Stories Of Nerdy Adventures (Now With 100% More Cetaceans)
Tuesday, May 13, 2008
Epic Fail: Debian Distributes Faulty OpenSSL
Debian released a security advisory concerning their version of OpenSSL: a package maintainer (accidentally?) removed the random number seeding mechanism from the cryptographic key generator, so the resulting keys are guessable and therefore useless. Every key generated on Debian since 2006 (this includes Etch) with the faulty program should be revoked and regenerated. This bug is not present in the official OpenSSL sources or in other, non-Debian distributions. It only occurs in the Debian version of OpenSSL beginning with version 0.9.8c-1, and is fixed in the latest version of the package (0.9.8c-4etch3, which is safe to use).
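As an added illustration (not code from this post, from Debian or from OpenSSL): a toy Python model of why a key generator whose only seed input is a small value yields an enumerable key space, and how that same property lets a defender precompute a blacklist of every key such a generator can emit and check installed keys against it. It assumes a seed space of 32768 values and uses SHA-256 as a stand-in for key derivation; both are simplifications chosen for the demonstration.

```python
import hashlib
import os
import random

# Constructed toy model. A properly seeded generator draws its seed from
# the OS entropy pool; the broken one here has nothing left to mix in but
# one small integer, so it can only ever produce PID_MAX distinct keys.
PID_MAX = 32768  # assumed size of the seed space (a simplification)


def derive_key(seed_bytes: bytes) -> str:
    """Stand-in for key generation: deterministic in the seed, as real keygen is."""
    return hashlib.sha256(seed_bytes).hexdigest()


def broken_keygen(seed: int) -> str:
    """Models the faulty generator: the entropy pool holds nothing but `seed`."""
    return derive_key(seed.to_bytes(4, "little"))


def fixed_keygen() -> str:
    """Models the corrected generator: 32 bytes from the OS entropy source."""
    return derive_key(os.urandom(32))


def build_blacklist() -> set:
    """Enumerate every key the broken generator can ever emit, once."""
    return {broken_keygen(seed) for seed in range(PID_MAX)}


def is_weak(key: str, blacklist: set) -> bool:
    """Detection check: a key that appears in the blacklist must be revoked."""
    return key in blacklist


def demo():
    """Returns (blacklist size, weak key flagged?, strong key flagged?)."""
    blacklist = build_blacklist()
    weak_key = broken_keygen(random.randrange(PID_MAX))
    strong_key = fixed_keygen()
    return len(blacklist), is_weak(weak_key, blacklist), is_weak(strong_key, blacklist)


if __name__ == "__main__":
    print(demo())  # (32768, True, False)
```

The blacklist fits in memory precisely because the seed space is tiny; a correctly seeded generator has no such list to build, which is the whole point of the seeding the patch removed.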