Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
Hello,
Am Dienstag, 13. Mai 2008 schrieb Corey Hickey:
> Jan Luehr wrote:
> > Hello,
> >
> > Am Dienstag, 13. Mai 2008 schrieb Vincent Bernat:
> >> OoO En ce début d'après-midi nuageux du mardi 13 mai 2008, vers 14:06,
> >>
> >> Florian Weimer <fw@deneb.enyo.de> disait:
> >>> Package : openssl
> >>> Vulnerability : predictable random number generator
> >>
> >> Some other random questions:
> >> - It seems that firefox does not handle CRL unless manually imported,
> >> correct? This means that in most cases already issued certificates
> >> are still vulnerable even revoked. A quick look seems to show that
> >> most software do not handle CRL at all.
> >> - As a maintainer of a package that have generated certificates using
> >> OpenSSL, how should we handle the issue?
> >>
> >> For the last question, I see several solutions:
> >> - the user has to read the DSA and handle it himself
> >
> > Since some keys are generated automatically, (e.g. ssh host keys) users
> > will have to regenerate keys,they haven't generated in the first place
> > and might not be aware of their existens.
> > That's bad.
>
> Unless I'm gravely mistaken, SSH keys aren't affected by this
> vulnerability. OpenSSH and OpenSSL are separate, and your ssh program
> generated its own keys.
As stated in the DSA:
»Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key
material for use in X.509 certificates and session keys used in SSL/TLS
connections. Keys generated with GnuPG or GNUTLS are not affected,
though.«
Keep smiling
yanosz
Reply to: