Slashdot Mirror


Debian Bug Leaves Private SSL/SSH Keys Guessable

SecurityBob writes "Debian package maintainers tend to very often modify the source code of the package they are maintaining so that it better fits into the distribution itself. However, most of the time, their changes are not sent back to upstream for validation, which might cause some tension between upstream developers and Debian packagers. Today, a critical security advisory has been released: a Debian packager modified the source code of OpenSSL back in 2006 so as to remove the seeding of the OpenSSL random number generator, which in turn makes cryptographic key material generated on a Debian system guessable. The solution? Upgrade OpenSSL and re-generate all your SSH and SSL keys. This problem not only affects Debian, but also all its derivatives, such as Ubuntu." Reader RichiH also points to Debian's announcement and Ubuntu's announcement.
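As an added illustration (not part of the story, and not OpenSSL's or Debian's code): a toy model of why a PRNG with its seeding removed yields an enumerable key space, and the fingerprint-blacklist check a defender can run against deployed keys. It assumes, as was the case in the real bug, that the process id is the only input left to the generator; the key derivation itself is a constructed stand-in, not real RSA/DSA generation.

```python
"""Toy model: seeded vs. unseeded PRNG feeding key generation, plus the
blacklist check a defender uses to find keys from the broken build.
Constructed illustration only; not OpenSSL's algorithm or Debian's patch."""
import hashlib
import hmac
import os

# Assumption (matching the historical bug): with seeding removed, the
# process id, a 15-bit value on Linux, was the only PRNG input left.
PID_SPACE = range(1, 32768 + 1)


def toy_keygen(seed: bytes) -> bytes:
    """Deterministic stand-in for key generation: the 'key' depends only on
    the PRNG state, so identical seeds produce identical keys."""
    return hmac.new(b"toy-key-derivation", seed, hashlib.sha256).digest()


def unseeded_keygen(pid: int) -> bytes:
    """Models the broken build: the pid is the only entropy."""
    return toy_keygen(pid.to_bytes(2, "big"))


def seeded_keygen(pid: int) -> bytes:
    """Models the fixed build: real OS entropy is mixed in alongside the pid."""
    return toy_keygen(pid.to_bytes(2, "big") + os.urandom(32))


def fingerprint(key: bytes) -> str:
    """Short fingerprint, the same way blacklists index keys rather than
    storing the key material itself."""
    return hashlib.sha256(key).hexdigest()[:16]


def build_blacklist() -> set:
    """Defender's side: every key the broken build could ever produce."""
    return {fingerprint(unseeded_keygen(pid)) for pid in PID_SPACE}


def is_weak(key: bytes, blacklist: set) -> bool:
    """The check to run over authorized_keys, host keys and TLS certs:
    a key whose fingerprint is in the blacklist must be regenerated."""
    return fingerprint(key) in blacklist


BLACKLIST = build_blacklist()

if __name__ == "__main__":
    print(len(BLACKLIST))                                # 32768 possible keys
    print(is_weak(unseeded_keygen(1234), BLACKLIST))     # True
    print(is_weak(seeded_keygen(1234), BLACKLIST))       # False
```

The whole "key space" of the broken build is 32768 entries, which is why upgrading alone is not enough: every key generated while the bug was present has to be regenerated, not just the library replaced.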

5 of 670 comments

  1. Yeah, that'll get people to switch... by Sun.Jedi · · Score: 1, Troll

    So this is how linux is going to replace Windows on the desktop? By creating custom functionality that breaks RFCs and common sense? Some things never change, do they?

  2. Re:Of course... by Anonymous Coward · · Score: 0, Troll

    Yeah, and? What has that got to do with anything? Want some cheese to go with that whine?

    Quit being a cry baby and run 'apt-get upgrade' already. It would have taken you less time than to come in here and complain.

  3. Re:It will be fixed by Anonymous Coward · · Score: 0, Troll

    Debian people screwed up. This leaves a huge distaste in my mouth for Debian (and Ubuntu).

    Yeah! 'Cause you never made a mistake, did you? Plus this was such an obvious and egregious mistake; any fool could/would have caught it. The Debian distributions are obviously crap.

    Are you kidding me?

  4. Why open source doesn't work for business by holophrastic · · Score: 0, Troll

    So who's accountable for damages as a direct result of such a problem? If I were using such software to run my business, and this sort of security problem became more than just a threat, what sort of recourse do I have? Which programmer do I get to sue?

  5. Re:Ubuntu Gutsy already updated... by Frosty+Piss · · Score: 0, Troll

    Got up this morning, booted the machine and got a software update first thing: OpenSSH (et al) updates for my Ubuntu Gutsy install. Then I show up over here and see why. Presumably Feisty and Hardy got them as well - they are listed on the Ubuntu announcement.

    Thanks for that wonderful insight. Did you also scratch your balls and stroke the morning wood? Please let us know.
    --
    If you want news from today, you have to come back tomorrow.