[LUNI] Debian/Ubuntu OpenSSL Random Number Generator Vulnerability

sean lynch sean-lynch at sean-lynch.com
Sat May 17 12:45:51 CDT 2008


Douglas J. Trainor wrote:
>
> Technical Cyber Security Alert TA08-137A yada yada yada
>
> The result of this error is that certain encryption keys are much more
> common than they should be. This vulnerability affects cryptographic
> applications that use keys generated by the flawed versions of the
> OpenSSL package. Affected keys include, but may not be limited to, SSH
> keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509
> certificates and session keys used in SSL/TLS connections. Any of
> these keys generated using the affected systems on or after 2006-09-17
> may be vulnerable. Keys generated with GnuPG, GNUTLS, ccrypt, or other
> encryption utilities that do not use OpenSSL are not vulnerable
> because these applications use their own random number generators.
>
> II. Impact
>
> A remote, unauthenticated attacker may be able to guess secret key
> material. The attacker may also be able to gain authenticated access
> to the system through the affected service or perform
> man-in-the-middle attacks.

The Debian wiki has a good article following this:
http://wiki.debian.org/SSLkeys

Help can also be found here:
http://www.debian.org/security/key-rollover

Including tools to help you find and clean up any mess this may have 
made for you.

SJVN has a pretty frank and honest article on how Debian's practice of 
often 'forking' upstream created the problem in the first place:
http://blogs.computerworld.com/fixing_debian_openssl
http://practical-tech.com/operating-system/linux/open-source-security-idiots/

Some people have said he is too harsh. I can see forking being practical 
to help Debian deal with the many platforms they support, but they can't 
say they don't have enough time to test. They take as much as they want. 
It was a mistake and should be dealt with honestly. The response from 
the Debian team has been swift.

At least things like this are the exception in the GNU/Linux world, not 
the rule like with other OSes!

