[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

Jan Luehr wrote:
> Hello,
> 
> Am Dienstag, 13. Mai 2008 schrieb Vincent Bernat:
>> OoO En ce  début d'après-midi nuageux du mardi 13  mai 2008, vers 14:06,
>>
>> Florian Weimer <fw@deneb.enyo.de> disait:
>>> Package        : openssl
>>> Vulnerability : predictable random number generator
>> Some other random questions:
>>  - It seems  that firefox does not handle  CRL unless manually imported,
>>    correct? This  means that in  most cases already  issued certificates
>>    are still  vulnerable even revoked. A  quick look seems  to show that
>>    most software do not handle CRL at all.
>>  - As a  maintainer of a package that  have generated certificates using
>>    OpenSSL, how should we handle the issue?
>>
>> For the last question, I see several solutions:
>>  - the user has to read the DSA and handle it himself
> 
> Since some keys are generated automatically, (e.g. ssh host keys) users will 
> have to regenerate keys,they haven't generated in the first place and might 
> not be aware of their existens.
> That's bad.

Unless I'm gravely mistaken, SSH keys aren't affected by this
vulnerability. OpenSSH and OpenSSL are separate, and your ssh program
generated its own keys.

-Corey
Reply to: