[nSLUG] debian/ubuntu ssl security (CVE-2008-0166)
me at jonwatson.ca
Mon May 19 14:41:15 ADT 2008
On Mon, May 19, 2008 at 2:38 PM, George N. White III <gnwiii at gmail.com> wrote:
> "Luciano Bello discovered that the random number generator in Debian's
> openssl package is predictable. This is caused by an incorrect
> Debian-specific change to the openssl package (CVE-2008-0166). As a
> result, cryptographic key material may be guessable."
> Debian Wiki: <http://wiki.debian.org/SSLkeys>
> "A discussion of why this change was made can be found at #363516 and
> also on the openssl-dev list. Judging from the discussion there, the
> main culprit seems to be a misunderstanding about which is the right
> list to ask this question on, followed by misleading answers from the
I heard about this in the LJ IRC channel and was told that *buntu 8.04
was safe as it used a later version of OpenSSL. However, upon doing a
system update recently, I found that wasn't the case because I had
carried keys over from who knows how long ago. So, just food for
thought, I guess, for those of us who are running newer versions of
openssl with keys that with previous versions.