# Monday, May 19, 2008
« UCNUG Meeting Wednesday Night | Main | Files From Last Week's Launch Event in S... »
Debian OpenSSL Vulnerability

I got this from an issue of the RISKS digest. The real problem is that we don't know what OS is used when we purchase a certificate. It might be a good idea to contact the vendors you have purchased certificates from and make sure that you are not affected by this.

 

DSA-1571-1 openssl -- predictable random number generator Date Reported: 13 May 2008 Affected Packages: openssl

Vulnerable: Yes

Security database references: In Mitre's CVE dictionary: CVE-2008-0166.

 

More information:

 

Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.

 

This is a Debian-specific vulnerability which does not affect other operating systems which are not based on Debian. However, other systems can be indirectly affected if weak keys are imported into them.

 

It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation. ...

 

http://www.debian.org/security/2008/dsa-1571

 

Security
Monday, May 19, 2008 10:31:37 AM (Mountain Standard Time, UTC-07:00)  #    Disclaimer  |  Comments [1]  |  Related posts:
Discussion Over Browser Security
Download Urgent Security Update for Internet Explorer
New Live.com: It’s A Social Network!
Updating and securing machines
Good Sites with Bad Content
Reset Password Link as a Security Threat