[nSLUG] debian/ubuntu ssl security (CVE-2008-0166)

Jon Watson me at jonwatson.ca
Mon May 19 14:41:15 ADT 2008


On Mon, May 19, 2008 at 2:38 PM, George N. White III <gnwiii at gmail.com> wrote:

> <http://www.debian.org/security/2008/dsa-1571>
>
> "Luciano Bello discovered that the random number generator in Debian's
> openssl package is predictable. This is caused by an incorrect
> Debian-specific change to the openssl package (CVE-2008-0166). As a
> result, cryptographic key material may be guessable."
>
> Debian Wiki: <http://wiki.debian.org/SSLkeys>
>
> "A discussion of why this change was made can be found at #363516 and
> also on the openssl-dev list. Judging from the discussion there, the
> main culprit seems to be a misunderstanding about which is the right
> list to ask this question on, followed by misleading answers from the
> list."
>


I heard about this in the LJ IRC channel and was told that *buntu 8.04 was safe as it used a later version of OpenSSL. However, upon doing a system update recently, I found that wasn't the case because I had carried keys over from who knows how long ago. So, just food for thought, I guess, for those of us who are running newer versions of openssl with keys that were generated with previous versions.

Jon
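As an added example (not from the original post, and not Debian's own tooling), the toy below models the defender's side of Jon's point: because the Debian change left the process ID as the only entropy feeding OpenSSL's PRNG, every key a vulnerable system could produce is enumerable, which is how Debian's blacklist packages and ssh-vulnkey detected affected keys. It stands in a hypothetical SHA-256 derivation for real RSA/DSA key generation so it runs offline; the check flags a carried-over key no matter which OpenSSL version is installed when it runs.

```python
"""Toy model of CVE-2008-0166 key blacklisting (added example)."""
import hashlib
import os

# Linux pid_max at the time was 2**15, so a vulnerable host could only
# ever produce one key per PID value: 32767 candidates per key type/size.
PID_MAX = 32768


def weak_keygen(pid: int) -> bytes:
    """Vulnerable generator: the PID is the only entropy.

    Hypothetical derivation (SHA-256 of a label and the PID) standing in
    for real key generation; the real bug had the same shape, not this code.
    """
    return hashlib.sha256(b"toy-weak-key:" + pid.to_bytes(4, "big")).digest()


def strong_keygen() -> bytes:
    """Fixed generator: seeded from the OS CSPRNG, so not enumerable."""
    return hashlib.sha256(b"toy-strong-key:" + os.urandom(32)).digest()


def fingerprint(key: bytes) -> str:
    """Fingerprint as a blacklist would store it (truncated hex digest)."""
    return hashlib.sha256(key).hexdigest()[:20]


def build_blacklist() -> frozenset:
    """Enumerate every key the weak generator can emit, one per PID."""
    return frozenset(fingerprint(weak_keygen(pid)) for pid in range(1, PID_MAX))


BLACKLIST = build_blacklist()


def is_vulnerable(key: bytes, blacklist: frozenset = BLACKLIST) -> bool:
    """True if the key could only have come from the predictable generator.

    The check depends on the key itself, not on the OpenSSL version now
    installed: upgrading the library does not clear a key made before it.
    """
    return fingerprint(key) in blacklist


if __name__ == "__main__":
    old_key = weak_keygen(pid=4321)  # constructed: carried over from a vulnerable host
    new_key = strong_keygen()        # constructed: generated after the fix
    print("blacklist entries:", len(BLACKLIST))
    print("old key vulnerable:", is_vulnerable(old_key))
    print("new key vulnerable:", is_vulnerable(new_key))
```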