[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#490185: marked as done (openssh-client: openssh-vulnkey does not find compromised keys with 4096 bit keys)

Your message dated Thu, 10 Jul 2008 17:56:18 +0100
with message-id <20080710165618.GD17016@riva.ucam.org>
and subject line Re: Bug#490185: openssh-client: openssh-vulnkey does not find compromised keys with 4096 bit keys
has caused the Debian Bug report #490185,
regarding openssh-client: openssh-vulnkey does not find compromised keys with 4096 bit keys
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
490185: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490185
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: openssh-client
Version: 1:4.3p2-9etch2
Severity: grave
Tags: security
Justification: user security hole


The openssh client and openssh-vulnkey do not check for 4096 bit
comprimised keys as the sid version does. So the user will not find
these compromised keys when checking with openssh-vulnkey and the ssh
server will accept connections with these keys.

Please supply a package like in sid which also checks for 4096 (and
other?) bit keys.

Christoph

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (900, 'stable'), (70, 'testing'), (50, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.22-4-686-bigmem
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)

Versions of packages openssh-client depends on:
ii  add 3.102                                Add and remove users and groups
ii  deb 1.5.11etch1                          Debian configuration management sy
ii  dpk 1.13.25                              package maintenance system for Deb
ii  lib 2.3.6.ds1-13etch5                    GNU C Library: Shared libraries
ii  lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 common error description library
ii  lib 2.9.cvs.20050518-2.2                 BSD editline and history libraries
ii  lib 1.4.4-7etch5                         MIT Kerberos runtime libraries
ii  lib 5.5-5                                Shared libraries for terminal hand
ii  lib 0.9.8c-4etch3                        SSL shared libraries
ii  pas 1:4.0.18.1-7                         change and administer password and
ii  zli 1:1.2.3-13                           compression library - runtime

openssh-client recommends no packages.

-- no debconf information

--- End Message ---
--- Begin Message --- 
On Thu, Jul 10, 2008 at 05:28:19PM +0200, Christoph Martin wrote:
> The openssh client and openssh-vulnkey do not check for 4096 bit
> comprimised keys as the sid version does. So the user will not find
> these compromised keys when checking with openssh-vulnkey and the ssh
> server will accept connections with these keys.
> 
> Please supply a package like in sid which also checks for 4096 (and
> other?) bit keys.

Install the openssh-blacklist-extra package.

Regards,

-- 
Colin Watson                                       [cjwatson@debian.org]

--- End Message ---
Reply to: