[vox-tech] Security Alert: Debian OpenSSL flaw affects many systems

Ken Bloom kbloom at gmail.com
Thu May 15 15:18:52 PDT 2008


On Thu, 2008-05-15 at 14:29 -0700, Jeffrey Nonken wrote:
> http://www.linux.com/feature/135270

This paragraph is probably wrong:

> Debian and derivative distribution users can use the apt-get upgrade
> command to replace vulnerable keys on their systems, and Ubuntu users
> applying the security patches which appeared yesterday will have their
> weak keys replaced automatically, but as Moore points out, that
> doesn't solve the problems caused by weak keys being used to sign
> certificates or copied to other servers.

More detailed information is available at http://wiki.debian.org/SSLkeys

Note that the vulnerability meant that only 2^15 different keys of each
size were being generated. This is an incredibly small number, and I'm
sure many hackers have dictionaries of the entire key set now to break
into systems with affected authorized_keys files.
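
As an added example (not part of the message above or of the linked article): auditing an authorized_keys file for keys whose MD5 fingerprint appears in a set of known-weak fingerprints. The sample file, key blobs and weak set are constructed; a real audit would load a published list of weak-key fingerprints, assumed here to be full hex MD5 digests.

```python
import base64
import hashlib
import shlex

KEY_TYPES = {"ssh-rsa", "ssh-dss"}  # assumption: extend for other key types

def tokens(line):
    """Split an authorized_keys line, keeping double-quoted option values whole."""
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split = True
    lex.quotes = '"'      # apostrophes in key comments are ordinary characters
    lex.commenters = ""   # '#' only starts a comment at the beginning of a line
    return list(lex)

def fingerprint(line):
    """Return the hex MD5 fingerprint of the key on this line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        parts = tokens(line)
        idx = next(i for i, t in enumerate(parts) if t in KEY_TYPES)
        blob = base64.b64decode(parts[idx + 1], validate=True)
    except (ValueError, StopIteration, IndexError):
        return None  # unbalanced quotes, no key type, or invalid base64
    return hashlib.md5(blob).hexdigest()

def audit(text, weak_fingerprints):
    """Return (line_number, fingerprint) for each key that is in the weak set."""
    found = ((n, fingerprint(l)) for n, l in enumerate(text.splitlines(), 1))
    return [(n, fp) for n, fp in found if fp in weak_fingerprints]

# Constructed sample data: these blobs are arbitrary bytes, not real keys.
WEAK_BLOB = base64.b64encode(b"constructed-weak-key-blob").decode()
GOOD_BLOB = base64.b64encode(b"constructed-good-key-blob").decode()
SAMPLE = "\n".join([
    "# constructed authorized_keys file",
    "ssh-rsa " + GOOD_BLOB + " alice@example",
    'command="echo ssh-rsa",no-pty ssh-rsa ' + WEAK_BLOB + " bob's backup key",
    "ssh-dss " + WEAK_BLOB,
])
WEAK_SET = {hashlib.md5(b"constructed-weak-key-blob").hexdigest()}

if __name__ == "__main__":
    for n, fp in audit(SAMPLE, WEAK_SET):
        print(f"line {n}: weak key {fp}: remove it and have the owner generate a new key")
```

Removing a flagged entry only closes that login path; the key's owner still has to generate a replacement on a patched system.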

