Ryan's Inter-Online Web Blog

The best of a bad lot
« Real Time Photo: 0513081800.jpgReal Time Photo: 0510082009.jpg »

Meddling in the affairs of dragons: Debian/Ubuntu OpenSSL PRNG flawed

Permalink 05/13/08 12:54, by Ryan, Categories: Geekery , Tags: , , , , , , , ,

Link: http://wiki.debian.org/SSLkeys

April 2006: OpenSSL pseudorandom number generation code throws valgrind error, and a bug report is filed.[1]

May 2006: New package is released and shipped.

* Don't add uninitialised data to the random number generator. This stop valgrind from giving error messages in unrelated code. (Closes: #363516)[2]

September 2006: Given a second chance to avoid a terrible fate, the bug fix is actually applied:

* Move the modified rand/md_rand.c file to the right place, really fixing #363516.[3]

May 2008: "WHAT THE FUCK... WHO... JESUS HOLY SHIT! OH GOD!"

http://lists.debian.org/debian-security-announce/2008/msg00152.html
https://lists.ubuntu.com/archives/ubuntu-security-announce/2008-May/000705.html

Summary: Any Debian or Ubuntu or derivative system that has generated a key (including SSH host keys!!) within the past two years is... uhh... well, let's just say you're going to want to recreate those keys. Oh, and if you used DSA at all, sorry.

apt-get update && apt-get upgrade ('tho I needed to dist-upgrade due to the openssh-blacklist package being added) will fix your SSH situation under Ubuntu, up to and including regenerating your keys and rejecting connections using bad client keys. ssh-vulnkey can be used to check your authorized_keys. YMMV under Debian, etc. I don't personally use https or other SSL'd services on my Debian/Ubuntu machines at the moment, so I'm not sure how to fix that.

Other software advisories:

SpaceHobo sent along some additional information about how obvious the openssl-team mailing list is. Run, don't walk, to your music store to get Yakety Sax if you aren't already listening to it in your head.

This page has a lot of useful stuff: http://wiki.debian.org/SSLkeys I highly recommend a gander at it, as it generally has better information than this post.

edit: revise wording on apt-get update paragraph to mention that my knowledge is SSH-specific; added other software advisory section. added advogato link from spacehobo. added debian wiki link, made it the master link on this blog entry.

3 comments »

3 comments

Comment from: Charles [Visitor] · http://technomancer.me.uk
*****
Thanks for the heads up on this, I was attempting to procrastinate instead of revising and I now have something important to do.

And because life is like that, the exam for which I should be revising for is Secure Computing.
05/13/08 @ 20:16
Comment from: Randy [Visitor]
*****
Hmmm, so SSL keys generated for our Debian Apache server should be regenerated too?

Ubuntu requires openssh-blacklist be installed with this upgrade. I'd like to 'ssh-vulnkey -a' to see if I should regenerate our web server keys. Is there a Debian openssh-blacklist package available?

http://www.ubuntu.com/usn/usn-612-2
05/14/08 @ 00:01
Comment from: Ryan [Member] Email · http://blog.hoopycat.com/
Randy: I don't have any afflicted web servers, so I'm not totally sure, but I'd say you're probably going to want to regenerate those. However, I don't think ssh-vulnkey will work for anything other than SSH keys (but I could be proven wrong :-)

The Debian announcement has a link to the tool if you wanna give it a spin.

Charles: Humans are always the weakest link. :-)
05/14/08 @ 09:17

Comments are closed for this post.

Blog posts come from a can. They were put there by a man in a factory downtown.

Recent Twitterings

    Stalk me with RSS

    What is RSS?

    Bogroll

      Search the Blog

       

      Support the Beer Fund

      Powered by Linode: Life's too short for crappy hosting

      [Powered by Linode]

      Dehumidifier

      about...

      blog tool

      © 1962-2010 by Ryan Tucker (Public Key)

      Contact | Blog template by Asevo | blog soft | cheap web hosting | adsense