When you create an ssh session, you're using public keys on both sides and you're still using the bad P-RNG in libssl to create a new encrypted session. Take a look in your ~/.ssh/known_hosts. All of those that were generated on Debian/Ubuntu systems are 'weak'. See this part of the advisory:<br>
<br>"
This includes the automatically generated host keys used by OpenSSH,
which are the basis for its server spoofing and man-in-the-middle
protection.
"<br><br>So yes, even if you're using passwords, you need to update all your Debian and Ubuntu systems.<br><br>dan<br><br><div class="gmail_quote">On Thu, May 15, 2008 at 8:36 PM, Brett Schubert <<a href="mailto:catsceo@gmail.com">catsceo@gmail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Even if I don't use the keys?<br><br><div class="gmail_quote">On Thu, May 15, 2008 at 2:38 PM, Dan Trevino <<a href="mailto:dantrevino@gmail.com" target="_blank">dantrevino@gmail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
No. You need to update your systems.<div><div></div><div><br><br><div class="gmail_quote">On Thu, May 15, 2008 at 1:01 PM, Brett Schubert <<a href="mailto:catsceo@gmail.com" target="_blank">catsceo@gmail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
So I should be safe if I use a password login?<div><div></div><div><br><br><div class="gmail_quote">On Thu, May 15, 2008 at 10:04 AM, Neo Taoist Techno Pagan <<a href="mailto:neotaoisttechnopagan@gmail.com" target="_blank">neotaoisttechnopagan@gmail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">I haven't heard of any specific situations in which it would be used -<br>
yet. But yes, I do use passwordless logins on a few systems - only those<br>
here behind my firewall that I have physical access to.<br>
<div><br>
Brett Schubert wrote:<br>
> This sounds like it only affects people who use a passwordless log-in,<br>
> right?<br>
><br>
> On Thu, May 15, 2008 at 7:27 AM, Neo Taoist Techno Pagan<br>
> <<a href="mailto:neotaoisttechnopagan@gmail.com" target="_blank">neotaoisttechnopagan@gmail.com</a><br>
</div><div>> <mailto:<a href="mailto:neotaoisttechnopagan@gmail.com" target="_blank">neotaoisttechnopagan@gmail.com</a>>> wrote:<br>
><br>
> Yay - I get to admin all my remote servers today... :-(<br>
><br>
> <a href="http://ubuntu-tutorials.com/2008/05/13/openssh-openssh-vulnerabilities-confirm-fix-instructions/" target="_blank">http://ubuntu-tutorials.com/2008/05/13/openssh-openssh-vulnerabilities-confirm-fix-instructions/</a><br>
><br>
><br>
> --<br>
> Ubuntu-us-fl mailing list<br>
</div>> <a href="mailto:Ubuntu-us-fl@lists.ubuntu.com" target="_blank">Ubuntu-us-fl@lists.ubuntu.com</a> <mailto:<a href="mailto:Ubuntu-us-fl@lists.ubuntu.com" target="_blank">Ubuntu-us-fl@lists.ubuntu.com</a>><br>
<div>> Modify settings or unsubscribe at:<br>
> <a href="https://lists.ubuntu.com/mailman/listinfo/ubuntu-us-fl" target="_blank">https://lists.ubuntu.com/mailman/listinfo/ubuntu-us-fl</a><br>
><br>
><br>
<br>
<br>
</div><div><div></div><div>
</div></div></blockquote></div><br>
</div></div><br>
<br></blockquote></div><br>
</div></div><br>
<br></blockquote></div><br>
<br></blockquote></div><br>
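The point in the top message about host keys in ~/.ssh/known_hosts can be checked mechanically. The following is an added example, not part of the original thread: it parses known_hosts entries and flags keys whose MD5 fingerprint tail appears in a blacklist. It assumes a blacklist of 20-hex-character fingerprint tails in the style of Debian's openssh-blacklist package; the keys, host names, helper names and blacklist contents used here are constructed for illustration.

```python
import base64, hashlib, struct

def _s(b):                      # SSH wire "string": 4-byte length + bytes
    return struct.pack(">I", len(b)) + b

def make_rsa_blob(n, e=65537):  # hypothetical helper: builds constructed sample keys
    mp = lambda i: _s(i.to_bytes(i.bit_length() // 8 + 1, "big"))
    return _s(b"ssh-rsa") + mp(e) + mp(n)

def parse_blob(blob):
    """Split an SSH public-key blob into its length-prefixed fields."""
    fields, off = [], 0
    while off + 4 <= len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return fields

def md5_tail(blob):
    """Last 80 bits (20 hex chars) of the key's MD5 fingerprint (assumed list format)."""
    return hashlib.md5(blob).hexdigest()[-20:]

def audit_known_hosts(text, blacklist):
    """Return (host, keytype, rsa_bits, tail) for every blacklisted entry."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):        # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) < 3:
            continue
        host, keytype, b64 = parts[:3]      # host may be hashed ("|1|salt|hash")
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue                        # malformed key field, skip the entry
        fields, bits = parse_blob(blob), None
        if keytype == "ssh-rsa" and len(fields) == 3:
            bits = int.from_bytes(fields[2], "big").bit_length()
        if md5_tail(blob) in blacklist:
            hits.append((host, keytype, bits, md5_tail(blob)))
    return hits

# Constructed sample data: these are not real keys and not real blacklist entries.
KEY_A = make_rsa_blob((1 << 2047) | 0x1234567)
KEY_B = make_rsa_blob((1 << 1023) | 0x89ABCDF)
SAMPLE = "\n".join(["# constructed known_hosts",
    "web1.example.net ssh-rsa " + base64.b64encode(KEY_A).decode(),
    "|1|c2FsdA==|aGFzaA== ssh-rsa " + base64.b64encode(KEY_B).decode()])
```

Any host the audit flags needs its host key regenerated on the patched server and its stale entry removed from known_hosts on every client.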