Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
Jan Luehr wrote:
> Hello,
>
> Am Dienstag, 13. Mai 2008 schrieb Corey Hickey:
>> Jan Luehr wrote:
>>> Hello,
>>>
>>> Am Dienstag, 13. Mai 2008 schrieb Vincent Bernat:
>>>> OoO En ce début d'après-midi nuageux du mardi 13 mai 2008, vers 14:06,
>>>>
>>>> Florian Weimer <fw@deneb.enyo.de> disait:
>>>>> Package : openssl
>>>>> Vulnerability : predictable random number generator
>>>> Some other random questions:
>>>> - It seems that firefox does not handle CRL unless manually imported,
>>>> correct? This means that in most cases already issued certificates
>>>> are still vulnerable even revoked. A quick look seems to show that
>>>> most software do not handle CRL at all.
>>>> - As a maintainer of a package that have generated certificates using
>>>> OpenSSL, how should we handle the issue?
>>>>
>>>> For the last question, I see several solutions:
>>>> - the user has to read the DSA and handle it himself
>>> Since some keys are generated automatically, (e.g. ssh host keys) users
>>> will have to regenerate keys,they haven't generated in the first place
>>> and might not be aware of their existens.
>>> That's bad.
>> Unless I'm gravely mistaken, SSH keys aren't affected by this
>> vulnerability. OpenSSH and OpenSSL are separate, and your ssh program
>> generated its own keys.
>
> As stated in the DSA:
> »Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key
> material for use in X.509 certificates and session keys used in SSL/TLS
> connections. Keys generated with GnuPG or GNUTLS are not affected,
> though.«
Yeah, I just realized OpenSSH uses libSSL; sorry for the noise.
-Corey
Reply to: