
Bug#481446: closed by Colin Watson <cjwatson@debian.org> (Re: Bug#481446: openssh-server: openssh does not start complaining about compromised keys with new generated keys)



On Fri, May 16, 2008 at 11:57:16AM +0200, Michael Schwartzkopff wrote:
> thanks for the explanation. I understood that my system still creates 
> compromised keys. I did a full apt-get update and apt-get upgrade. After 
> that I installed ssh with
> apt-get install openssh-server openssh-client
> 
> When I create a new host key with
> ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
> 
> this key is also compromised. I checked it. So why is that, although I have:
> xen00:~# dpkg -l libssl0.9.8
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
> |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
> ||/ Name           Version        Description
> +++-==============-==============-============================================
> ii  libssl0.9.8    0.9.8g-1       SSL shared libraries

I don't know how you managed it (given that openssh-server depends on a
good enough version; perhaps you have it on hold or something?), but
that version of libssl0.9.8 is absolutely vulnerable. You need to
upgrade to 0.9.8g-9 or newer.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]
