Slashdot Mirror


Debian Bug Leaves Private SSL/SSH Keys Guessable

SecurityBob writes "Debian package maintainers tend to very often modify the source code of the package they are maintaining so that it better fits into the distribution itself. However, most of the time, their changes are not sent back to upstream for validation, which might cause some tension between upstream developers and Debian packagers. Today, a critical security advisory has been released: a Debian packager modified the source code of OpenSSL back in 2006 so as to remove the seeding of the OpenSSL random number generator, which in turn makes cryptographic key material generated on a Debian system guessable. The solution? Upgrade OpenSSL and re-generate all your SSH and SSL keys. This problem not only affects Debian, but also all its derivatives, such as Ubuntu." Reader RichiH also points to Debian's announcement and Ubuntu's announcement.
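The submission above describes the consequence of the change but not why "guessable" follows from it. The script below is an added illustration written for this page; it is not code from OpenSSL, Debian or Ubuntu and does not reproduce the actual defect. It assumes, purely for the model, that the broken generator's only remaining seed input is a small integer with 2**15 possible values, uses SHA-256 in counter mode as a stand-in for the PRNG, and treats 32 bytes of PRNG output as "key material". With those assumptions it shows the two things a practitioner cares about: every key the broken generator can ever produce can be enumerated in advance (which is how a weak-key blacklist scanner works, and equally how an attacker recovers the seed behind a published key), and mixing real entropy back into the seed takes the key out of that enumerable set.

```python
import hashlib
import os
from typing import Dict, List, Optional

# Assumption for illustration only: the broken generator's sole remaining seed
# input is a small integer with 2**15 distinct values. The real OpenSSL change
# is not modeled here; this shows what a tiny seed space does to key generation.
SEED_SPACE = 2 ** 15
KEY_LEN = 32  # stand-in for "key material": 32 bytes drawn from the PRNG


def prng_stream(seed_material: bytes, n: int) -> bytes:
    """Toy deterministic PRNG: SHA-256 in counter mode over the seed material.
    Identical seed material gives identical output, which is the property that
    makes the weak case below enumerable."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed_material + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def weak_key(seed: int) -> bytes:
    """Broken seeding: nothing but the small seed value reaches the PRNG."""
    return prng_stream(seed.to_bytes(4, "big"), KEY_LEN)


def fixed_key(seed: int, entropy: Optional[bytes] = None) -> bytes:
    """Corrected seeding: the same small value plus real entropy from the OS."""
    if entropy is None:
        entropy = os.urandom(32)
    return prng_stream(seed.to_bytes(4, "big") + entropy, KEY_LEN)


def fingerprint(key: bytes) -> str:
    """Short identifier for a key, the way a blacklist indexes weak keys."""
    return hashlib.sha256(key).hexdigest()[:16]


def build_blacklist(seed_space: int = SEED_SPACE) -> Dict[str, int]:
    """Enumerate every key the broken generator can possibly emit.
    A defender builds this table once to detect weak keys; an attacker builds
    the same table to look up the seed behind any weak key they encounter."""
    return {fingerprint(weak_key(s)): s for s in range(seed_space)}


def recover_seed(key: bytes, blacklist: Dict[str, int]) -> Optional[int]:
    """Table lookup: the seed that produced `key`, or None if it is not weak."""
    return blacklist.get(fingerprint(key))


def scan_keys(keys: List[bytes], blacklist: Dict[str, int]) -> List[int]:
    """Indices of keys that must be regenerated: the check a weak-key scanner runs."""
    return [i for i, k in enumerate(keys) if fingerprint(k) in blacklist]


if __name__ == "__main__":
    bl = build_blacklist()
    # Constructed sample key set: two weakly seeded keys around one properly seeded key.
    sample = [weak_key(7), fixed_key(7), weak_key(30000)]
    print("weak keys at indices:", scan_keys(sample, bl))
    print("seed behind sample[0]:", recover_seed(sample[0], bl))
```

Building the table for the whole assumed seed space takes a fraction of a second, which is the point: once the seed space is that small, the key is recoverable by lookup no matter how strong the key algorithm itself is, and the only remedy is the one the advisory gives, fix the generator and regenerate every key it produced.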

13 of 670 comments

  1. You stupid god damned open sourcers by Anonymous Coward · Score: -1, Troll

    You told me your OS was secure, and you leave in a huge HUGE hole like this? For 2 god damned YEARS?

    Windows here I come. At least someone would be accountable for shit work like this.

  2. Re:It will be fixed by tuxgeek · Score: -1, Troll

    Considering that this is in the daylight now, it has probably already been fixed.

    Nothing to see here, move along ...

    --
    "Suppose you were an idiot...and suppose you were a member of Congress...but I repeat myself." Mark Twain
  3. Yeah, that'll get people to switch... by Sun.Jedi · Score: 1, Troll

    So this is how linux is going to replace Windows on the desktop? By creating custom functionality that breaks RFC and common sense? Some things never change, do they?

  4. Re:Of course... by Anonymous Coward · Score: 0, Troll

    Yeah, and? What has that got to do with anything? Want some cheese to go with that whine?

    Quit being a cry baby and run 'apt-get upgrade' already. It would have taken you less time than to come in here and complain.

  5. Only took 2 Years by MikeyG79 · Score: -1, Troll

    Funny how 2 years after the fact people make a big fuss over it.

  6. Strikes at the heart of the matter by Anonymous Coward · Score: -1, Troll

    This is why I only use software that is cryptographically signed by Windows Update; that way there's someone to sue if critical security flaws are "updated" into my system. Laugh all you want at the Genuine Advantage, I think this story proves it exists.

  7. Question by Anonymous Coward · Score: -1, Troll

    Wasn't FOSS supposed to prevent these types of problems in the first place?

  8. Re:It will be fixed by Anonymous Coward · Score: 0, Troll

    Debian people screwed up. This leaves a huge distaste in my mouth for Debian (and Ubuntu).

    Yeah! Cause you never made a mistake, did you. Plus, this was such an obvious and egregious mistake; any fool could/would have caught it. The Debian distributions are obviously crap.

    Are you kidding me?

  9. Why open source doesn't work for business by holophrastic · Score: 0, Troll

    So who's accountable for damages as a direct result of such a problem? If I were using such software to run my business, and this sort of security problem became more than just a threat, what sort of recourse do I have? Which programmer do I get to sue?

  10. Affected programs by Anonymous Coward · Score: -1, Troll

    Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections... so basically every form of cryptography we use in daily business is compromised, as we're running debian almost exclusively. WHO THE HELL LET THIS KIND OF FUCKUP HAPPEN?!?

    I think this is the last straw for us on linux, the last kernel exploit was bad enough. Moving to OpenBSD asap.

  11. Re:Ubuntu Gutsy already updated... by Frosty+Piss · Score: 0, Troll

    Got up this morning, booted the machine and got a software update first thing: OpenSSH (et al) updates for my Ubuntu Gutsy install. Then I show up over here and see why. Presumably Feisty and Hardy got them as well - they are listed on the Ubuntu announcement.

    Thanks for that wonderful insight. Did you also scratch your balls and stroke the morning wood? Please let us know.
    --
    If you want news from today, you have to come back tomorrow.
  12. Re:stupid stupid stupid by Anonymous Coward · Score: -1, Troll

    valgrind complained about this use of an output buffer for input.

    Will you please quit making up terminology like "output buffer", as if to say that some memory is somehow designated write-only? The buffer is uninitialized, not an "output buffer"... Memory is memory is memory, and valgrind is only checking to see if it's been properly written before.
  13. Re:It will be fixed by Anonymous Coward · Score: -1, Troll

    your bitch is a bitch.
    leave her before she fucks you out of your house and home.
    Sell it out from under her.