Tuesday, May 13, 2008

Epic Fail: Debian Distributes Faulty OpenSSL

Debian released a security vulnerability alert concerning their version of OpenSSL where a package maintainer (accidentally?) removed the random number seeding mechanism in the cryptographic key generator. Therefore it makes the resulting keys guessable, hence useless. Every key generated on Debian since 2006 (this includes Etch) with the faulty program should be revoked and regenerated. This bug is not present in the official OpenSSL sources or in other non-Debian distributions. It only occurs in the Debian version of OpenSSL beginning with version 0.9.8c-1, but is fixed in the latest version of the package (0.9.8c-4etch3, which is safe to use).

No comments: