From f2a7626a59e3df619d04082c7c7942492e886c03 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Tue, 13 May 2008 11:32:12 +0000 Subject: update from mdz --- debian/README.compromised-keys | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) (limited to 'debian') diff --git a/debian/README.compromised-keys b/debian/README.compromised-keys index c3e6cbbf2..048aadd04 100644 --- a/debian/README.compromised-keys +++ b/debian/README.compromised-keys @@ -5,9 +5,14 @@ Matt Zimmerman, assisted by Colin Watson. A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption -keys are generated much more frequently than they should be, such that an -attacker could guess the key through a brute-force attack given minimal -knowledge of the system. +keys are much more common than they should be, such that an attacker could +guess the key through a brute-force attack given minimal knowledge of the +system. This particularly affects the use of encryption keys in OpenSSH, +OpenVPN and SSL certificates. + +This vulnerability only affects operating systems which (like Ubuntu) are based +on Debian. However, other systems can be indirectly affected if weak keys are +imported into them. We consider this an extremely serious vulnerability, and urge all users to act immediately to secure their systems. @@ -97,7 +102,8 @@ OpenSSH: ssh-vulnkey /path/to/key If ssh-vulnkey says "No blacklist file", then it has no information - about whether that key is affected. + about whether that key is affected. If in doubt, destroy the key and + generate a new one. 4. Regenerate any affected user keys -- cgit v1.2.3