Slashdot Mirror

← Back to Stories (view on slashdot.org)

Debian Bug Leaves Private SSL/SSH Keys Guessable

Posted by timothy on from the security-is-a-process dept.

SecurityBob writes "Debian package maintainers tend to very often modify the source code of the package they are maintaining so that it better fits into the distribution itself. However, most of the time, their changes are not sent back to upstream for validation, which might cause some tension between upstream developers and Debian packagers. Today, a critical security advisory has been released: a Debian packager modified the source code of OpenSSL back in 2006 so as to remove the seeding of OpenSSL random number generator, which in turns makes cryptographic key material generated on a Debian system guessable. The solution? Upgrade OpenSSL and re-generate all your SSH and SSL keys. This problem not only affects Debian, but also all its derivatives, such as Ubuntu." Reader RichiH also points to Debian's announcement and Ubuntu's announcement.

16 of 670 comments (clear)

  1. What's the hurry? by n0dna · · Score: 5, Funny

    It was accidentally introduced in 2006... so that's what, another 14 years before it gets moved into 'stable'?

    *grin*

  2. How Frakin stupid can you be? by nweaver · · Score: 5, Funny

    "You fell for one of the classic blunders, the most famous being 'Never get involved in a land war in Asia' but only slightly less well known is 'Don't use poorly seeded pRNGs in cryptographic protocols!' HAHAHAHAHAHHAHAHAHAHHAHAHAHAHAHA!!!!

    --
    Test your net with Netalyzr
    1. Re:How Frakin stupid can you be? by EricR86 · · Score: 4, Funny

      BUTTERCUP: Who are you?

      MAN IN BLACK: I am no one to be trifled with, that is all you ever need know.

      BUTTERCUP: To think -- all that time it was your cryptographic protocol that was poorly seeded.

      MAN IN BLACK: They were both poorly seeded. I spent the morning downloading a patch to build an immunity to keys being guessed.

  3. Re:stupid stupid stupid by penfold69 · · Score: 5, Funny

    That's funny, I use the exact same seed on my luggage.

    --
    Beer Coat: The invisible but warm coat worn when walking home after a booze cruise at 3 in the morning.
  4. Re:OSS, only as good as the last developer? by Anonymous Coward · · Score: 4, Funny

    Or some sort of voting system on contributors (how very Web 2.0) so you can see how the people who touched your package were rated

    I give anyone who touches my package 5 stars!!!

  5. comics by Anonymous Coward · · Score: 5, Funny

    http://www.random.org/analysis/dilbert.jpg
    http://www.xkcd.com/221/

  6. Re:i wondered what was going on by Anonymous Coward · · Score: 0, Funny

    This has nothing to do with the vulnerability being discussed here. In other words:

    NUH-UH!!
  7. Too early by sakonofie · · Score: 5, Funny
    I realized I probably should be legally required to have a morning cup of coffee before thinking because I am an idiot otherwise.

    I wake up and what do I see first thing? That there is a problem with Debian's OpenSSH package and the /. article links to the following code snippet:

    def init(pipeline, librarian):
              gst.debug_set_default_threshold(gst.LEVEL_ERROR)
    - if gst.element_make_from_uri(gst.URI_SRC, "file://", ""):
    + if gst.element_make_from_uri(
    + gst.URI_SRC,
    + "file:///Sebastian/Droge/please/choke/on/a/bucket/of/cocks", ""):
                      global playlist
                      playlist = PlaylistPlayer(pipeline or "gconfaudiosink", librarian)
                      return playlist

    Now I am thinking, "What exactly is going on here? Is choking on a bucket of cocks not a good source of randomness?"
  8. Re:stupid stupid stupid by Dekortage · · Score: 4, Funny

    Exactly what I was thinking. But it could be interpreted multiple ways: (a) it was criminals; (b) it was terrorists; (c) it was Microsoft.

    --
    $nice = $webHosting + $domainNames + $sslCerts
  9. Re:It will be fixed by truthsearch · · Score: 5, Funny

    My wifes ssh key is "Debian compromised". Talk about an easy key to guess! At least throw in some numbers or something. ;)
    --
    Developers: We can use your help.
  10. Might as well... by GeekDork · · Score: 1, Funny

    OK, this is as good a place as any.

    FUCKING IDIOT NOOB ASSHOLES!!!!!1!

    --

    Fight hunger. Filet a politician and send him to a 3rd world country of your choice.

  11. Re:stupid stupid stupid by Yvanhoe · · Score: 4, Funny

    How is that mutually exclusive ?

    --
    The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
  12. Re:2 years? by Chemisor · · Score: 2, Funny

    Open Source programmers are getting older, and many eyes are getting blurry.

  13. Re:It will be fixed by dotancohen · · Score: 5, Funny

    My wifes ssh key is "Debian compromised" Say thank you that your wife is at least that far. If I dare say ssh in the wife's presence, I get a vase thrown at me and she screams for me to shut the fuck up.
    --
    It is dangerous to be right when the government is wrong.
  14. I guess I'd better change my private key... by corifornia2 · · Score: 0, Funny

    $ cat ~/.ssh/id_rsa
    -----BEGIN RSA PRIVATE KEY-----
    7
    ------END RSA PRIVATE KEY------


    Yipes.

  15. Re:It will be fixed by BooRolla · · Score: 5, Funny

    Don't go bragging. A lot of people know the key to rooting your wife's box.