[Uaflug] Debian SSH Advisory...
Orion Sky Lawlor
ffosl at uaf.edu
Tue May 13 15:11:54 AKDT 2008
No other distributions are at risk--it's a Debian-caused
problem: "This is caused by an incorrect Debian-specific change to
the openssl package (CVE-2008-0166)."
So Debian, Ubuntu, and Knoppix users have to patch; Gentoo, RedHat,
Fedora, etc. are safe (from this bug!).
--
-Orion Sky Lawlor
http://lawlor.cs.uaf.edu/~olawlor/ ffosl at uaf.edu
On Tue, 13 May 2008, roger wrote:
> Should have got Gentoo? ;-)
>
> Nothing posted within (Gentoo) GLSAs yet.
> http://www.gentoo.org/security/en/index.xml
>
>
> On Tue, 2008-05-13 at 14:29 -0800, Orion Sky Lawlor wrote:
> > Debian screwed up the OpenSSH key generation algorithm in 2007,
> > so SSH keys generated with Ubuntu 7.04, 7.10, and 8.04 are weak,
> > coming from a small set of known "blacklisted" keys that are fairly
> > easy to bruteforce.
> >
> > They realized the bug 2008-05-13:
> > http://article.gmane.org/gmane.linux.debian.security.announce/1614
> > http://www.ubuntu.com/usn/usn-612-2
> >
> > Debian/Ubuntu users, upgrade your packages! The new package
> > "ssh-vulnkey" will look for weak "blacklisted" keys on your machine.
> > I'm a big Ubuntu fan, and I found a few bad keys on my machines!
>
> --
> Roger
> http://www.eskimo.com/~roger/index.html
>
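The thread describes the weak keys as a small set of known "blacklisted" keys. The following is an added example, not part of the original posts and not ssh-vulnkey's own code, showing one way to check public-key lines against such a list. It assumes the blacklist is a set of MD5 key fingerprints; all function names and the sample keys are constructed for illustration.

```python
import base64, binascii, hashlib, struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # key types to look for

def key_blob(line):
    """Return the decoded key blob from a public-key or authorized_keys line."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field not in KEY_TYPES:
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except (binascii.Error, ValueError):
            continue
        # The blob must start with its own length-prefixed type name; this
        # rejects a "ssh-rsa" that only appears inside an option string.
        name = field.encode()
        if blob[:4 + len(name)] == struct.pack(">I", len(name)) + name:
            return blob
    return None

def fingerprint(blob):
    return hashlib.md5(blob).hexdigest()  # legacy MD5 fingerprint, as hex

def find_blacklisted(lines, blacklist):
    """Return (line_number, fingerprint) for every key found in the blacklist."""
    hits = []
    for number, line in enumerate(lines, 1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        blob = key_blob(line)
        if blob is not None and fingerprint(blob) in blacklist:
            hits.append((number, fingerprint(blob)))
    return hits

def _sample_line(seed, prefix="", comment="user@host"):
    # Constructed stand-in for a key: valid type header plus filler bytes.
    blob = struct.pack(">I", 7) + b"ssh-rsa" + hashlib.sha256(seed).digest()
    return f"{prefix}ssh-rsa {base64.b64encode(blob).decode()} {comment}"

SAMPLE = [  # constructed authorized_keys content
    "# keys for the build account",
    _sample_line(b"weak-1", comment="laptop"),
    _sample_line(b"good-1", comment="server"),
    _sample_line(b"weak-2", prefix='command="echo ssh-rsa AAAA" '),
]
BLACKLIST = {fingerprint(key_blob(_sample_line(s))) for s in (b"weak-1", b"weak-2")}

if __name__ == "__main__":
    print(find_blacklisted(SAMPLE, BLACKLIST))
```

Any key the check flags has to be regenerated on a patched system and removed from every authorized_keys file that lists it.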