On Thu, May 15, 2008 at 10:37:37AM +1000, Andrew McGlashan wrote:
> Okay, if we updated (on stable):
> openssl_0.9.8c-4etch3_i386.deb
> libssl0.9.8_0.9.8c-4etch3_i386.deb
> Then re-generated all keys and certificates.....
Then you are fine.
> Later we get these updates:
> openssh-server_1%3a4.3p2-9etch1_i386.deb
> openssh-client_1%3a4.3p2-9etch1_i386.deb
> So, do we need to re-generate keys and certs again now or will they be fine?
You don't need to re-generate keys again. The problem was in the libssl
package and was solved with libssl0.9.8_0.9.8c-4etch3_i386.deb, so the
keys you generated after the libssl0.9.8 update are fine.
All the updated openssh packages do regarding this issue is try to
ensure you don't use weak keys in the future (i.e. harden dependencies,
regenerate known-weak host keys and refuse known-weak keys for
authentication).
The way you have chosen was absolutely correct.
regards
Mario
--
Computer games don't affect kids; I mean if Pac-Man affected us as kids,
we'd all be running around in darkened rooms, munching magic pills and
listening to repetitive electronic music.
-- Kristian Wilson, Nintendo Inc, 1989
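The last of the three measures Mario lists, refusing known-weak keys for authentication, is a fingerprint blacklist lookup: the fingerprint of each offered key is compared against a list of fingerprints of the keys that the broken libssl could generate. The script below is an added illustration of that check and is not code from the thread or from the Debian openssh packages. It assumes the blacklist is keyed by the last 20 hex digits (lower 80 bits) of the OpenSSH MD5 fingerprint, which is how ssh-vulnkey's blacklist files are understood here; the two RSA public keys and the blacklist it reads are constructed in the script itself (toy moduli, not real keys), so it runs offline.

```python
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """SSH wire-format mpint: big-endian, with a leading 0x00 if the top bit is set."""
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)


def make_rsa_blob(e: int, n: int) -> bytes:
    """Build the binary blob that follows 'ssh-rsa' in an authorized_keys line."""
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Classic OpenSSH fingerprint: MD5 over the raw key blob, as hex."""
    return hashlib.md5(blob).hexdigest()


def blacklist_key(blob: bytes) -> str:
    # Assumption: blacklist entries are the last 20 hex digits of the MD5 fingerprint.
    return md5_fingerprint(blob)[-20:]


def load_blacklist(text: str) -> set:
    """Parse a blacklist file: one entry per line, '#' lines are comments."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def parse_authorized_keys(text: str):
    """Yield (keytype, blob, comment) for each key line; options before the type are skipped."""
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, tok in enumerate(parts):
            if tok in ("ssh-rsa", "ssh-dss") and i + 1 < len(parts):
                yield tok, base64.b64decode(parts[i + 1]), " ".join(parts[i + 2:])
                break


def check_authorized_keys(text: str, blacklist: set):
    """Return [(comment, is_weak)] so a caller can refuse or report the weak ones."""
    return [(comment, blacklist_key(blob) in blacklist)
            for _keytype, blob, comment in parse_authorized_keys(text)]


# Constructed sample data (toy moduli; not real keys and not from the thread).
WEAK_BLOB = make_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
OK_BLOB = make_rsa_blob(65537, 0xDEADBEEFCAFEBABE0123456789)

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the example",
    'from="10.0.0.5" ssh-rsa ' + base64.b64encode(WEAK_BLOB).decode() + " weak@example.org",
    "ssh-rsa " + base64.b64encode(OK_BLOB).decode() + " ok@example.org",
])

# Constructed blacklist file containing only the first sample key.
SAMPLE_BLACKLIST_TEXT = "# constructed blacklist\n" + blacklist_key(WEAK_BLOB) + "\n"
SAMPLE_BLACKLIST = load_blacklist(SAMPLE_BLACKLIST_TEXT)


if __name__ == "__main__":
    for comment, weak in check_authorized_keys(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BLACKLIST):
        print(("REFUSE " if weak else "accept ") + comment)
```

The same lookup applies to host keys: hash /etc/ssh/ssh_host_rsa_key.pub's blob the same way and compare, which is why the openssh update can both regenerate weak host keys and reject weak client keys from one list. A blacklist only catches keys made by the broken generator, so it complements, rather than replaces, the libssl fix and the key regeneration the original poster already did.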