[Pkg-openssl-devel] [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
Rene Mayrhofer
rene.mayrhofer at gibraltar.at
Wed May 14 10:50:10 UTC 2008
[Sorry for CCing people again, but I think that this issue will need close
co-operation by everybody involved.]
On Mittwoch, 14. Mai 2008, Thijs Kinkhorst wrote:
> That page unfortunately falls through the cracks as we're all very busy
> with preparing the DSA or responding to the various issues coming up or
> fixing our own machines (I am still working on 30 at the moment) . It would
> be a great help if the page could be filled with information as it is
> currently on the wiki. I think the people with current webwml access are
> trusted enough to use their own judgment in making that page.
What's the current status concerning an automated "fixer" package that would
do all the work of re-created the keys like the openssh-server package
currently does? I don't think it's reasonable to just distribute the fixed
openssl and say (only implicitly within the DSA, which people might not read
in detail) to our users something along the lines of "your keys created in
the past 2 years are completely broken and all your crypto is insecure - doh,
but you're on your own". I also don't think it's reasonable for all packages
that somehow use(d) openssl to create keys to do their own security fix as
openssh-server did (for openssh, I think that's a good thing because it's the
primary entry point for additional, potentially manual fixing). Fixing
different packages should be able to re-use code and would only bother the
user/admin once.
As it stands now, I don't think this issue is fixed from a user point of view
(just thinking about user ssh keys, which are still wide open....).
> If you and/or the people from debian-www have any content to add to the
> page: feel very free to start!
As the open/strongswan maintainer, I would like to ask you (Gerfried or
anybody with commit access and some free time to do it asap) to add what I
said in my original email to this page, i.e. how to re-create the
automatically generated X.509 certificates and the note that user-generated
certificates in the specified directories under /etc/ipsec.d/ may also need
to be re-created.
If you need any more details from me, please ask as soon as possible, as I
will be offline in about 6h and stay offline for the next 3 days at least.
best regards,
Rene
--
-------------------------------------------------
Gibraltar firewall http://www.gibraltar.at/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20080514/50072604/attachment-0001.pgp
More information about the Pkg-openssl-devel
mailing list