Fairly serious Debian security bug

Sandy Harris sandyinchina at gmail.com
Tue May 13 15:11:22 UTC 2008

Does this affect Ubuntu? Is it fixed?

>From that bulletin:

    It is strongly recommended that all cryptographic key material
    which has been generated by OpenSSL versions starting with
    0.9.8c-1 on Debian systems is recreated from scratch.

   Furthermore, all DSA keys ever used on affected Debian systems
   for signing or authentication purposes should be considered
   compromised; ....

    The first vulnerable version, 0.9.8c-1, was uploaded to the
   unstable distribution on 2006-09-17, and has since propagated
   to the testing and current stable (etch) distributions.  ...

Which, if any, Ubuntu versions are affected?

    Affected keys include SSH keys, OpenVPN keys, DNSSEC
    keys, and key material for use in X.509 certificates and
    session keys used in SSL/TLS connections.  Keys generated
    with GnuPG or GNUTLS are not affected, though.

This looks serious. What is the recovery procedure to ensure
any compromised keys are cleaned up?

Sandy Harris,
Nanjing, China

More information about the ubuntu-users mailing list