
Bug#485408: marked as done (openssh-client: ssh-keygen generates COMPROMISED keys after recent upgrade)



Your message dated Mon, 9 Jun 2008 11:52:20 +0100
with message-id <20080609105220.GI16645@riva.ucam.org>
and subject line Re: Bug#485408: openssh-client: ssh-keygen generates COMPROMISED keys after recent upgrade
has caused the Debian Bug report #485408,
regarding openssh-client: ssh-keygen generates COMPROMISED keys after recent upgrade
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
485408: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=485408
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-client
Version: 1:4.3p2-9etch2
Severity: grave
Tags: security
Justification: user security hole

ssh-keygen generates COMPROMISED keys after recent upgrade of etch

Example:
$ ssh -V     
OpenSSH_4.3p2 Debian-9etch2, OpenSSL 0.9.8e 23 Feb 2007
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/urban/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/urban/.ssh/id_rsa.
Your public key has been saved in /home/urban/.ssh/id_rsa.pub.
The key fingerprint is:
cf:f1:d8:16:c2:2c:bf:db:de:f0:24:75:95:33:92:e0 urban@sofia
$ ssh-vulnkey
....
COMPROMISED: 2048 cf:f1:d8:16:c2:2c:bf:db:de:f0:24:75:95:33:92:e0 
/home/urban/.ssh/id_rsa.pub

The following OLDER version of ssh seems NOT to exhibit this problem:
$ ssh -V
OpenSSH_4.3p2 Debian-9etch1, OpenSSL 0.9.8c 05 Sep 2006
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/urban/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/urban/.ssh/id_rsa.
Your public key has been saved in /home/urban/.ssh/id_rsa.pub.
The key fingerprint is:
26:3c:5d:20:96:b6:48:4b:20:80:87:2f:bb:b7:08:51 urban@urban1e
urban@urban1e:~/.ssh$ ssh-vulnkey
....
Not blacklisted: 2048 26:3c:5d:20:96:b6:48:4b:20:80:87:2f:bb:b7:08:51 
/home/urban/.ssh/id_rsa.pub
....




-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages openssh-client depends on:
ii  add 3.102                                Add and remove users and groups
ii  deb 1.5.13                               Debian configuration management sy
ii  dpk 1.13.25                              package maintenance system for Deb
ii  lib 2.3.6.ds1-13etch5                    GNU C Library: Shared libraries
ii  lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 common error description library
ii  lib 2.9.cvs.20050518-3                   BSD editline and history libraries
ii  lib 1.4.4-7etch5                         MIT Kerberos runtime libraries
ii  lib 5.5-5                                Shared libraries for terminal hand
ii  lib 0.9.8e-4                             SSL shared libraries
ii  pas 1:4.0.18.1-7                         change and administer password and
ii  zli 1:1.2.3-13                           compression library - runtime

openssh-client recommends no packages.

-- no debconf information



--- End Message ---
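To make the two ssh-vulnkey verdicts in the report above ("COMPROMISED: 2048 <fingerprint>" versus "Not blacklisted: 2048 <fingerprint>") concrete, here is an added, stand-alone reproduction of the lookup ssh-vulnkey performs. It is example code written for this page, not the bug reporter's commands and not the code of openssh-blacklist or ssh-vulnkey. It assumes the openssh-blacklist file layout (a "# HASH" comment line, then one entry per line consisting of the key's MD5 fingerprint with its first 12 hex digits dropped); the two "keys" and the blacklist are constructed inline and are not real RSA keys, since the check only hashes the encoded public-key blob.

```python
"""Reproduce the blacklist lookup that ssh-vulnkey performs on an OpenSSH public key."""
import base64
import hashlib
import struct


def _ssh_string(s: bytes) -> bytes:
    """SSH 'string' wire encoding (RFC 4251): 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(s)) + s


def _ssh_mpint(n: int) -> bytes:
    """SSH 'mpint' wire encoding: minimal big-endian two's complement, length-prefixed."""
    if n == 0:
        return struct.pack(">I", 0)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                      # leading 0x00 keeps a positive value positive
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH 'ssh-rsa <base64 blob> <comment>' line from RSA parameters."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def _decode_blob(pubkey_line: str) -> list:
    """Split the base64 blob of a public-key line into its length-prefixed fields."""
    blob = base64.b64decode(pubkey_line.split()[1])
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + length])
        off += length
    return fields


def md5_fingerprint(pubkey_line: str) -> str:
    """MD5 of the raw key blob, in the colon-separated form OpenSSH 4.x printed."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def key_bits(pubkey_line: str) -> int:
    """Bit length of the RSA modulus (third field of an ssh-rsa blob)."""
    return int.from_bytes(_decode_blob(pubkey_line)[2], "big").bit_length()


def load_blacklist(text: str) -> set:
    """Parse an openssh-blacklist file (format assumed here): '#' comment lines, then
    one entry per line holding the MD5 fingerprint minus its first 12 hex digits."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.add(line.lower())
    return entries


def check_key(pubkey_line: str, blacklist: set) -> str:
    """Return a verdict line in ssh-vulnkey's format: '<verdict>: <bits> <fingerprint>'."""
    fp = md5_fingerprint(pubkey_line)
    suffix = fp.replace(":", "")[12:]
    verdict = "COMPROMISED" if suffix in blacklist else "Not blacklisted"
    return "%s: %d %s" % (verdict, key_bits(pubkey_line), fp)


# Constructed sample data: deterministic 2048-bit numbers standing in for moduli. They are
# NOT real RSA keys; the check only hashes the encoded blob and never uses the key.
def _toy_modulus(seed: bytes) -> int:
    digest = b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(8))
    return int.from_bytes(digest, "big") | (1 << 2047) | 1   # exactly 2048 bits, odd


KEY_A = make_rsa_pubkey_line(65537, _toy_modulus(b"key-a"), "urban@sofia")
KEY_B = make_rsa_pubkey_line(65537, _toy_modulus(b"key-b"), "urban@urban1e")

# Constructed blacklist that lists only KEY_A, so KEY_A is flagged and KEY_B is not.
BLACKLIST_TEXT = "# HASH\n" + md5_fingerprint(KEY_A).replace(":", "")[12:] + "\n"
BLACKLIST = load_blacklist(BLACKLIST_TEXT)

if __name__ == "__main__":
    for key in (KEY_A, KEY_B):
        print(check_key(key, BLACKLIST))
```

The point the example makes is the one Colin Watson's reply below relies on: the verdict depends solely on whether the fingerprint of the generated key appears in a precomputed list of keys produced by the broken RNG. ssh-keygen itself is not at fault; a key comes out blacklisted because the OpenSSL library it linked against produced it from the small predictable key space, so the fix is to update libssl0.9.8 and regenerate, and the same lookup can be run against the real blacklist files under /usr/share/ssh/ to audit existing keys.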
--- Begin Message ---
On Mon, Jun 09, 2008 at 09:40:31AM +0000, Urban Braendstroem wrote:
> ssh-keygen generates COMPROMISED keys after recent upgrade of etch

The relevant thing is the version of libssl0.9.8. You have:

> ii  lib 0.9.8e-4                             SSL shared libraries

It looks like you upgraded to the version from testing or unstable at
some point, but are otherwise still running stable; you haven't been
getting libssl0.9.8 updates for three months. Either downgrade to the
version in stable-security or upgrade to the current version in testing.

Unfortunately it is impractical to add conflicts for this because of the
wide range of versions affected and the numerous fixed branches off
those, in Debian and Ubuntu and quite possibly other Debian-based
distributions.

Regards,

-- 
Colin Watson                                       [cjwatson@debian.org]


--- End Message ---
