Hopefully by now most debian sysadmins have updated their systems and regenerated any weak openssl keys found. After the disclosure from last week, the debian team has done a great job to identify any possible affected program and any type of key, and for sure there are many .
Special pages were created to help peoples migrate their keys and also to identify if their keys are weak or not. In my previous post I have discussed howto indentify and regenerate the ssh vulnerable keys, obviously the most targeted by attacks against this issue. This post will answer the questions I have received on email on how you can identify and regenerate apache PEM keys (SSL certificates).

Read the rest of this entry »

Yesterday, 13 May 2008, was a really bad day for the Debian project, probably one of the worst days in the history of Debian. Luciano Bello discovered that the random number generator in Debian’s openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.

Systems which are running any of the following releases are affected :

• Debian 4.0 (etch):
  http://www.debian.org/security/2008/dsa-1571
• Ubuntu 7.04 (Feisty), 7.10 (Gutsy), 8.04 LTS (Hardy):
  http://www.ubuntu.com/usn/usn-612-1
• and other debian etch based distros.

Read the rest of this entry »