Fairly serious Debian security bug
sandyinchina at gmail.com
Tue May 13 15:11:22 UTC 2008
Does this affect Ubuntu? Is it fixed?
>From that bulletin:
It is strongly recommended that all cryptographic key material
which has been generated by OpenSSL versions starting with
0.9.8c-1 on Debian systems is recreated from scratch.
Furthermore, all DSA keys ever used on affected Debian systems
for signing or authentication purposes should be considered
The first vulnerable version, 0.9.8c-1, was uploaded to the
unstable distribution on 2006-09-17, and has since propagated
to the testing and current stable (etch) distributions. ...
Which, if any, Ubuntu versions are affected?
Affected keys include SSH keys, OpenVPN keys, DNSSEC
keys, and key material for use in X.509 certificates and
session keys used in SSL/TLS connections. Keys generated
with GnuPG or GNUTLS are not affected, though.
This looks serious. What is the recovery procedure to ensure
any compromised keys are cleaned up?
More information about the ubuntu-users