krb5 / Lenny status
Here's the update on krb5 for Debian Lenny, based on a mail from Russ
Allbery. (The status of Etch has changed; it isn't affected at all.)
* MIT Kerberos itself does not generate long-term key pairs even when the
PKINIT plugin is used, so any vulnerable long-term key pairs would have
been generated outside of the MIT Kerberos software itself. The PKINIT
plugin only references existing key pairs and isn't responsible for key
management.
* All of the random session key generation inside the PKINIT plugin is
done using the regular MIT Kerberos random key functions, *not* the
OpenSSL random number generator, and hence sessions created via PKINIT
are not subject to this vulnerability.
MIT Kerberos itself is not affected. However, long-term key pairs used
with PKINIT may be affected if generated on an affected Debian system, but
such generation is external to MIT Kerberos.