Hopefully by now most Debian sysadmins have updated their systems and regenerated any weak OpenSSL keys found. Since last week's disclosure, the Debian team has done a great job of identifying every possibly affected program and type of key, and there are certainly many.
Special pages were created to help people migrate their keys and to identify whether their keys are weak. In my previous post I discussed how to identify and regenerate the vulnerable SSH keys, obviously the most targeted by attacks against this issue. This post will answer the questions I have received by email on how you can identify and regenerate Apache PEM keys (SSL certificates).
Tags: debian-etch, openssl
Yesterday, 13 May 2008, was a really bad day for the Debian project, probably one of the worst days in the history of Debian. Luciano Bello discovered that the random number generator in Debian’s openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.
Systems which are running any of the following releases are affected:
Tags: debian-etch, openssl, ssh
A while ago, I linked an interesting story about the Ethereal name change to Wireshark. If you are a tethereal user (the console version of Ethereal) and use Debian testing (like I do), you will notice that the Debian developers have pushed the new version with the changed name into the Etch repositories. Where the counterpart of ethereal is wireshark, for tethereal it is tshark (and not twireshark, as you might have expected).
When you install the new version, it will remove the ethereal package and we will be left with wireshark.
Tags: debian-etch, ethereal, networking, wireshark