Problems with OpenSSL and OpenSSH
A serious vulnerability has been reported in the Debian and Ubuntu distributions of Linux. It is a security problem with OpenSSL and OpenSSH, which are used to encrypt your data when connecting to secure web pages and when connecting via ssh to other nodes and servers. The issue has been described as a weakness in the random number generator that is used to create the OpenSSL and OpenSSH cryptographic keys. Apparently the generated cryptographic keys were not random enough, which leaves them susceptible to brute force attacks.
This is a vulnerability for all Debian and Ubuntu systems installed since 2006. Red Hat and other Linux distributions are not impacted by this OpenSSL and OpenSSH vulnerability. Fixes are available and the appropriate Ubuntu packages have already been updated. If you manage Debian or Ubuntu systems, you should consider investigating this issue and upgrading your packages. I pulled down the new packages today and regenerated my SSH cryptographic keys.
Here are four links that will help you test and resolve this vulnerability:
http://www.debian-administration.org/articles/596
http://www.ubuntugeek.com/fix-for-opensslsshvpn-vulnerability-in-ubuntu-704710804.html
http://ubuntu-tutorials.com/2008/05/13/openssh-openssh-vulnerabilities-confirm-fix-instructions/
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/229964
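Upgrading the packages does not replace keys that already exist, so old public keys left in authorized_keys files still need to be found and removed. The sketch below is an added example, not code from this post or from the linked articles: it audits an authorized_keys file against a list of known-weak key fingerprints. The blocklist source, its one-MD5-fingerprint-per-entry format, and all sample data are assumptions constructed for illustration.

```python
import base64
import binascii
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # key types in use when this flaw was reported

def md5_fingerprint(key_b64):
    """MD5 hex digest of the decoded public-key blob (colon-free fingerprint)."""
    return hashlib.md5(base64.b64decode(key_b64, validate=True)).hexdigest()

def parse_authorized_keys(text):
    """Yield (line_no, key_type, base64_blob, comment) for each key line."""
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options such as from="..." may precede the key type, so search for it.
        for i, field in enumerate(fields[:-1]):
            if field in KEY_TYPES:
                yield line_no, field, fields[i + 1], " ".join(fields[i + 2:])
                break

def audit(text, weak_fingerprints):
    """Return findings (line_no, status, comment); status is WEAK or UNPARSEABLE."""
    weak = {fp.replace(":", "").lower() for fp in weak_fingerprints}
    findings = []
    for line_no, _type, blob, comment in parse_authorized_keys(text):
        try:
            fp = md5_fingerprint(blob)
        except (binascii.Error, ValueError):
            # A damaged entry cannot be cleared, so report it for manual review.
            findings.append((line_no, "UNPARSEABLE", comment))
            continue
        if fp in weak:
            findings.append((line_no, "WEAK", comment))
    return findings

# Constructed sample data: these blobs are placeholders, not real keys.
_weak_blob = base64.b64encode(b"constructed-weak-key-blob").decode()
_good_blob = base64.b64encode(b"constructed-regenerated-key-blob").decode()
SAMPLE_BLOCKLIST = [md5_fingerprint(_weak_blob)]
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys file",
    f"ssh-rsa {_weak_blob} alice@old-laptop",
    f'from="10.0.0.5" ssh-dss {_good_blob} backup@nas',
    "ssh-rsa not*base64 carol@broken",
])

if __name__ == "__main__":
    for line_no, status, comment in audit(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BLOCKLIST):
        print(f"line {line_no}: {status} key ({comment}) - remove and reissue")
```

Any entry reported as WEAK should be deleted from the file and the key's owner asked to generate a new key pair on a patched system.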