
Debian OpenSSL: All Debian (Ubuntu) Users MUST READ


Captain Newbie

Senior Django-loving Member
Ubuntu users: OFFICIAL ADVISORY
Debian users: OFFICIAL ADVISORY

All users: Metasploit summary of OpenSSL vulnerability

Summary: A weakness has been found in the Debian (and Ubuntu) openssl package, making its "pseudorandom number generator" (PRNG) into a predictable random number generator (also a PRNG :) ). In short, the keys generated by openssl may not be as robust as they should be (indeed, possibly easily breached in a matter of six hours or so of CPU time).

From the Ubuntu advisory:
Code:
All OpenSSH and X.509 keys generated on such systems must be
 considered untrustworthy, regardless of the system on which they are used,
 even after the update has been applied.

Ubuntu and Debian users should execute the following:
Code:
sudo apt-get update
sudo apt-get install openssl
...to update libssl to the latest (not vulnerable) version.
 
Interesting. I noticed an OpenSSL vulnerability or something warning yesterday on all three of my Ubuntu 7.1 VMs while running the software updater. I didn't pay much attention to it.

Thanks for the heads-up. :thup:
 
I'd bet this comes from the classic problem of programmers that really don't understand mathematics trying to make "random" number generators "more random" by throwing in a few more calculations. Without fail, such procedures make LESS random numbers. There is a reason that random number generators are implemented the way they are. They are highly thought out by talented mathematicians to produce the best pseudorandom numbers possible.

Interesting that it's only Debian and Ubuntu.
 
I'd bet this comes from the classic problem of programmers that really don't understand mathematics trying to make "random" number generators "more random" by throwing in a few more calculations. Without fail, such procedures make LESS random numbers. There is a reason that random number generators are implemented the way they are. They are highly thought out by talented mathematicians to produce the best pseudorandom numbers possible.

Interesting that it's only Debian and Ubuntu.

Yeah, it's really stupid when they do that.

Actually, I believe what happened was that one of the Debian maintainers commented out some code to make it easier to debug and his changes got committed.

Edit: http://blog.drinsama.de/erich/en/linux/2008051401-debian-openssl-desaster.html
 
I'd bet this comes from the classic problem of programmers that really don't understand mathematics trying to make "random" number generators "more random" by throwing in a few more calculations. Without fail, such procedures make LESS random numbers. There is a reason that random number generators are implemented the way they are. They are highly thought out by talented mathematicians to produce the best pseudorandom numbers possible.

Interesting that it's only Debian and Ubuntu.

Uncertain at best if it extends to more distributions... The problem comes also from assuming that getpid(2) will be sufficiently random (no, it's not!).

Stupidity on the part of that Debian maintainer; and that's the problem with traditional SCM. You have created this class of people with commit access who are ostensibly not idiots. But sometimes they are.

I'm too busy fiddling with my piece-of-**** (it's not, but something's wrong) EP35 at the moment to examine other distributions' sources.
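The keyspace collapse discussed in this thread, as an added example that is not part of the original posts and is not OpenSSL or Debian code: a toy generator (hypothetical `toy_keygen`, SHA-256 based) whose seed contains only the process ID, and an audit that flags any key falling in the resulting enumerable set. It assumes PIDs range from 1 to 32767; host names and keys are constructed samples.

```python
import hashlib
import os

PID_MAX = 32768  # assumption: PIDs run from 1 to PID_MAX - 1


def toy_keygen(seed: bytes) -> bytes:
    """Toy stand-in for key generation: the key is a pure function of the seed."""
    return hashlib.sha256(b"toy-keygen" + seed).digest()


def weak_seed(pid: int) -> bytes:
    """Models the broken generator: the PID is the only input that varies."""
    return pid.to_bytes(4, "little")


def strong_seed(pid: int) -> bytes:
    """Models a healthy generator: OS entropy is mixed in alongside the PID."""
    return os.urandom(32) + pid.to_bytes(4, "little")


def fingerprint(key: bytes) -> str:
    """Short identifier for a key, as an audit list would store it."""
    return hashlib.sha256(key).hexdigest()[:32]


def build_weak_fingerprints(pid_max: int = PID_MAX) -> set:
    """Enumerate every key the PID-only generator can ever produce."""
    return {fingerprint(toy_keygen(weak_seed(p))) for p in range(1, pid_max)}


def audit(keys: dict, weak: set) -> dict:
    """Map each key name to True if it belongs to the predictable set."""
    return {name: fingerprint(key) in weak for name, key in keys.items()}


def demo():
    weak = build_weak_fingerprints()
    keys = {  # constructed sample keys, not real hosts
        "host-a": toy_keygen(weak_seed(4242)),    # made before the fix
        "host-b": toy_keygen(weak_seed(31000)),   # made before the fix
        "host-c": toy_keygen(strong_seed(4242)),  # made after the fix
    }
    return len(weak), audit(keys, weak)


if __name__ == "__main__":
    size, report = demo()
    print(f"distinct keys the weak generator can produce: {size}")
    for name, flagged in report.items():
        print(f"{name}: {'REGENERATE' if flagged else 'ok'}")
```

host-a and host-b stay flagged no matter which library version is installed now, which is why the advisory treats existing keys as untrustworthy even after the update.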
 