVPN
and others) generated on affected systems may be weak, so the impact of the
bug is potentially far reaching.

Sys admins are advised to generate new cryptographic keys after updating
their software, as explained in Debian's
advisory<http://lists.debian.org/debian-security-announce/2008/msg00152.html>.
Security notification firm Secunia
notes<http://secunia.com/advisories/30220/> that Debian's OpenSSL
update also addresses a potential denial of service risk.

Debian said the flaw arises from a change it alone made in the OpenSSL
package, suggesting that Linux distributions not derived from Debian are
free from the bug. One *Reg* reader has traced the flaw back to an attempt
to silence a
warning<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516> from
a debugging tool. Another has suggested the bug resides within OpenSSL
itself and dates from May 2006, a theory we are currently investigating. (R)

