
Bug#482023: new generated keys are vulnerable



* Uwe Kleine-König:

> The problem is that my system has a libssl from testing
> (i.e. 0.9.8g-8).

Yeah, there isn't a good way to deal with that, especially as soon as
backports and locally built packages are involved.

debsecan and the security tracker try to deal with this, but they can't
handle backports, either (but they tend to give false positives in that
case).

> Maybe openssh-server should conflict with the vulnerable versions of
> libssl?

The list is pretty long, so this is hardly feasible.

> Or the newly generated keys should be checked resulting in a warning
> if they are still vulnerable.

That's probably a good idea.

> A fixed libssl version for testing-proposed-updates would be
> great, too.  (But this is OT for this report.)

testing has received the fixed version on 2008-05-11.  There's no need
to involve testing-proposed-updates.
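
The post-generation check suggested in the thread above, sketched as an added example that is not part of the original message or of any Debian package: it fingerprints a freshly generated public key and warns if the fingerprint is on a list of known weak keys. The key lines, the list contents and all function names are constructed for illustration; a real list would have to come from the distribution.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire string: uint32 length, then the data."""
    return struct.pack(">I", len(data)) + data


def key_fingerprint(pub_line: str) -> str:
    """Hex MD5 fingerprint of one OpenSSH public key line ("type base64 comment")."""
    fields = pub_line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob carries its own copy of the key type; reject lines where it
    # disagrees with the declared type instead of hashing garbage.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != fields[0].encode():
        raise ValueError("declared key type does not match key blob")
    return hashlib.md5(blob, usedforsecurity=False).hexdigest()


def check_new_key(pub_line, known_weak):
    """Return a warning for a key on the weak list, or None if it is not listed."""
    fingerprint = key_fingerprint(pub_line)
    if fingerprint in known_weak:
        return f"WARNING: new key {fingerprint} is on the weak-key list"
    return None


def sample_line(modulus: bytes) -> str:
    """Build a constructed ssh-rsa public key line (not a real key)."""
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"


# Constructed data: one "weak" key and a list that contains its fingerprint.
WEAK_LINE = sample_line(b"\x00" + b"\xaa" * 16)
GOOD_LINE = sample_line(b"\x00" + b"\xbb" * 16)
KNOWN_WEAK = {key_fingerprint(WEAK_LINE)}

if __name__ == "__main__":
    for line in (WEAK_LINE, GOOD_LINE):
        print(check_new_key(line, KNOWN_WEAK) or "key not on the weak-key list")
```

A key that is absent from the list is only "not listed": the check depends on the list covering the key type and size that was generated.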


