
Bug#482023: marked as done (new generated keys are vulnerable)

Your message dated Mon, 10 Feb 2014 03:28:01 +0000
with message-id <20140210032801.GA23430@riva.ucam.org>
and subject line Re: Bug#482023: new generated keys are vulnerable
has caused the Debian Bug report #482023,
regarding new generated keys are vulnerable
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
482023: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482023
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:4.3p2-9etch2
Severity: normal

after installing 1:4.3p2-9etch2 my host keys were regenerated, but the
new keys are reported to be vulnerable, too.  I can reproduce that:

	# vim /var/cache/debconf/config.dat
	... delete seen flag for ssh/vulnerable_host_keys

	# dpkg-reconfigure openssh-server
	... message "Vulnerable host keys will be regenerated"

	Creating SSH2 RSA key; this may take some time ...
	Creating SSH2 DSA key; this may take some time ...
	Host key 15:2b:b1:5a:26:05:5b:ca:45:39:ea:12:a2:59:ea:dc blacklisted (see ssh-vulnkey(1))
	Host key 81:bc:50:f6:1e:ab:5d:82:96:ca:3c:4f:90:22:23:c5 blacklisted (see ssh-vulnkey(1))
	Restarting OpenBSD Secure Shell server: sshdHost key 15:2b:b1:5a:26:05:5b:ca:45:39:ea:12:a2:59:ea:dc blacklisted (see ssh-vulnkey(1))
	Host key 81:bc:50:f6:1e:ab:5d:82:96:ca:3c:4f:90:22:23:c5 blacklisted (see ssh-vulnkey(1))
	.

After repeating the above recipe the key fingerprints change.

The problem is that my system has a libssl from testing (i.e. 0.9.8g-8).
Maybe openssh-server should conflict with the vulnerable versions of
libssl?  Or the newly generated keys should be checked resulting in a
warning if they are still vulnerable.

A fixed libssl version for testing-proposed-updates would be
great, too.  (But this is OT for this report.)

Installing libssl from unstable and reconfiguring openssh-server (after
deleting the seen flag) fixed the problem.

Best regards
Uwe

-- System Information:
Debian Release: 4.0
  APT prefers proposed-updates
  APT policy: (900, 'proposed-updates'), (900, 'stable'), (300, 'testing-proposed-updates'), (300, 'testing'), (200, 'unstable'), (2, 'experimental')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24-1-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages openssh-server depends on:
ii  add 3.102                                Add and remove users and groups
ii  deb 1.5.11etch2                          Debian configuration management sy
ii  dpk 1.14.16.6                            package maintenance system for Deb
ii  lib 2.7-10                               GNU C Library: Shared libraries
ii  lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 common error description library
ii  lib 1.6.dfsg.3~beta1-4                   MIT Kerberos runtime libraries
ii  lib 0.79-5                               Pluggable Authentication Modules f
ii  lib 0.79-5                               Runtime support for the PAM librar
ii  lib 0.99.7.1-6                           Pluggable Authentication Modules l
ii  lib 1.32-3                               SELinux shared libraries
ii  lib 0.9.8g-8                             SSL shared libraries
ii  lib 7.6.dbs-13                           Wietse Venema's TCP wrappers libra
ii  ope 0.1.1                                list of blacklisted OpenSSH RSA an
ii  ope 1:4.3p2-9etch2                       Secure shell client, an rlogin/rsh
ii  zli 1:1.2.3.3.dfsg-12                    compression library - runtime

openssh-server recommends no packages.

-- debconf information:
* ssh/vulnerable_host_keys:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/encrypted_host_key_but_no_keygen:
  ssh/disable_cr_auth: false

-- 
Uwe Kleine-König, Software Engineer
Digi International GmbH Branch Breisach, Küferstrasse 8, 79206 Breisach, Germany
Tax: 315/5781/0242 / VAT: DE153662976 / Reg. Amtsgericht Dortmund HRB 13962



--- End Message ---
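An added example, not code from the bug report, from openssh-blacklist or from Debian's maintainer scripts: a Python reimplementation of the lookup behind the "Host key ... blacklisted (see ssh-vulnkey(1))" lines above, which is the post-regeneration warning the report asks for. It assumes the openssh-blacklist file layout (one entry per line, the last 20 hex digits of a key's MD5 fingerprint, '#' comments); the key blobs and blacklist contents are constructed, not real keys.

```python
"""Blacklist check for freshly generated OpenSSH host keys (added example).

Mirrors what ssh-vulnkey(1) does before printing "Host key <fp> blacklisted":
MD5-fingerprint the key blob and look the fingerprint up in a blacklist.
Assumption: blacklist files hold one entry per line made of the last 20 hex
digits of the MD5 fingerprint, with '#' comment lines (openssh-blacklist layout).
"""
import base64
import hashlib


def md5_fingerprint(pubkey_line):
    """Colon-separated MD5 fingerprint of an 'ssh-rsa AAAA...' public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def blacklist_entry(fingerprint):
    """Lookup key: fingerprint without colons, first 12 hex digits dropped."""
    return fingerprint.replace(":", "")[12:]


def load_blacklist(text):
    """Parse blacklist file contents into a set of 20-hex-digit entries."""
    return {line.strip().lower() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def check_host_keys(pubkey_lines, blacklist):
    """Return [(fingerprint, is_blacklisted)] per key, warning on each hit.

    Run this over the new keys after dpkg-reconfigure; a hit means the key
    was generated with a broken libssl and must not be kept."""
    results = []
    for line in pubkey_lines:
        fp = md5_fingerprint(line)
        hit = blacklist_entry(fp) in blacklist
        if hit:
            print("Host key %s blacklisted (see ssh-vulnkey(1))" % fp)
        results.append((fp, hit))
    return results


# Constructed sample data: "YWJj" decodes to b"abc" (not a real key; only the
# fingerprint path matters), and the constructed blacklist lists its entry.
SAMPLE_KEYS = [
    "ssh-rsa YWJj root@example-host",      # constructed: blacklisted
    "ssh-rsa YWJjZA== root@example-host",  # constructed: b"abcd", clean
]
SAMPLE_BLACKLIST = load_blacklist("# constructed blacklist\n4fb0d6963f7d28e17f72\n")
```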
--- Begin Message ---
On Tue, May 20, 2008 at 02:16:55PM +0200, Uwe Kleine-König wrote:
> Florian Weimer wrote:
> > testing has received the fixed version on 2008-05-11.  There's no need
> > to involve testing-proposed-updates.
> 
> You're right.  I saw that I got a new openssl after I installed the
> security updates and already thought that this part of my report is
> obsolete.  As usual that happened after sending the report :-(

It looks like this bug has been long since handled, so closing.

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]

--- End Message ---